Cisco Support Community
New Member

overcoming overlapping encryption domains

I have a site to site VPN being set up between 2 515s, each running 6.3(5).

We have overlapping encryption domains (the servers we need to access at the remote location are in a network we already have locally defined).

How can I overcome this?

Servers at the remote site are exposed to the internet for public access.

I believe the cookie-cutter solution is to create static translations for all the servers we need to access (to public IPs) and then our match list ACL just references the public IPs (after translations). Some of the servers at the remote site however are not internet facing and I would prefer not to have to A) use up public IPs with statics and B) add translations to public IPs unless absolutely needed...(you know...defense in depth, another layer of security all that jazz...if someone adds a broad ACL by mistake it doesn't immediately expose my internal servers if they don't have public translations in place).

Do I have any options?

I had this grand plan where I was hide-NATing traffic leaving my end and creating a network block static on the other end mapping the servers to a virtual non-routable network. Then I would hit these non-routable IPs that I made up to access the servers. Sadly I didn't look 2 steps ahead and realize this would preclude me from being able to add the public xlates required to expose these servers to the internet.

Any other ideas?
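The post above describes the usual approach to overlapping encryption domains (policy NAT that maps each LAN to a private, non-overlapping range only for traffic bound to the other site, while the crypto ACL matches the translated ranges). The following PIX 6.3 configuration is an added illustration of that approach and is not from the original thread or from any reply in it. Every address, ACL name and key string is a constructed placeholder: both LANs are assumed to be 192.168.1.0/24, site A is presented to site B as 10.10.1.0/24, site B is presented to site A as 10.10.2.0/24, and the peers' outside addresses are 198.51.100.1 and 203.0.113.1. Because the translated ranges are private and the policy static only applies when the destination is the other site's translated range, no public IPs are consumed and the remote servers get no internet-facing translation unless one is added deliberately. The claim that a policy static listed ahead of an ordinary static takes precedence for the same real host is an assumption about PIX 6.3 evaluation order and should be confirmed with `show xlate` after the tunnel is up.

```cisco
! ===== Site A (PIX 515, 6.3 syntax; all values are constructed examples) =====
!
! 1. Policy NAT: translate A's LAN (192.168.1.0/24) to 10.10.1.0/24 ONLY when
!    the destination is B's translated range 10.10.2.0/24. Ordinary internet
!    traffic from the LAN never matches this ACL and is not affected.
access-list VPN_POLICY_NAT permit ip 192.168.1.0 255.255.255.0 10.10.2.0 255.255.255.0
static (inside,outside) 10.10.1.0 access-list VPN_POLICY_NAT
!
! 2. Crypto ACL matches translated addresses on both sides, so the two real
!    192.168.1.0/24 networks never appear in the IPsec SA. Hosts at A reach
!    B's server 192.168.1.20 by addressing 10.10.2.20.
access-list VPN_TO_B permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
!
! 3. A public static for an internet-facing server can still coexist with the
!    policy static. Assumption: the policy static is listed first so VPN-bound
!    traffic is matched by it and only internet-bound traffic uses the public
!    translation. Servers without such a line stay reachable over the VPN only.
static (inside,outside) 198.51.100.10 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 198.51.100.10 eq www
access-group OUTSIDE_IN in interface outside
!
! 4. General PAT for internet access; statics take precedence over nat/global.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! 5. IPsec/IKE (pre-shared key is a placeholder, not a real secret).
sysopt connection permit-ipsec
isakmp enable outside
isakmp key REPLACE_WITH_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set TS_B esp-3des esp-sha-hmac
crypto map VPN_MAP 10 ipsec-isakmp
crypto map VPN_MAP 10 match address VPN_TO_B
crypto map VPN_MAP 10 set peer 203.0.113.1
crypto map VPN_MAP 10 set transform-set TS_B
crypto map VPN_MAP interface outside

! ===== Site B (mirror image; constructed values) =====
!
! B's LAN is also 192.168.1.0/24; it is shown to A as 10.10.2.0/24 only for
! traffic destined to A's translated range 10.10.1.0/24.
access-list VPN_POLICY_NAT permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
static (inside,outside) 10.10.2.0 access-list VPN_POLICY_NAT
access-list VPN_TO_A permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
sysopt connection permit-ipsec
isakmp enable outside
isakmp key REPLACE_WITH_PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set TS_A esp-3des esp-sha-hmac
crypto map VPN_MAP 10 ipsec-isakmp
crypto map VPN_MAP 10 match address VPN_TO_A
crypto map VPN_MAP 10 set peer 198.51.100.1
crypto map VPN_MAP 10 set transform-set TS_A
crypto map VPN_MAP interface outside
```

Verification after bringing the tunnel up: `show crypto ipsec sa` on either side should list the 10.10.1.0/24 and 10.10.2.0/24 proxy identities rather than 192.168.1.0/24, and `show xlate` on site A should show a 192.168.1.x to 10.10.1.x entry only for hosts that have sent traffic toward 10.10.2.0/24. Because neither translated range is routable on the internet, a mistakenly broad outside ACL still cannot reach a remote server that has no dedicated public static.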

New Member

Re: overcoming overlapping encryption domains

If you can upload a drawing of this, I'll get you going.

Cisco Employee

Re: overcoming overlapping encryption domains
