Cisco Support Community

site to site VPN overlapping subnets on Cisco ASA 5540

I am looking for some advice on how to properly set up a site-to-site VPN when there are overlapping subnets.

i.e. if you have 172.16.x.x on both sides of the tunnel.

I have set this up before, and here's my config, but I'm not sure if this is the best way to do it.

access-list outboundpolicy_NAT extended permit ip 19

static (outside,inside) netmask

static (inside,outside) access-list outboundpolicy_NAT

On the VPN tunnel, I configured this ACL:

access-list tac-VPN-domain extended permit ip


Re: site to site VPN overlapping subnets on Cisco ASA 5540

If both sides are using identical encryption domains, you'll need to do one of the following:

a.) Configure Policy NAT on both ends of the tunnel

b.) Use a Public <-> Private or Public <-> Public VPN connection

c.) Change the internal subnet of one firewall.

The key thing to remember about option A is that you have to policy NAT on both sides, since the subnets are identical:

Example of config on ASA:

access-list Policy_NAT extended permit ip

static (inside,outside) access-list Policy_NAT

access-list crypto_ACL extended permit ip

Also remember that the policy NAT static statement will need to be located above any other static NAT statements.
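The following fills in option A with constructed addresses so the two halves can be seen together; it is an added example, not config from either post. It assumes both sites really use 172.16.0.0/16, site A presents itself to the tunnel as 10.1.0.0/16 and site B as 10.2.0.0/16, using the same pre-8.3 static policy NAT syntax as the reply.

```cisco
! Added example (constructed addresses), pre-8.3 ASA syntax as in the reply above.
! Both sites really use 172.16.0.0/16. Site A is seen by site B as 10.1.0.0/16,
! site B is seen by site A as 10.2.0.0/16. Because the crypto ACLs match only
! the translated networks, the two encryption domains no longer overlap.
!
! ---- Site A ASA ----
! Translate real 172.16.0.0/16 to 10.1.0.0/16, but only for traffic heading
! to site B's mapped range, so ordinary Internet traffic is left alone.
access-list Policy_NAT extended permit ip 172.16.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Keep this policy static above every other static statement so it is
! evaluated first (static NAT is matched in configuration order).
static (inside,outside) 10.1.0.0 access-list Policy_NAT
! The crypto ACL references the mapped networks, never 172.16.0.0/16.
access-list crypto_ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! ---- Site B ASA (mirror image) ----
access-list Policy_NAT extended permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.2.0.0 access-list Policy_NAT
access-list crypto_ACL extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
```

With this in place a site A host reaches the site B host 172.16.5.10 by addressing 10.2.5.10, and the translation can be confirmed with show xlate on each ASA, while show crypto ipsec sa should list only the 10.1.0.0/16 and 10.2.0.0/16 identities for the tunnel.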
