ASA 5515 S2S VPN Issue - Overlapping Networks

Hi All,

I am looking for some help with the following problem. I have a client that I am trying to set up an S2S VPN with, but I have run into an issue with overlapping networks.

I am setting it up from my DMZ to their local network but the trouble is their local network and my local network overlap.

My ASA Interfaces are

inside                 172.30.0.1      255.252.0.0     

DMZ                    172.19.140.1    255.255.255.0

My customer's local LAN is 172.30.80.0 255.255.240.0

The VPN goes from my DMZ to the customer site. If I did not have overlapping networks, the following config would bring up the VPN:

name *.*.*.* Customer_VPN
!
object-group network Customer_REMOTE_NETS
  network-object 172.30.80.0 255.255.240.0
  !
access-list Customer_VPN permit ip object obj-172.19.140.0 object-group Customer_REMOTE_NETS
!
nat (DMZ,OUTSIDE) source static obj-172.19.140.0 obj-172.19.140.0 destination static Customer_REMOTE_NETS Customer_REMOTE_NETS no-proxy-arp route-lookup
!
crypto map S2S 430 match address Customer_VPN
crypto map S2S 430 set peer *.*.*.*
crypto map S2S 430 set ikev1 transform-set ESP-3DES-SHA
crypto map S2S 430 set security-association lifetime seconds 3600
crypto map S2S 430 set security-association lifetime kilobytes 4608000
!
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
 pre-shared-key ********
!

Due to the overlapping networks, the interesting traffic tries to go into the inside interface rather than bringing up the tunnel.

I am not sure how to solve this

I cannot NAT my DMZ traffic as it will make no difference

My customer cannot NAT his traffic.

I think the only option I have is to set up a static route to the customer's LAN, but I am not sure how to tie that into the config?

Is there something else I can do that I am not thinking of?

Any advice or suggestions would be welcome

Thanks

Gary

Accepted Solutions
Hi garybrophy

 

You can do a NAT in order to solve the issue with the overlap on one ASA:

 

For example:

 

! LOCAL_REAL = the 172.30.0.0 inside network, REMOTE_REAL = 172.30.80.0; the *_TRANSLATED objects hold the non-overlapping translated addresses
nat (inside,outside) source static LOCAL_REAL LOCAL_TRANSLATED destination static REMOTE_TRANSLATED REMOTE_REAL

 

You have to use different IPs for the translated ones.

 

Hope this helps
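One concrete way to apply that twice NAT to the DMZ-side tunnel from the question, as an added example that is neither the answerer's nor the poster's configuration. It assumes 10.80.0.0/20 is an unused range chosen as the mapped (translated) copy of the customer LAN, and that DMZ hosts (and any DNS they use) address the customer by those mapped IPs; object and ACL names follow the question's config.

```cisco
! Added example (assumption: 10.80.0.0/20 is unused locally and stands in for the customer LAN)
object network obj-172.19.140.0
 subnet 172.19.140.0 255.255.255.0
object network Customer_REMOTE_REAL
 subnet 172.30.80.0 255.255.240.0
object network Customer_REMOTE_MAPPED
 subnet 10.80.0.0 255.255.240.0
!
! Twice NAT: a DMZ host sends to 10.80.1.10 and the ASA rewrites the destination to
! 172.30.81.10 before encryption; the DMZ source is left unchanged (identity).
! route-lookup is deliberately omitted: with it, the ASA would route 172.30.80.0/20
! via the inside route for 172.30.0.0/14 instead of OUTSIDE. The mapped range is also
! outside that inside route, so a default route still leads to OUTSIDE.
nat (DMZ,OUTSIDE) source static obj-172.19.140.0 obj-172.19.140.0 destination static Customer_REMOTE_MAPPED Customer_REMOTE_REAL no-proxy-arp
!
! The crypto ACL matches post-NAT (real) addresses, so it still names the real customer LAN;
! the customer side sees the unchanged DMZ addresses and needs no NAT of its own.
access-list Customer_VPN extended permit ip object obj-172.19.140.0 object Customer_REMOTE_REAL
!
! Verification: translate_hits on the rule should increment, and packet-tracer should
! show the NAT phase followed by VPN encrypt with egress OUTSIDE rather than inside.
! show nat detail
! packet-tracer input DMZ tcp 172.19.140.10 12345 10.80.1.10 443
```

If the tunnel still tries to use the inside interface, check that no earlier manual NAT rule (such as the original identity rule with route-lookup) matches the same DMZ-to-customer traffic first.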

 

 
