Help with NAT for overlapping scopes on IPSec tunnel
I have an ASA5510 on which I need to set up 2 IPSec tunnels to the same subnet on different networks:
My challenge is that I cannot touch the far end, and neither is willing to set up NAT on their side. I would like to be able to punch in 10.10.0.0 to get to hosts on the CustomerA network, and 10.20.0.0 to get to hosts on the CustomerB network.
So, for example, when I type in 10.10.0.1 it goes through the IPSec tunnel for Customer A and ends up at host 172.16.0.1.
And when I type in 10.20.0.1 it goes through the IPSec tunnel for Customer B and ends up at host 172.16.0.1.
Re: Help with NAT for overlapping scopes on IPSec tunnel
You can mask your internal IPs to different ranges.
The problem is that the ASA will still receive traffic from 172.16.0.0/16 on the same outside interface.
How will the ASA differentiate which packets are from Customer A and which from Customer B?
Let's say that your internal network is 192.168.1.0/24
So, you can create a NAT rule to translate the internal LAN to 10.10.10.0/24 when going to customer A and to 10.20.20.20/24 when going to Customer B.
The problem is that in order to NAT the incoming traffic from the customers, the ASA will receive a range of 172.16.0.0/16 for both customers. I don't see how the ASA will differentiate one customer from another going to the same destination.
Anyway, this is something I'm going to try to lab and see if we can make it work (but I don't see how just now).
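The twice-NAT approach the reply sketches, written out as an added ASA (8.3+ syntax) configuration fragment; it is not from the thread. Assumed values: inside LAN 192.168.1.0/24, both customers really use 172.16.0.0/16, the mapped LAN ranges 10.100.1.0/24 and 10.200.1.0/24 are chosen here, and PEER_A_IP / PEER_B_IP, the IKE policy and the tunnel-groups are placeholders or omitted.

```cisco
! Assumed addressing (not from the thread). Real inside LAN:
object network LAN-real
 subnet 192.168.1.0 255.255.255.0
! How Customer A and Customer B each see our LAN (distinct ranges):
object network LAN-mapped-A
 subnet 10.100.1.0 255.255.255.0
object network LAN-mapped-B
 subnet 10.200.1.0 255.255.255.0
! The real range both customers use:
object network CUST-real
 subnet 172.16.0.0 255.255.0.0
! What our users type to reach Customer A and Customer B:
object network CUSTA-mapped
 subnet 10.10.0.0 255.255.0.0
object network CUSTB-mapped
 subnet 10.20.0.0 255.255.0.0
!
! Twice NAT matches on source AND destination: the destination the user
! typed (10.10.x.x or 10.20.x.x) selects the rule outbound. The rule is
! bidirectional, so a packet arriving from 172.16.x.x is untranslated by
! the rule whose mapped LAN (10.100.1.x or 10.200.1.x) it is addressed to,
! which is what keeps the two customers apart on the inbound side.
nat (inside,outside) source static LAN-real LAN-mapped-A destination static CUSTA-mapped CUST-real
nat (inside,outside) source static LAN-real LAN-mapped-B destination static CUSTB-mapped CUST-real
!
! Crypto ACLs use post-NAT addresses: NAT runs before encryption on the ASA.
access-list VPN-A extended permit ip 10.100.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN-B extended permit ip 10.200.1.0 255.255.255.0 172.16.0.0 255.255.0.0
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-A
crypto map OUTSIDE_MAP 10 set peer PEER_A_IP
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN-B
crypto map OUTSIDE_MAP 20 set peer PEER_B_IP
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
```

Before relying on it, walk a flow with `packet-tracer input inside tcp 192.168.1.5 1234 10.10.0.1 80` and confirm the NAT phase picks the Customer A rule and the VPN phase picks crypto map entry 10; `show nat detail` and `show xlate` show the translations in use.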