New VPN has the same IP subnet range as another, NAT?
I am using an ASA 5520. I have a VPN set up already to a remote office using subnet 172.16.x.x/16, and it all works well and I don't want to change this. Now I need to set up another VPN to another office which is also using 172.16.x.x/16. This new office needs to connect to servers where I'm based (where the ASA is).
How can I get round this?
Would I create a VPN using an IP range that isn't used anywhere else for this regional office?
HQ (me) - 192.168.21.x/24
Remote site - 192.168.31.x/24
That way phase 2 will come up although nothing would work.
Now would I need to NAT and where? The remote site that is on 172.16.x.x (now on 192.168.31.x) needs to connect to about 10 servers on 192.168.21.x/24
I've never done NAT before and it sounds difficult.
Re: New VPN has the same IP subnet range as another, NAT?
In the above example, and likely your situation, it becomes a 1-to-1 translation:
Private network Site A:
10.1.1.0/24 == 192.168.1.0/24
Private network Site B:
10.1.1.0/24 == 192.168.2.0/24
Site A NAT config:
access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (in,out) 192.168.1.0 access-list NAT_VPN
Site B NAT config:
access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (in,out) 192.168.2.0 access-list NAT_VPN
When a PC at Site B (i.e. 10.1.1.201) wants to talk to a mail server at Site A (i.e. 10.1.1.31), it would send its request to 192.168.1.31. Notice that network is defined in the encryption domain of Site B's firewall. Site B NATs the src address from 10.1.1.201 to 192.168.2.201.
The server at Site A would see this request coming from 192.168.2.201. Site A's firewall would then NAT the response by changing the src IP from 10.1.1.31 to 192.168.1.31, and the cycle continues.
As far as I know, the policy nat translation needs to be at the *top* of the list of static translations. You may need to remove all other statics, add the policy nat static, and then add them back in.
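The packet walk described in the reply above, modelled as an added example that is not part of the original thread or any Cisco code. The names `Site`, `egress`, `ingress` and `round_trip` are hypothetical, and the model covers only the address rewriting of the 1-to-1 policy NAT, including the ACL condition that limits translation to traffic bound for the peer's mapped range.

```python
import ipaddress
from dataclasses import dataclass

NET = ipaddress.ip_network

@dataclass(frozen=True)
class Site:
    real: ipaddress.IPv4Network         # overlapping private network
    mapped: ipaddress.IPv4Network       # unique range presented over the VPN
    peer_mapped: ipaddress.IPv4Network  # NAT_VPN ACL destination (peer's mapped range)

def _remap(addr, src_net, dst_net):
    """1-to-1 translation: keep the host bits, swap the network bits."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)

def egress(site, src, dst):
    """Inside -> tunnel: rewrite the source only when the policy ACL matches."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if src in site.real and dst in site.peer_mapped:
        return _remap(src, site.real, site.mapped), dst
    return src, dst  # no ACL match: the packet is left untranslated

def ingress(site, src, dst):
    """Tunnel -> inside: the same static entry un-translates the destination."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst in site.mapped and src in site.peer_mapped:
        return src, _remap(dst, site.mapped, site.real)
    return src, dst

def round_trip(client_site, server_site, client_ip, server_mapped_ip):
    """Return the (src, dst) pair seen at each hop of the request and the reply."""
    on_wire = egress(client_site, client_ip, server_mapped_ip)
    at_server = ingress(server_site, *on_wire)
    reply_wire = egress(server_site, at_server[1], at_server[0])
    at_client = ingress(client_site, *reply_wire)
    return [tuple(map(str, hop)) for hop in (on_wire, at_server, reply_wire, at_client)]

# Addresses taken from the reply: both sites really use 10.1.1.0/24.
SITE_A = Site(NET("10.1.1.0/24"), NET("192.168.1.0/24"), NET("192.168.2.0/24"))
SITE_B = Site(NET("10.1.1.0/24"), NET("192.168.2.0/24"), NET("192.168.1.0/24"))

if __name__ == "__main__":
    labels = ("request in tunnel", "request at server", "reply in tunnel", "reply at client")
    for label, hop in zip(labels, round_trip(SITE_B, SITE_A, "10.1.1.201", "192.168.1.31")):
        print(f"{label:18} src={hop[0]:15} dst={hop[1]}")
```

Inside the tunnel only the 192.168.1.x and 192.168.2.x addresses appear, which is why each side's crypto ACL has to reference the mapped ranges and not 10.1.1.0/24.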