S2S VPN between two ASA 5510s with identical inside IPv4 networks?
I've been asked to set up a site-to-site VPN between two sites running ASA 5510s, but their inside networks use some identical routes. For example, each side has a 10.10.0.0/16 inside route. Internet connectivity at each site is working, each site has static IPv4 outside addresses, and each side runs identical ASA and ASDM software (8.0(2) / 6.0(2)).
The last time I saw something like this on a 'regular' Cisco 800 series router, the admin configured 'shadow' routes that used a different network range, and then used one-to-one NAT (I think) to present each side to the other. In this example I'd see adding one new route to each side:
Then I'd set up the tunnel so side1's local network was 10.10.0.0/16 and remote network was 10.12.0.0/16, and side2's local network was 10.10.0.0/16 and remote was 10.11.0.0/16. Side1 would tunnel to 10.12.0.0/16 and side2 would tunnel to 10.11.0.0/16.
The next part is where I'm getting confused. On side1 I want to present 10.10.0.0/16 as 10.11.0.0/16 to side2, and on side2 to present 10.10.0.0/16 as 10.12.0.0/16 to side1, in a one-to-one translation. On the Cisco 800 I saw this done as:
side1(config)#ip access-list extended side1list permit ip 10.10.0.0 0.0.255.255 any
side1(config)#ip nat pool side1pool 10.11.1.1 10.11.254.254 netmask 255.255.0.0
side1(config)#ip nat vpn1 source list side1list pool side1pool

side2(config)#ip access-list extended side2list permit ip 10.10.0.0 0.0.255.255 any
side2(config)#ip nat pool side2pool 10.12.1.1 10.12.254.254 netmask 255.255.0.0
side2(config)#ip nat vpn2 source list side2list pool side2pool
...or something like that. I might have things reversed right now. But the end result is 10.10.0.0/16 on one side would look like 10.11.0.0/16 or 10.12.0.0/16 depending on which side you were on.
I have access to ASDM on both ASA devices so I can point/click through the VPN setup and make sure the tunnel is up. I'm just a bit lost on the rest. I don't currently have access to the hardware to test, but I will in a few days. I hear this is a pretty common problem when joining networks that haven't been joined before, but a quick search didn't reveal any obvious threads or how-tos.
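As an added example that is not part of the original question, this is how the same "shadow network" idea is expressed on the side1 ASA in 8.0(2) syntax: a policy static NAT that maps 10.10.0.0/16 to 10.11.0.0/16 only for traffic headed to the remote alias 10.12.0.0/16, and a crypto ACL written in the translated addresses. Interface names, ACL and map names, the cipher choices and the bracketed placeholders are assumptions; side2 is the mirror image with 10.11 and 10.12 swapped.

```cisco
! Side1 ASA 5510, software 8.0(2). Interfaces assumed to be named
! "inside" and "outside". Side2 is the mirror image with 10.11 and 10.12
! swapped and the peer address changed. Angle brackets are placeholders.

! 1. Policy NAT: when a 10.10.0.0/16 host on this side talks to the
!    remote side (seen from here as 10.12.0.0/16), translate it one-to-one
!    into 10.11.0.0/16. The mapped network size follows the source mask
!    in the ACL, so 10.10.x.y is presented to side2 as 10.11.x.y.
access-list SIDE1-POLICY-NAT extended permit ip 10.10.0.0 255.255.0.0 10.12.0.0 255.255.0.0
static (inside,outside) 10.11.0.0 access-list SIDE1-POLICY-NAT

! 2. Crypto ACL: interesting traffic is defined in TRANSLATED addresses,
!    because the ASA applies NAT before encryption. Do not list
!    10.10.0.0/16 here, and do not add this traffic to any "nat (inside) 0"
!    exemption ACL: NAT exemption wins over the static and would bypass it.
access-list SIDE1-CRYPTO extended permit ip 10.11.0.0 255.255.0.0 10.12.0.0 255.255.0.0

! 3. IKEv1 phase 1 (pre-shared key) and phase 2 for the L2L tunnel.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address SIDE1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer <SIDE2-PUBLIC-IP>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside
tunnel-group <SIDE2-PUBLIC-IP> type ipsec-l2l
tunnel-group <SIDE2-PUBLIC-IP> ipsec-attributes
 pre-shared-key <STRONG-PSK>

! 4. Result: a side1 host reaches a side2 host by its 10.12.x.y alias,
!    e.g. 10.10.1.5 -> 10.12.1.5, and side2 sees the sender as 10.11.1.5.
!    Side2 applies the mirror translation, so neither site ever sees
!    the other's real 10.10.0.0/16 addresses inside the tunnel.
```

The ASDM site-to-site wizard generates the tunnel-group, crypto map and phase 1/2 policy, but it writes the crypto ACL with the real network and does not create the policy static; after running it, replace the ACL with the translated one and add the static by hand, then check the result with `show xlate` and `show crypto ipsec sa`.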