Cisco Support Community
S2S VPN between two ASA 5510s with identical inside IPv4 networks?

I've been asked to set up a site-to-site VPN between two sites running ASA 5510s, but their inside networks use some identical routes. For example, each side has an inside route. Internet connectivity at each site is working, each site has static IPv4 outside addresses, and each side runs identical ASA and ASDM software (8.0(2) / 6.0(2)).

The last time I saw something like this on a 'regular' Cisco 800 series router, the admin configured 'shadow' routes that used a different network range, and then used one-to-one NAT (I think) to present each side to the other. In this example I'd see adding one new route on each side:

side1(config)#ip route

side2(config)#ip route

Then I'd set up the tunnel so side1's local network was and remote network was, and side2's local network was and remote was. Side1 would tunnel to, and side2 would tunnel to.

The next part is where I'm getting confused. On side1 I want to present as to side2, and on side2 to present as to side1, in a one-to-one translation. On the Cisco 800 I saw this done as:

side1(config)#ip access-list extended side1list
side1(config-ext-nacl)#permit ip any
side1(config)#ip nat pool side1pool netmask
! IOS keyword is "inside" (the posted "vpn1" is not a NAT keyword); the LAN and
! WAN interfaces also need "ip nat inside" / "ip nat outside" respectively.
side1(config)#ip nat inside source list side1list pool side1pool

side2(config)#ip access-list extended side2list
side2(config-ext-nacl)#permit ip any
side2(config)#ip nat pool side2pool netmask
side2(config)#ip nat inside source list side2list pool side2pool

...or something like that. I might have things reversed right now. But the end result is on one side would look like or depending on which side you were on.

I have access to ASDM on both ASA devices so I can point/click through the VPN setup and make sure the tunnel is up. I'm just a bit lost on the rest. I don't currently have access to the hardware to test, but I will in a few days. I hear this is a pretty common problem when joining networks that haven't been joined before, but a quick search didn't reveal any obvious threads or how-tos.

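The ASA equivalent of what the post describes, as an added example that is not part of the original thread or a Cisco reference config. All addresses are assumptions, since the actual prefixes did not survive in the post: both sites use 192.168.1.0/24 inside, site1 is presented to site2 as 10.1.1.0/24, site2 is presented to site1 as 10.2.2.0/24, and the outside addresses are 203.0.113.1 and 203.0.113.2. The translation is done with static policy NAT (the 8.0 `static ... access-list` form, which ASDM shows as "Static Policy NAT"), so the crypto ACL on each side lists the translated local network and the two crypto ACLs mirror each other exactly.

```cisco
! ===== site1 ASA 5510, 8.0(2) syntax -- constructed example, assumed addresses =====
! Real inside 192.168.1.0/24 is shown to site2 as 10.1.1.0/24, but only for
! traffic headed to site2's translated range 10.2.2.0/24. Static policy NAT is
! one-to-one within the subnet, so host 192.168.1.x appears to site2 as 10.1.1.x.
access-list NAT_TO_SITE2 extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list NAT_TO_SITE2
!
! Crypto ACL ("interesting traffic") uses the TRANSLATED local network, because
! the ASA applies NAT before encryption. It must be the exact mirror of site2's.
access-list VPN_TO_SITE2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Phase 1 / Phase 2 (8.0 syntax; 8.4 and later rename "crypto isakmp" to "crypto ikev1")
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <long-random-psk>
!
! ===== site2 ASA 5510 -- the mirror image =====
access-list NAT_TO_SITE1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
static (inside,outside) 10.2.2.0 access-list NAT_TO_SITE1
access-list VPN_TO_SITE1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <same-long-random-psk>
!
! ===== Checks on site1, after a host at 192.168.1.10 tries to reach 10.2.2.10 =====
! packet-tracer input inside icmp 192.168.1.10 8 0 10.2.2.10
!   -> the NAT phase should show 192.168.1.10 translated to 10.1.1.10 and the
!      VPN phase should match crypto map OUTSIDE_MAP 10
! show xlate                 -> "Global 10.1.1.10 Local 192.168.1.10"
! show crypto isakmp sa      -> state MM_ACTIVE toward 203.0.113.2
! show crypto ipsec sa       -> pkts encaps/decaps rising for 10.1.1.0 <-> 10.2.2.0
```

Three things to check before calling it done. Hosts on each side must address the other side by its translated 10.x range (DNS records or hosts entries), never by 192.168.1.x, or the packet is routed locally and never reaches the crypto map. Any existing NAT exemption (`nat (inside) 0 access-list ...`) is evaluated before static NAT, so its ACL must not match traffic from 192.168.1.0/24 to the other site's translated range, or the policy static is skipped and the crypto ACL never matches. Finally, the ASA defaults to `sysopt connection permit-vpn`, which lets decrypted tunnel traffic bypass the outside interface ACL; if only certain hosts or ports should cross the link, narrow the crypto ACL or attach a `vpn-filter` ACL to the tunnel's group-policy rather than relying on the outside ACL.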