Cisco Support Community
S2S VPN between two ASA 5510s with identical inside IPv4 networks?

I've been asked to set up a site-to-site VPN between two sites running ASA 5510s, but their inside networks use some identical routes. For example, each side has a 10.10.0.0/16 inside route. Internet connectivity at each site is working, each site has static IPv4 outside addresses, and each side runs identical ASA and ASDM software (8.0(2) / 6.0(2)).

The last time I saw something like this on a 'regular' Cisco 800 series router, the admin configured 'shadow' routes that used a different network range, and then used one-to-one NAT (I think) to present each side to the other. In this example I'd see adding one new route each to each side:

side1(config)#ip route 10.11.0.0 255.255.0.0 10.10.0.254

side2(config)#ip route 10.12.0.0 255.255.0.0 10.10.0.254

Then I'd set up the tunnel so side1's local network was 10.10.0.0/16 and remote network was 10.12.0.0/16, and side2's local network was 10.10.0.0/16 and remote was 10.11.0.0/16. Side1 would tunnel to 10.12.0.0/16 and side2 would tunnel to 10.11.0.0/16.

The next part is where I'm getting confused. On side1 I want to present 10.10.0.0/16 as 10.11.0.0/16 to side2, and on side2 to present 10.10.0.0/16 as 10.12.0.0/16 to side1, in a one-to-one translation. On the Cisco 800 I saw this done as:

side1(config)#ip access-list extended side1list
side1(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 any
side1(config)#ip nat pool side1pool 10.11.1.1 10.11.254.254 netmask 255.255.0.0
side1(config)#ip nat inside source list side1list pool side1pool

side2(config)#ip access-list extended side2list
side2(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 any
side2(config)#ip nat pool side2pool 10.12.1.1 10.12.254.254 netmask 255.255.0.0
side2(config)#ip nat inside source list side2list pool side2pool

...or something like that. I might have things reversed right now. But the end result is 10.10.0.0/16 on one side would look like 10.11.0.0/16 or 10.12.0.0/16 depending on which side you were on.

I have access to ASDM on both ASA devices so I can point/click through the VPN setup and make sure the tunnel is up. I'm just a bit lost on the rest. I don't currently have access to the hardware to test, but I will in a few days. I hear this is a pretty common problem when joining networks that haven't been joined before, but a quick search didn't reveal any obvious threads or how-tos.
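The ASA equivalent of the "shadow network" idea is static policy NAT, shown below as an added example in ASA 8.0(2) (pre-8.3) CLI; this is not from the original post. Peer addresses (198.51.100.2 / 203.0.113.2), ACL and crypto map names, the transform set and the host addresses in the trace are assumed placeholders.

```text
! ===== Side 1 ASA (8.0(2), pre-8.3 NAT syntax) =====
! 1. Static policy NAT: present local 10.10.0.0/16 as 10.11.0.0/16, but only
!    for traffic going to side 2's translated range 10.12.0.0/16. The ASA
!    takes the network mask from the ACL, so no netmask keyword is needed.
access-list side1-nat extended permit ip 10.10.0.0 255.255.0.0 10.12.0.0 255.255.0.0
static (inside,outside) 10.11.0.0 access-list side1-nat
! 2. Crypto ACL must use the TRANSLATED source: NAT runs before IPsec, so the
!    tunnel matches 10.11.0.0/16 -> 10.12.0.0/16, never 10.10.0.0/16.
access-list side1-vpn extended permit ip 10.11.0.0 255.255.0.0 10.12.0.0 255.255.0.0
! 3. Standard L2L pieces (isakmp policy and "crypto isakmp enable outside" omitted).
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address side1-vpn
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
! Caveat: no "nat (inside) 0 access-list ..." (NAT exemption) entry may cover
! 10.10.0.0/16 -> 10.12.0.0/16; exemption wins and the untranslated source
! would then never match side1-vpn. No extra route for 10.12.0.0/16 is needed
! as long as the default route points out the outside interface.

! ===== Side 2 ASA: mirror image =====
access-list side2-nat extended permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
static (inside,outside) 10.12.0.0 access-list side2-nat
access-list side2-vpn extended permit ip 10.12.0.0 255.255.0.0 10.11.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address side2-vpn
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! ===== Worked packet trace (constructed hosts) =====
! side1 host 10.10.1.5 reaches the side2 host 10.10.2.7 by its alias 10.12.2.7:
!   ASA1 static: src 10.10.1.5 -> 10.11.1.5; now matches side1-vpn; encrypted.
!   ASA2 decrypts src 10.11.1.5 dst 10.12.2.7; side2-nat untranslates dst -> 10.10.2.7.
!   Reply 10.10.2.7 -> 10.11.1.5: ASA2 maps src -> 10.12.2.7, matches side2-vpn;
!   ASA1 untranslates dst 10.11.1.5 -> 10.10.1.5. Each site only ever sees the alias.
! Check on side 1 before bringing users onto it (packet-tracer exists from 7.2):
!   packet-tracer input inside tcp 10.10.1.5 12345 10.12.2.7 80
! The NAT phase should show side1-nat and the VPN phase should show side1-vpn.
```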
