Cisco Support Community

Site to Site VPN - ASA to PIX - Same Subnet Inside

Chaps,

I have an unusual scenario whereby I require a site-to-site VPN tunnel between a version 7 Cisco PIX and a version 8 Cisco ASA which have the same IP subnet at each endpoint. Is it possible to create such a site-to-site tunnel, or will I need to change one of the remote endpoints?

Thanks

Nick

Accepted Solutions

Re: Site to Site VPN - ASA to PIX - Same Subnet Inside

Hi Nicholas,

To allow the traffic to flow through the tunnel when having the same addressing scheme on both ends, you should NAT the VPN traffic.

i.e.

Site A LAN 10.1.1.0/24

Site B LAN 10.1.1.0/24

Site A config:

access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

static (in,out) 192.168.1.0 access-list NAT

access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Site B config:

access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (in,out) 192.168.2.0 access-list NAT

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The idea is that Site A will be translated to 192.168.1.0 when going to Site B, and Site B will be translated to 192.168.2.0 when going to Site A.

Hope it makes sense.


Federico.
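
A consistency check for the two configs in the answer above, as an added example that is not part of the original post: it parses the posted lines, confirms each crypto ACL references the translated (post-NAT) networks and that the mapped ranges do not collide with the real LAN or with each other, and shows which address a host presents to the peer. The helper names (`parse`, `check`, `translate`) are assumptions made for this example.

```python
import ipaddress
import re

# The two sites' lines, copied from the answer above.
SITE_A = """access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (in,out) 192.168.1.0 access-list NAT
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"""
SITE_B = """access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (in,out) 192.168.2.0 access-list NAT
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"""
ACL = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
STATIC = re.compile(r"static \(\S+\) (\S+) access-list \S+")

def parse(cfg):
    """Return {'NAT': (real, dst), 'crypto': (src, dst), 'mapped': net} for one site."""
    site = {}
    for line in cfg.splitlines():
        if m := ACL.match(line.strip()):
            # Store each ACL as (source net, destination net).
            site[m[1]] = tuple(ipaddress.ip_network(f"{m[i]}/{m[i + 1]}") for i in (2, 4))
        elif m := STATIC.match(line.strip()):
            base = m.group(1)
    # Policy static NAT: the mapped network takes the mask of the ACL's source.
    site["mapped"] = ipaddress.ip_network(f"{base}/{site['NAT'][0].prefixlen}")
    return site

def check(a, b):
    """List inconsistencies between the two sites' NAT and crypto ACLs."""
    problems = []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        real, nat_dst = me["NAT"]
        src, dst = me["crypto"]
        if src != me["mapped"]:  # the crypto ACL is matched after NAT
            problems.append(f"{name}: crypto source {src} is not mapped net {me['mapped']}")
        if dst != peer["mapped"] or nat_dst != peer["mapped"]:
            problems.append(f"{name}: destination is not peer's mapped net {peer['mapped']}")
        if me["mapped"].overlaps(real):
            problems.append(f"{name}: mapped net {me['mapped']} overlaps real LAN {real}")
    if a["mapped"].overlaps(b["mapped"]):
        problems.append("mapped nets of A and B overlap")
    return problems

def translate(host, site):
    """Address the peer sees for a real inside host (host offset is preserved)."""
    real = site["NAT"][0]
    offset = int(ipaddress.ip_address(host)) - int(real.network_address)
    return str(site["mapped"].network_address + offset)

if __name__ == "__main__":
    a, b = parse(SITE_A), parse(SITE_B)
    print(check(a, b) or "consistent", translate("10.1.1.25", a), translate("10.1.1.25", b))
```

With this scheme, hosts at Site A reach Site B's 10.1.1.25 by addressing 192.168.2.25, and the reverse direction uses 192.168.1.x.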
