Cisco Support Community

Site-to-Site VPN access to HO servers with overlapping remote site network

Hi All,

I have a requirement to create a site-to-site VPN tunnel on an ASA 5510 from a remote site to my HO; I already have other site-to-site tunnels up and running on the ASA. The issue is that my remote site has a network address which falls in one of the subnets used in HO (192.168.10.0/24). My requirement is only that my remote site needs to access a couple of my servers in HO, which are in the 192.168.200.0/24 subnet.

Kindly help with how I can achieve this; your early advice is much appreciated.

Thanks in advance
Shanil

1 ACCEPTED SOLUTION

Site-to-Site VPN access to HO servers with overlapping remote site

Hi Shanil,

I think the setup at your end is somewhat like this:

You want the remote location to access the servers in subnet 192.168.200.0/24 behind the HQ ASA. In this case you can NAT the traffic coming from remote location to a different subnet when going to 192.168.200.0/24.

i.e. the subnet 192.168.10.0/24 will look like 192.168.51.0/24 when it goes to 192.168.200.0

This can be done by using policy-based NAT:

access-list policy-nat permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0

static (inside,outside) 192.168.51.0 access-list policy-nat

In the crypto access-list on the remote side you will have:

access-list cryptoacl permit ip 192.168.51.0 255.255.255.0 192.168.200.0 255.255.255.0 (this is because the remote side will be seen as 192.168.51.0/24 and not 192.168.10.0/24)

Similarly, on the HQ end the crypto access-list will be:

access-list xxxxx permit ip 192.168.200.0 255.255.255.0 192.168.51.0 255.255.255.0

Please try this and let me know if this helps.

Thanks,

Vishnu Sharma
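An added check, not part of Vishnu's answer and not Cisco tooling: a short Python script that validates the policy-NAT plan before it goes on the ASA. The mapped subnet must be free on both sides (otherwise the overlap just moves to a new address), a host address is translated both ways so an HQ server log showing 192.168.51.x can be tied back to the real remote host, decrypted tunnel sources are classified so an untranslated 192.168.10.x leaking through is spotted, and the two crypto ACL lines from the thread are generated from the plan. The three subnets are the ones named in the thread; the assumption that HQ routes 192.168.10.0/24 and 192.168.200.0/24 internally and the HQ ACL name hq-crypto are constructed for this example.

```python
import ipaddress

# Constructed inputs for this example. The three subnets are the ones named in the
# thread; that HQ routes both 192.168.10.0/24 and 192.168.200.0/24 is an assumption
# drawn from Shanil's description of the overlap.
HQ_SUBNETS = ["192.168.10.0/24", "192.168.200.0/24"]
REMOTE_SUBNET = "192.168.10.0/24"      # real addresses at the remote site
HQ_SERVERS = "192.168.200.0/24"        # the only HQ subnet the remote may reach
MAPPED_SUBNET = "192.168.51.0/24"      # what the remote looks like after policy NAT


def _net(n):
    """Accept either a string or an ip_network object."""
    return ipaddress.ip_network(n, strict=True)


def overlapping_hq_subnets(remote, hq_subnets):
    """Return the HQ subnets that collide with the remote site's real subnet.
    A non-empty result is what forces the policy-NAT design from the thread."""
    remote = _net(remote)
    return [str(n) for n in map(_net, hq_subnets) if n.overlaps(remote)]


def mapped_subnet_problems(mapped, real, hq_subnets):
    """Check the candidate mapped subnet. Static policy NAT is a one-to-one network
    translation, so the mapped block must be the same size as the real one, and it
    must be unused on both sides or the overlap simply moves to a new address.
    An empty list means the candidate is usable."""
    mapped, real = _net(mapped), _net(real)
    problems = []
    if mapped.prefixlen != real.prefixlen:
        problems.append("mapped subnet must be the same size as the real subnet")
    if mapped.overlaps(real):
        problems.append("mapped subnet overlaps the real remote subnet")
    for n in map(_net, hq_subnets):
        if mapped.overlaps(n):
            problems.append(f"mapped subnet overlaps HQ subnet {n}")
    return problems


def translate(host, real, mapped):
    """Real remote host -> address HQ will see (same host bits, mapped network bits)."""
    host, real, mapped = ipaddress.ip_address(host), _net(real), _net(mapped)
    if host not in real:
        raise ValueError(f"{host} is not in the real subnet {real}")
    offset = int(host) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


def untranslate(seen, real, mapped):
    """Inverse mapping: an HQ server log shows a 192.168.51.x source and the analyst
    needs the real host at the remote site."""
    return translate(seen, mapped, real)


def classify_tunnel_source(src, mapped, real):
    """Defender check on the HQ side for the source of a decrypted packet.
    'ok' is the mapped subnet; 'untranslated' means the remote's real, overlapping
    subnet came through, i.e. the policy NAT did not apply; anything else is 'unexpected'."""
    src = ipaddress.ip_address(src)
    if src in _net(mapped):
        return "ok"
    if src in _net(real):
        return "untranslated"
    return "unexpected"


def crypto_acl_lines(mapped, servers):
    """The pre-8.3 crypto ACLs from the thread, generated from the plan. Both sides
    reference the mapped subnet: NAT is applied before the crypto-map match, so the
    real 192.168.10.0/24 never appears in the interesting-traffic definition."""
    m, s = _net(mapped), _net(servers)
    m_txt = f"{m.network_address} {m.netmask}"
    s_txt = f"{s.network_address} {s.netmask}"
    return {
        "remote": f"access-list cryptoacl permit ip {m_txt} {s_txt}",
        "hq": f"access-list hq-crypto permit ip {s_txt} {m_txt}",  # ACL name is an assumption
    }


if __name__ == "__main__":
    print("HQ subnets colliding with remote:", overlapping_hq_subnets(REMOTE_SUBNET, HQ_SUBNETS))
    print("problems with mapped subnet:",
          mapped_subnet_problems(MAPPED_SUBNET, REMOTE_SUBNET, HQ_SUBNETS) or "none")
    print("remote host 192.168.10.23 appears at HQ as",
          translate("192.168.10.23", REMOTE_SUBNET, MAPPED_SUBNET))
    for side, line in crypto_acl_lines(MAPPED_SUBNET, HQ_SERVERS).items():
        print(f"{side:7s} {line}")
```

Run it as-is to print the plan, or change MAPPED_SUBNET to a block already in use at HQ to see the check reject it. On ASA 8.3 and later the NAT syntax is different (object-based twice NAT instead of `static ... access-list`), but the address checks above are the same.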


Site-to-Site VPN access to HO servers with overlapping remote site

Thank you very much, Vishnu. I clearly understood the config.

It may take a month to establish this. I will revert once it's done. Once again, thanks for your help.
