cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
973
Views
0
Helpful
9
Replies

VPN w/overlapping networks

mike
Level 1
Level 1

I am going to be setting up a site-to-site VPN connection between 2 locations. Site A is local and site B is remote. Site B is another company that will be running software on a server at Site A. I do not have access to any of the equipment at site B.

Here is the issue....Site B has multiple VPN tunnels with other customers of thiers. One of their existing tunnels is already configured using the same subent as Site A. So, they cannot use the same subnet for our VPN setup. The Site A subnet is 192.168.11.0/24 and cannot be changed due to some equipment that is hard coded with the IP information. So, Site B wants to use 10.133.6.0/32. I need to translate the 10.133.6.0/32 to my local so traffic can cross the VPN. Ultimately, the server is the only thing that needs to traverse the tunnel. It's IP is 192.168.11.55.

I have a Cisco ASA 5505 and I am using the ASDM to configure the tunnel.

Any help would be appreciated.

Thanks

Mike

1 Accepted Solution

Accepted Solutions

Hello Mike,

Ok so here is what you need:

access-list whatever permit ip 192.168.11.0 255.255.255.0 site_b_subnet 255.255.255.0

nat (inside) 11 access-list whatever

global (inside) 11 10.133.6.0 255.255.255.0

Now on the crypto ACL for the VPN traffic between site A and Site B

access-list VPN_whatever permit ip  10.133.6.0 255.255.255.0 site_b_subnet 255.255.255.0

That's all you need on site A! On site B all you need to do is to configure the crypto ACL with the

10.133.6.0 subnet.

access-list VPN_whatever permit ip   site_b_subnet 255.255.255.0  10.133.6.0 255.255.255.0

That's it!

Let me know if you have any other question,

Do rate all the helpful posts

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

9 Replies 9

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Mike,

I can help you, but I will use CLI commands as its so much faster and easier for troubleshooting purposes.

All you need is to do is to change some of the Nat configuration and Crypto ACL on the Site A.

What version are you running on the ASA on site A?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio,

I am running Version 8.2

Thanks

Mike

Hello Mike,

Ok so here is what you need:

access-list whatever permit ip 192.168.11.0 255.255.255.0 site_b_subnet 255.255.255.0

nat (inside) 11 access-list whatever

global (inside) 11 10.133.6.0 255.255.255.0

Now on the crypto ACL for the VPN traffic between site A and Site B

access-list VPN_whatever permit ip  10.133.6.0 255.255.255.0 site_b_subnet 255.255.255.0

That's all you need on site A! On site B all you need to do is to configure the crypto ACL with the

10.133.6.0 subnet.

access-list VPN_whatever permit ip   site_b_subnet 255.255.255.0  10.133.6.0 255.255.255.0

That's it!

Let me know if you have any other question,

Do rate all the helpful posts

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Im not seeing any nat exemption from site A to site B.Is it possible to send traffic across the tunnel without nat exemption?

Hello Zill,

In deed as we want to nat the Site A network to something different, in this particular case the no nat configuration is not requried as we will not use it.

Let me know if this is clear enough or if I can do something else to help.

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio,

I have entered most of the above commands. However, I am not sure what to put for the VPN_whatever name. Is this the name of the crypto map? or the tunnel group?

Sorry for the noob questions. Just trying to get a handle on all of this.

Thanks for all your help.

Mike

Hello Mike,

Do not worry, the whatever means you can name the access-list whatever you want.Lol

I mean call it on a way that will be easy to understand is used to the Policy nat and the VPN.

Lets call it VPN_ACL.

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for all your help Julio. The tunnel is up and running!

I ended up not needing the global (inside) or NAT (inside) as we ended up doing a static IP to IP route so traffic only goes between 2 IP addresses instead of being wide open.

Other than that, what you gave me worked and made more sense once it was in place and I started running packet traces to test.

Thanks again!!

Mike

Hello Mike,

My pleasure.

Have a great day.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: