We need to set up a VPN from London to our Milan office; however, we have got the same IP ranges on each side of the tunnel. Milan users only need to access London servers; London users do not need to access Milan servers.
Please see the simple attached diagram. We don't manage the Milan VPN/firewall (SonicWall).
This is my exact same problem, but I need to implement the solution on a Cisco 881 - some of the commands are different, most notably the 'static (inside,outside) ...' command - what would be the equivalent for the 881?
It's probably my bad network drawing skills: London is an ASA and Milan is a SonicWall. The SonicWall is not managed by me, and the people in Milan don't know how to use it, so they have to get someone in, costing money. Is there any way I can control this all from my ASA? They (only 5 users) only need to access servers on the inside of my ASA in London.
I was thinking, in theory: if we created a VPN from London to Milan where the SAs were 2 different subnets we don't use, that way phase 1 and phase 2 will complete, and then we have to fix the NAT or PAT?
E.g. the subnets that clash are all in the 192.168.x.x/24 range (some clash, some don't - messy), so the SAs could be:
Milan - 172.16.1.0/24
London - 172.16.2.0/24
I'm thinking if Milan only needs to come inbound to London, and they need to get to a server in London on IP 192.168.21.1 (actual IP), then I could tell Milan it's on 172.16.1.10, so the traffic comes over the VPN to London, which sees a request for 172.16.1.10, which NATs to 192.168.21.1.
I may be off here, but your theory is exactly what you want to do, but you really only do it on one side. Unfortunately there is a caveat in this scenario (at least with Cisco equipment). The tunnel can only be established from one side. By that I mean Milan can send interesting traffic to London and the tunnel will be built. If the tunnel is down and London wants to connect to Milan, the tunnel will never be built. This doesn't fit well since you have no control over Milan and it's a SonicWall. Would it be easier/cheaper to re-address Milan?
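An added example, not part of any post in the thread: a Python check of the address plan discussed above, run before any NAT or crypto ACL is written. It finds which real subnets clash, confirms the proposed 172.16.x.0/24 tunnel ranges are unused on both sides, and validates a static real-to-presented table for London's servers. The subnet inventories and the 172.16.2.10 mapping are constructed assumptions; 192.168.21.1 and the two 172.16.x.0/24 ranges are from the posts.

```python
from ipaddress import ip_address, ip_network

# Constructed sample inventories (assumption). Only 192.168.21.1 and the
# two 172.16.x.0/24 ranges below are taken from the thread.
LONDON_REAL = ["192.168.10.0/24", "192.168.21.0/24"]
MILAN_REAL = ["192.168.21.0/24", "192.168.30.0/24"]
LONDON_TUNNEL = "172.16.2.0/24"
MILAN_TUNNEL = "172.16.1.0/24"


def nets(cidrs):
    return [ip_network(c) for c in cidrs]


def clashes(side_a, side_b):
    """Return (a, b) pairs of subnets that overlap between the two sites."""
    return [(a, b) for a in nets(side_a) for b in nets(side_b) if a.overlaps(b)]


def tunnel_ranges_free(tunnel_cidrs, *real_sides):
    """True if no tunnel range overlaps another one or any real subnet."""
    tunnels = nets(tunnel_cidrs)
    real = [n for side in real_sides for n in nets(side)]
    for i, t in enumerate(tunnels):
        if any(t.overlaps(n) for n in real + tunnels[i + 1:]):
            return False
    return True


def check_static_map(mapping, real_side, presented_range):
    """Validate a {real_ip: presented_ip} table; return a list of problems."""
    problems, seen = [], set()
    rng = ip_network(presented_range)
    for real, presented in mapping.items():
        if not any(ip_address(real) in n for n in nets(real_side)):
            problems.append(f"{real} is not in a local subnet")
        if ip_address(presented) not in rng:
            problems.append(f"{presented} is outside {presented_range}")
        if presented in seen:
            problems.append(f"{presented} is mapped twice")
        seen.add(presented)
    return problems


if __name__ == "__main__":
    print("clashing subnets:", clashes(LONDON_REAL, MILAN_REAL))
    print("tunnel ranges free:", tunnel_ranges_free([LONDON_TUNNEL, MILAN_TUNNEL], LONDON_REAL, MILAN_REAL))
    print("map problems:", check_static_map({"192.168.21.1": "172.16.2.10"}, LONDON_REAL, LONDON_TUNNEL))
```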