Cisco Site to Site VPN - Same Subnet



We have an ASA 5510 and one of our VLANs is in use at the other end of a site to site VPN we have in place.

 
The other side is managed by another company and they have put in all the routing on their side so that we just have to "nat 10.40.10.0/24 to 10.147.135.0" for the VLAN to be able to traverse the tunnel.
 
 
I added network objects for all the subnets:
 
NET-10.40.10.0   = VLAN that is on our side, 10.40.10.0. This is the VLAN that can't access the VPN.
 
NET-10.147.135.0 = What they want the 10.40.10.0 subnet to be translated to for the VPN tunnel.
 
NET-10.0.0.0 = Their subnet on their side (it's a large corporation). It is a /8 network.
 
I have added the NET-10.147.135.0 object to the ACL that allows our networks to talk to their VPN.
 
When I add the NAT rule it kills the Internet connection for that VLAN and I am not able to ping their network either:
 
nat (inside,outside) source static NET-10.40.10.0 NET-10.0.0.0
                      destination static NET-10.147.135.0  NET-10.147.135.0
 
I know I am missing something so simple but I have been hitting my head against the wall the past few days now on this.  
 
https://www.neowin.net/forum/topic/1238536-cisco-site-to-site-vpn-same-subnet/
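To reason about the rule posted above without an ASA at hand, here is a small Python model of twice-NAT first-match evaluation (added for this thread; it is not Cisco code and not from the original post). It encodes the rule exactly as posted and, beside it, the rule I read the requirement "nat 10.40.10.0/24 to 10.147.135.0" as asking for (an assumption, labelled `INTENDED_RULE`): source 10.40.10.0/24 statically mapped to 10.147.135.0/24 whenever the destination is the remote 10.0.0.0/8, with identity destination NAT. The crypto ACL is also assumed, from the statement that the 10.147.135.0 object was added to the ACL that allows traffic into the tunnel. The model only covers section-1 manual NAT and does not attempt to explain the Internet breakage; it shows which packets each rule matches, what they look like after translation, and whether the post-NAT addresses would match the tunnel ACL.

```python
"""Model of ASA twice-NAT matching for the overlapping-subnet VPN case (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TwiceNatRule:
    """One 'nat (inside,outside) source static REAL MAPPED destination static MAPPED_DST REAL_DST' line.

    dst_match is the destination the inside host actually sends to (first object of the
    destination clause); dst_mapped is what it is rewritten to. Identity destination NAT
    uses the same object for both, as both rules below do.
    """
    name: str
    src_real: IPv4Network
    src_mapped: IPv4Network
    dst_match: IPv4Network
    dst_mapped: IPv4Network


def static_translate(addr: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """Static network-to-network translation: keep the host bits, swap the network prefix."""
    host_bits = int(addr) - int(real.network_address)
    return IPv4Address(int(mapped.network_address) + host_bits)


def apply_nat(rules: List[TwiceNatRule], src: str, dst: str) -> Tuple[IPv4Address, IPv4Address, Optional[str]]:
    """First-match evaluation of section-1 twice-NAT rules, inside -> outside direction.

    Returns the post-NAT (source, destination) and the matching rule's name, or the
    untouched addresses and None when no policy rule matches (the packet would then fall
    through to any dynamic PAT in later sections, which this model does not cover).
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src_real and d in rule.dst_match:
            return (static_translate(s, rule.src_real, rule.src_mapped),
                    static_translate(d, rule.dst_match, rule.dst_mapped),
                    rule.name)
    return (s, d, None)


def lint_rule(rule: TwiceNatRule) -> List[str]:
    """Flag a static source mapping between networks of different size."""
    findings = []
    if rule.src_real.prefixlen != rule.src_mapped.prefixlen:
        findings.append(f"{rule.name}: source static maps a /{rule.src_real.prefixlen} onto a "
                        f"/{rule.src_mapped.prefixlen}; static network NAT expects equal-size networks")
    return findings


# Networks taken from the thread (object names as posted)
LOCAL_VLAN = ip_network("10.40.10.0/24")    # NET-10.40.10.0
MAPPED_VLAN = ip_network("10.147.135.0/24")  # NET-10.147.135.0
REMOTE_NET = ip_network("10.0.0.0/8")        # NET-10.0.0.0

# The rule exactly as posted: source NET-10.40.10.0 -> NET-10.0.0.0, destination NET-10.147.135.0 identity
POSTED_RULE = TwiceNatRule("posted", LOCAL_VLAN, REMOTE_NET, MAPPED_VLAN, MAPPED_VLAN)
# Assumed reading of the requirement: source NET-10.40.10.0 -> NET-10.147.135.0, destination NET-10.0.0.0 identity
INTENDED_RULE = TwiceNatRule("intended", LOCAL_VLAN, MAPPED_VLAN, REMOTE_NET, REMOTE_NET)


def crypto_acl_matches(src: IPv4Address, dst: IPv4Address) -> bool:
    """Assumed crypto ACL: permit 10.147.135.0/24 -> 10.0.0.0/8 (post-NAT addresses)."""
    return src in MAPPED_VLAN and dst in REMOTE_NET


def trace(rule: TwiceNatRule, src: str, dst: str) -> Dict[str, object]:
    """Run one packet through a single rule and report what the tunnel would see."""
    nat_src, nat_dst, matched = apply_nat([rule], src, dst)
    return {"rule": matched, "src": str(nat_src), "dst": str(nat_dst),
            "encrypted": crypto_acl_matches(nat_src, nat_dst)}


if __name__ == "__main__":
    for rule in (POSTED_RULE, INTENDED_RULE):
        print(rule.name, "to remote  ", trace(rule, "10.40.10.5", "10.0.5.5"))
        print(rule.name, "to Internet", trace(rule, "10.40.10.5", "8.8.8.8"))
        for finding in lint_rule(rule):
            print("  lint:", finding)
```

With the posted rule, a packet from 10.40.10.5 to a remote host in 10.0.0.0/8 never matches (the destination clause is 10.147.135.0/24, not the remote network), so the source is left as 10.40.10.5 and the assumed crypto ACL does not select it for the tunnel. With the intended rule the same packet leaves as 10.147.135.5 -> 10.0.5.5 and matches the ACL, while Internet-bound traffic is untouched by the policy rule. The lint also points out that the posted line maps a /24 onto a /8.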

Probably not related to your problem, but the "NET-10.0.0.0 = Their subnet on their side (it's a large corporation). It is a /8 network."

That is often used internally also! Some private companies' router misconfigurations may end up going to the company that owns said block.

I always find it much easier to use the ASDM VPN wizard because you configure the local and distant end private ranges and then you check a box and it does the NAT rule for you.

I agree the ASDM is very good for most configuration. Cmdline is better for troubleshooting.

That's debatable when you're troubleshooting a VPN connection, but ok, I can see why some would prefer it. Definitely the debug command will be useful from the command line. 

Why can't you have one of the ends switch their IP range to something else? The 10.x subnet is huge; there has to be something that isn't in use that could be easily changed (esp. if it is a DHCP'd LAN or wireless network). It will make your life a million times easier, not to mention troubleshooting future issues will be much easier as well.

Looks like this CCIE's blog has exactly what you're trying to do, i.e. static NAT on one side before traversing the tunnel -

 

http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/

 

They probably have some crazy VLSM going on in the /8 so they can't change the addressing. OP might be able to, but not worth it just for one tunnel.

This topic is now closed to further replies.