Cisco Site to Site VPN - Same Subnet



We have an ASA 5510 and one of our VLANs is in use at the other end of a site to site VPN we have in place.

 
The other side is managed by another company and they have put in all the routing on their side so that we just have to "nat 10.40.10.0/24 to 10.147.135.0" for the VLAN to be able to traverse the tunnel.
 
 
I add network objects for all the subnets 
 
NET-10.40.10.0 = VLAN that is on our side, 10.40.10.0. This is the VLAN that can't access the VPN

NET-10.147.135.0 = What they want the 10.40.10.0 subnet to be translated to for the VPN tunnel

NET-10.0.0.0 = Their subnet on their side (it's a large corporation). It is a /8 network
 
I have added the NET-10.147.135.0 object to the ACL that allows our networks to talk to their VPN 
 
When I add the NAT rule it kills the Internet connection for that VLAN and I am not able to ping their network either 
 
nat (inside,outside) source static NET-10.40.10.0 NET-10.0.0.0
                      destination static NET-10.147.135.0  NET-10.147.135.0
 
I know I am missing something so simple but I have been hitting my head against the wall the past few days now on this.  
 

Probably not related to your problem but the NET-10.0.0.0 = Their subnet on their side (its a large corporation) It is a /8 network

 

That is often used internally also! Some router misconfigurations may end up going to the company that owns said block by private companies.

I always find it much easier to use the ASDM VPN wizard because you configure the local and distant end private ranges and then you check a box and it does the NAT rule for you.

I agree the ASDM is very good for most configuration. Cmdline is better for troubleshooting.

That's debatable when you're troubleshooting a VPN connection, but ok, I can see why some would prefer it. Definitely the debug command will be useful from the command line. 

Why can't you have one of the ends switch their IP range to something else? The 10.x subnet is huge, there has to be something that isn't in use that could be easily changed (esp. if it is a DHCP'd LAN or wireless network). It will make your life a million times easier, not to mention troubleshooting future issues will be much easier as well.

Looks like this CCIE's blog has exactly what you're trying to do, i.e. static NAT on one side before traversing the tunnel -

 

http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/
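The static-NAT-before-the-tunnel approach mentioned above, written out for the objects named in this thread as an added example (it is not part of any poster's reply and not taken from the linked blog). It assumes the ASA 8.3+ NAT syntax used in the question and a /24 mask for 10.147.135.0; the crypto ACL name VPN-TO-PARTNER and the host addresses 10.40.10.25 and 10.1.1.1 are placeholders.

```cisco
! Objects as described in the question.
object network NET-10.40.10.0
 subnet 10.40.10.0 255.255.255.0
! Assumption: /24, so the translation is one-to-one with the local VLAN.
object network NET-10.147.135.0
 subnet 10.147.135.0 255.255.255.0
object network NET-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
!
! Rule from the question: the translated source is the partner's /8 and the
! destination match is the 10.147.135.0 range, so traffic to the partner's
! 10.x hosts is never translated to 10.147.135.x.
! nat (inside,outside) source static NET-10.40.10.0 NET-10.0.0.0
!                      destination static NET-10.147.135.0 NET-10.147.135.0
!
! Rule matching the stated requirement "nat 10.40.10.0/24 to 10.147.135.0":
!   source      real 10.40.10.0/24 -> mapped 10.147.135.0/24
!   destination partner 10.0.0.0/8, left unchanged (identity)
! Only traffic to the partner is translated; Internet-bound traffic from the
! VLAN does not match the destination and keeps using the existing PAT rule.
nat (inside,outside) source static NET-10.40.10.0 NET-10.147.135.0 destination static NET-10.0.0.0 NET-10.0.0.0
!
! NAT is applied before the crypto map lookup, so the crypto ACL has to match
! the translated source. VPN-TO-PARTNER is a placeholder for the ACL that is
! already bound to the crypto map.
access-list VPN-TO-PARTNER extended permit ip object NET-10.147.135.0 object NET-10.0.0.0
!
! Checks from exec mode (host addresses are constructed samples):
!   packet-tracer input inside icmp 10.40.10.25 8 0 10.1.1.1 detailed
!     -> the NAT phase should show 10.40.10.25 translated to 10.147.135.25
!        and the VPN phase should show encrypt / ALLOW
!   show nat detail
!     -> translate_hits on the rule above should increase with test traffic
!   show crypto ipsec sa
!     -> local ident should be 10.147.135.0/255.255.255.0
```

Manual NAT rules are evaluated top-down with the first match winning, so this rule has to sit above any broader manual rule that would also match the VLAN's traffic.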

 

They probably have some crazy VLSM going on in the /8 so they can't change the addressing. OP might be able to, but not worth it just for one tunnel.
