setting up a VPN tunnel with overlapping private IP addresses on Cisco ASA

Discussion in 'Cisco' started by Mike Rahl, Jan 10, 2007.

  1. Mike Rahl

    Mike Rahl Guest

    Hi, everyone

    I was wondering if you guys could give me a hand with something. I
    have a client who needs to set up a secure VPN tunnel between his ASA
    5520 and a PIX 515 for another company in order to give 2 specific
    computers on each side access to each other.

    The problem is, on each side, the IP addresses are the exact same.
    Example: 1 computer on each side has the IP address, and
    the other computer on each side has, thus causing an

    I want to be able to set up a VPN tunnel on each side to give each
    machine access to the other. I cannot install a router behind either
    firewall (as the client doesn't have a spare).

    I had thought of NATting the client's private range addresses of and .2 to a single public address (which the client is able
    to supply me with), then establish a VPN tunnel on each side only
    publishing the public IP address through the tunnel. On each side,
    rules would be set up so that any queries to that specific public
    address would be directed to the appropriate private IP address. Each
    machine would only send queries to the public IP address. The only
    problem is, I'm not exactly sure how to configure it.

    Does anyone have an idea how to configure this?

    Thanks very much!
    Mike Rahl, Jan 10, 2007

  2. response3

    response3 Guest

    Do it exactly as you would using private IPs, but don't include a NAT
    0 statement, and use public IPs in your interesting traffic
    statements. Here's a sample of what you need (not sure about the ASA
    b/c it runs PIX OS 7.x):

    ! Interesting traffic is defined between the NAT'd (public) addresses
    ! on each side, never the overlapping private ones.
    access-list VPN_ACL permit ip host <local NAT'd IP> host <remote NAT'd IP>

    ! This static may or may not be needed. If not, then the workstation
    ! will use the NAT pool or PAT as defined, and the remote VPN box
    ! will need to know this pool in its interesting traffic ACL.
    ! One-to-one host static, hence the /32 netmask.

    static (inside,outside) <Desired NAT'd Public IP> <LAN IP> netmask 255.255.255.255 0 0

    ! PIX 6.x syntax; PIX/ASA 7.x spells this "sysopt connection permit-vpn".
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto map vpn_map 80 ipsec-isakmp
    crypto map vpn_map 80 match address VPN_ACL
    crypto map vpn_map 80 set peer <remote peer public IP>
    crypto map vpn_map 80 set transform-set ESP-3DES-SHA
    crypto map vpn_map interface outside

    isakmp enable outside

    ! Pre-shared key bound to the remote peer's public address.
    isakmp key <xxxxxxxxx> address <remote peer public IP> netmask 255.255.255.255 no-xauth

    ! 3DES, SHA-1 and DH group 2 were the norm in 2007; current platforms
    ! deprecate or reject them.
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400

    Hope that helps.

    response3, Jan 11, 2007
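The design in the reply above, both ends at once, as an added example that is not part of the thread and not either poster's configuration: each side hides its real (overlapping) LAN behind per-host statics, the crypto ACL names only those NAT'd addresses, and the two ACLs must be exact mirrors of each other or phase 2 never negotiates. All addresses are constructed (192.168.1.0/24 stands in for the overlapping LAN on both sides; RFC 5737 documentation ranges stand in for the public addresses), the site names and helper functions are this example's own, and the rendered commands use the same pre-8.3 PIX/ASA syntax as the reply.

```python
"""Plan and render both ends of a site-to-site IPsec tunnel between two LANs
that use the same private range (added example, not the thread's config)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Site:
    name: str
    peer: IPv4Address   # outside (IKE peer) address of this site's firewall
    lan: IPv4Network    # the real, overlapping LAN
    hosts: dict         # real LAN address -> public address it is presented as


def make_site(name: str, peer: str, lan: str, hosts: dict) -> Site:
    """Build a Site from dotted-quad strings."""
    return Site(name, IPv4Address(peer), IPv4Network(lan),
                {IPv4Address(r): IPv4Address(p) for r, p in hosts.items()})


def needs_nat(a: Site, b: Site) -> bool:
    """Overlapping LANs cannot be carried across the tunnel unchanged."""
    return a.lan.overlaps(b.lan)


def check_plan(a: Site, b: Site) -> list:
    """Return the reasons an address plan would not work (empty list = OK)."""
    problems = []
    for site, other in ((a, b), (b, a)):
        for real, pub in site.hosts.items():
            if real not in site.lan:
                problems.append(f"{site.name}: {real} is not inside {site.lan}")
            # A NAT'd address inside either real LAN gets routed locally, never into the tunnel.
            if pub in site.lan or pub in other.lan:
                problems.append(f"{site.name}: NAT address {pub} overlaps a real LAN")
    pubs = [p for s in (a, b) for p in s.hosts.values()]
    if len(set(pubs)) != len(pubs):
        problems.append("a NAT address is used on both sides")
    return problems


def statics(site: Site) -> list:
    """One-to-one NAT per host; /32 mask because each static covers a single host."""
    return [f"static (inside,outside) {pub} {real} netmask 255.255.255.255 0 0"
            for real, pub in site.hosts.items()]


def crypto_acl(site: Site, other: Site, name: str = "VPN_ACL") -> list:
    """Interesting traffic in NAT'd addresses only; the real LANs never appear."""
    return [f"access-list {name} permit ip host {lp} host {rp}"
            for lp in site.hosts.values() for rp in other.hosts.values()]


def mirrored(acl_a: list, acl_b: list) -> bool:
    """Each side's crypto ACL must be the other's with source and destination
    swapped; mismatched proxy IDs make IKE phase 2 fail."""
    def pairs(acl):
        # "access-list NAME permit ip host SRC host DST" -> (SRC, DST)
        return {(line.split()[5], line.split()[7]) for line in acl}
    return pairs(acl_a) == {(dst, src) for src, dst in pairs(acl_b)}


def render(site: Site, other: Site, psk: str = "<pre-shared key>") -> str:
    """Render one side's NAT and IPsec configuration (pre-8.3 PIX/ASA syntax)."""
    lines = [f"! {site.name}"] + statics(site) + crypto_acl(site, other) + [
        "sysopt connection permit-ipsec",
        "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac",
        "crypto map vpn_map 80 ipsec-isakmp",
        "crypto map vpn_map 80 match address VPN_ACL",
        f"crypto map vpn_map 80 set peer {other.peer}",
        "crypto map vpn_map 80 set transform-set ESP-3DES-SHA",
        "crypto map vpn_map interface outside",
        "isakmp enable outside",
        f"isakmp key {psk} address {other.peer} netmask 255.255.255.255 no-xauth",
        "isakmp policy 40 authentication pre-share",
        "isakmp policy 40 encryption 3des",
        "isakmp policy 40 hash sha",
        "isakmp policy 40 group 2",
        "isakmp policy 40 lifetime 86400",
    ]
    return "\n".join(lines)


# Constructed sample: both LANs are 192.168.1.0/24 with the same two hosts.
CLIENT = make_site("client-asa", "203.0.113.1", "192.168.1.0/24",
                   {"192.168.1.1": "203.0.113.10", "192.168.1.2": "203.0.113.11"})
PARTNER = make_site("partner-pix", "198.51.100.1", "192.168.1.0/24",
                    {"192.168.1.1": "198.51.100.10", "192.168.1.2": "198.51.100.11"})

if __name__ == "__main__":
    assert needs_nat(CLIENT, PARTNER) and not check_plan(CLIENT, PARTNER)
    assert mirrored(crypto_acl(CLIENT, PARTNER), crypto_acl(PARTNER, CLIENT))
    print(render(CLIENT, PARTNER), render(PARTNER, CLIENT), sep="\n\n")
```

Run it and paste each rendered block into the matching firewall; the check_plan and mirrored calls catch the two mistakes that silently break this design, a NAT'd address that falls inside one of the real LANs and a crypto ACL that is not the exact reverse of the peer's.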
