setting up a VPN tunnel with overlapping private IP addresses on Cisco ASA

Discussion in 'Cisco' started by Mike Rahl, Jan 10, 2007.

  1. Mike Rahl

    Mike Rahl Guest

    Hi, everyone

    I was wondering if you guys could give me a hand with something. I
    have a client who needs to set up a secure VPN tunnel between his ASA
    5520 and a PIX 515 for another company in order to give 2 specific
    computers on each side access to each other.

    The problem is, on each side, the IP addresses are the exact same.
    Example: 1 computer on each side has the IP address 10.10.10.1/16, and
    the other computer on each side has 10.10.10.2/16, thus causing an
    overlap.

    I want to be able to set up a VPN tunnel on each side to give each
    machine access to the other. I cannot install a router behind either
    firewall (as the client doesn't have a spare).

    I had thought of NATting the client's private range addresses of
    10.10.10.1 and .2 to a single public address (which the client is able
    to supply me with), then establish a VPN tunnel on each side only
    publishing the public IP address through the tunnel. On each side,
    rules would be set up so that any queries to that specific public
    address would be directed to the appropriate private IP address. Each
    machine would only send queries to the public IP address. The only
    problem is, I'm not exactly sure how to configure it.

    Does anyone have an idea how to configure this?

    Thanks very much!
     
    Mike Rahl, Jan 10, 2007
    #1

  2. response3

    response3 Guest

    Do it exactly as you would using private IPs, but don't include a NAT
    0 statement, and use public IPs in your interesting traffic
    statements. Here's a sample of what you need (not sure about the ASA
    b/c it runs PIX OS 7.x):


    ! Crypto (interesting traffic) ACL: matches on the translated addresses,
    ! since NAT is applied before the crypto map is consulted.
    access-list VPN_ACL permit ip host <local NAT'd IP> host <remote NAT'd IP>

    ! This static may or may not be needed. If not, then the workstation
    ! will use the NAT pool or PAT as defined, and the remote VPN box
    ! will need to know this pool in its interesting traffic ACL.

    static (inside,outside) <Desired NAT'd Public IP> <LAN IP> netmask 255.255.255.255 0 0

    ! Let decrypted tunnel traffic bypass the outside interface ACL.
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto map vpn_map 80 ipsec-isakmp
    crypto map vpn_map 80 match address VPN_ACL
    crypto map vpn_map 80 set peer 1.1.1.1
    crypto map vpn_map 80 set transform-set ESP-3DES-SHA
    crypto map vpn_map interface outside

    isakmp enable outside

    ! Phase 1 pre-shared key for the peer (1.1.1.1 is the remote outside address).
    isakmp key <xxxxxxxxx> address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400

    Hope that helps.

    -Brian
     
    response3, Jan 11, 2007
    #2
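A fuller worked configuration for both ends of the design discussed in the two posts above, added here as an example; it is not from the original thread or from either poster. It assumes the ASA 5520 runs ASA 7.2 to 8.2 syntax (8.3 and later changed the NAT commands), the PIX 515 runs PIX OS 6.3 (policy NAT and AES need 6.3), the documentation ranges 198.51.100.0/24 (site A, the ASA) and 203.0.113.0/24 (site B, the PIX) stand in for each side's real public space, and each side can spare one public address per host. It goes beyond Brian's sketch in two ways: the statics are policy NATs, so each host is translated only when it talks to the peer's translated hosts and keeps its normal PAT for everything else, and decrypted traffic is confined by an outside interface ACL instead of the sysopt bypass, so the tunnel carries only the two host pairs.

```cisco
! ================= Site A: ASA 5520 (ASA 7.2-8.2 syntax; assumed) =================
! Placeholder addresses (assumption): outside 198.51.100.1, hosts translated to .11/.12.
object-group network A_XLATED
 network-object host 198.51.100.11
 network-object host 198.51.100.12
object-group network B_XLATED
 network-object host 203.0.113.11
 network-object host 203.0.113.12

! Policy NAT: 10.10.10.1/.2 become 198.51.100.11/.12 ONLY toward site B's translated
! hosts. Policy statics win over the ordinary nat/global PAT, so no nat 0 is needed
! and Internet traffic from these hosts is unaffected.
access-list NAT_HOST1_TO_B extended permit ip host 10.10.10.1 object-group B_XLATED
access-list NAT_HOST2_TO_B extended permit ip host 10.10.10.2 object-group B_XLATED
static (inside,outside) 198.51.100.11 access-list NAT_HOST1_TO_B
static (inside,outside) 198.51.100.12 access-list NAT_HOST2_TO_B

! Crypto ACL uses post-NAT addresses: NAT runs before the crypto map match.
! Site B's crypto ACL must be the exact mirror image of this one.
access-list VPN_TO_B extended permit ip object-group A_XLATED object-group B_XLATED

! Least privilege for decrypted traffic: ASA enables the sysopt bypass by default,
! so turn it off and permit only the two host pairs (merge with any existing outside ACL;
! narrow "ip" to the ports the application actually uses).
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip object-group B_XLATED object-group A_XLATED
access-group OUTSIDE_IN in interface outside

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 match address VPN_TO_B
crypto map VPN_MAP 10 set peer 203.0.113.1
crypto map VPN_MAP 10 set transform-set ESP-AES256-SHA
crypto map VPN_MAP 10 set pfs group2
crypto map VPN_MAP interface outside

! ASA 7.0/7.1 use the flat "isakmp policy 10 ..." form shown for the PIX below.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <long-random-psk>

! ================= Site B: PIX 515, PIX OS 6.3 syntax (assumed) =================
! Placeholder addresses (assumption): outside 203.0.113.1, hosts translated to .11/.12.
object-group network A_XLATED
 network-object host 198.51.100.11
 network-object host 198.51.100.12
object-group network B_XLATED
 network-object host 203.0.113.11
 network-object host 203.0.113.12

! Mirror of site A: 10.10.10.1/.2 become 203.0.113.11/.12 only toward site A's hosts.
access-list NAT_HOST1_TO_A permit ip host 10.10.10.1 object-group A_XLATED
access-list NAT_HOST2_TO_A permit ip host 10.10.10.2 object-group A_XLATED
static (inside,outside) 203.0.113.11 access-list NAT_HOST1_TO_A
static (inside,outside) 203.0.113.12 access-list NAT_HOST2_TO_A

access-list VPN_TO_A permit ip object-group B_XLATED object-group A_XLATED

! PIX 6.x keeps the bypass off by default; the outside ACL still has to admit the tunnel.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit ip object-group A_XLATED object-group B_XLATED
access-group OUTSIDE_IN in interface outside

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 ipsec-isakmp
crypto map VPN_MAP 10 match address VPN_TO_A
crypto map VPN_MAP 10 set peer 198.51.100.1
crypto map VPN_MAP 10 set transform-set ESP-AES256-SHA
crypto map VPN_MAP 10 set pfs group2
crypto map VPN_MAP interface outside

isakmp enable outside
isakmp key <long-random-psk> address 198.51.100.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

With this in place the hosts never see the overlap: site A's 10.10.10.1 reaches site B's 10.10.10.1 by connecting to 203.0.113.11, and the reply from B is source-translated to 203.0.113.11 before it hits B's crypto ACL, so both proxy identities agree during the Phase 2 negotiation. Two things to check before going live: the policy NAT ACLs, crypto ACLs and outside ACLs on the two boxes must be exact mirrors (a mismatch shows up as a proxy identity failure in `debug crypto ipsec`), and the hosts must address each other by the translated names or IPs, so add hosts-file or DNS entries for 198.51.100.11/.12 and 203.0.113.11/.12 rather than the shared 10.10.10.x addresses.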
