Solved

Connect two subnets with same IP range over VPN through third subnet

Posted on 2013-02-04
992 Views
Last Modified: 2013-02-19
We recently added a new location and connected the two sites together using a site-to-site VPN between two ASA 5510s. We'll call my site site A, and the new site site B. Site B has an existing connection to another company, site C, where their ERP is located. The challenge is that sites A and C have the same IP subnet, and people at A wish to access the ERP at C.

I'd like to set this up so that they can run the terminal client directly on their PCs, rather than going through a remote desktop server hosted at B, which is the backup plan.

There is no direct connection between A and C; changing A's IP subnet is not practical at this time; and given that C is another company, we have no influence over their IP addressing.

I am currently using static routing for 192.168.1.18 and a few other addresses from B to C; everything else in the overlapping IP subnet is being routed to A. Clients at B can access the ERP (on port 23) at C.

Site A:
192.168.1.0/24

Site B:
192.168.20.0/24

Site C:
192.168.1.0/24

The tunnel between A and B also carries 10.3.5.0/24. I want to set it up so that when any number of clients in A try to access 10.3.5.18, that traffic is sent over the tunnel to B. At site B, the incoming traffic for 10.3.5.18 has its source address translated to 192.168.20.18 and its destination translated to 192.168.1.18.

Here are the object and NAT configs from the ASAs. I'm looking for some guidance; I have tried a few things so far, and this is the latest config.

Site A, version 8.4(1)11
object network obj-192.168.1.0-cerp
 subnet 192.168.1.0 255.255.255.0
object network obj-berp
 host 10.3.5.18
nat (inside,outside) source static obj-192.168.1.0-cerp obj-192.168.1.0-cerp destination static obj-berp obj-berp

Site B, version 8.4(4)1
object network obj-cerp
 host 192.168.1.18
object network obj-berp
 host 192.168.20.18
object network obj-aerp
 host 10.3.5.18
nat (inside,outside) source static obj-aerp obj-berp destination static obj-cerp obj-cerp
Question by:bfg01
4 Comments
 
LVL 10

Accepted Solution

by:
mat1458 earned 750 total points
ID: 38853826
I'd do it with source and destination NAT on your side. Talk to the partner company, find a 192.168.x.0/24 network they don't use, and NAT all your source IP addresses from site A into this network. For the destination ERP, take another 192.168.x.x (like you do the NAT with 10.3.5.18 and 192.168.20.18) and let people use this IP address for the ERP system. Preferably you enter this address into DNS and let people use the name of the system. That adds flexibility for future changes.
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 750 total points
ID: 38854549
Just to add to mat1458's answer:

The crypto map has to cover the NATted address/subnet rather than the original address.
The crypto maps on both of the ASAs and the ERP supplier's firewall will all have to be adjusted.
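To make the two answers above concrete, here is an added example (not code from this thread or from Cisco) that models how an ASA 8.4-style twice-NAT rule rewrites one ERP connection from site A and then checks whether the rewritten packet matches a crypto map's interesting-traffic ACL. It follows mat1458's design: site A's real subnet is statically mapped into 192.168.50.0/24 (an assumed block that site C does not use) and the ERP alias 10.3.5.18 from the question is mapped to the real ERP host 192.168.1.18. The client address 192.168.1.77, the function names and the ACL entries are all constructed for the example. The important behaviour it shows is the one ArneLovius points out: NAT happens before the crypto map is consulted, so an ACL written against the original addresses never matches the post-NAT packet.

```python
# Added example: model of ASA twice NAT + crypto-ACL matching for the
# overlapping-subnet design discussed in the thread. Not code from the thread.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


def _shift(addr: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """Static one-to-one mapping: keep the host bits, swap the network part."""
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("static NAT needs equal-sized real and mapped networks")
    return mapped.network_address + (int(addr) - int(real.network_address))


@dataclass(frozen=True)
class TwiceNat:
    """Models: nat (real_if,mapped_if) source static SRC_REAL SRC_MAPPED
                                       destination static DST_MAPPED DST_REAL"""
    src_real: IPv4Network
    src_mapped: IPv4Network
    dst_mapped: IPv4Network   # what the inside host sends to (the alias)
    dst_real: IPv4Network     # what is actually on the wire after translation

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the real interface towards the mapped interface."""
        if pkt.src in self.src_real and pkt.dst in self.dst_mapped:
            return Packet(_shift(pkt.src, self.src_real, self.src_mapped),
                          _shift(pkt.dst, self.dst_mapped, self.dst_real))
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return traffic arriving on the mapped interface: undo both rewrites."""
        if pkt.src in self.dst_real and pkt.dst in self.src_mapped:
            return Packet(_shift(pkt.src, self.dst_real, self.dst_mapped),
                          _shift(pkt.dst, self.src_mapped, self.src_real))
        return None


def translate(rules: List[TwiceNat], pkt: Packet, direction: str) -> Packet:
    """First matching rule wins (like ASA section-1 manual NAT); no match, no change."""
    for rule in rules:
        out = getattr(rule, direction)(pkt)
        if out is not None:
            return out
    return pkt


def matches_crypto_acl(pkt: Packet, acl: List[Tuple[IPv4Network, IPv4Network]]) -> bool:
    """acl: permit entries as (src_net, dst_net), evaluated on the post-NAT packet."""
    return any(pkt.src in s and pkt.dst in d for s, d in acl)


def walk_erp_session(client_ip: str = "192.168.1.77") -> dict:
    """Follow one client at site A reaching the ERP alias 10.3.5.18 (constructed scenario)."""
    net = ip_network
    # Site A ASA: one twice-NAT rule in the spirit of mat1458's suggestion.
    # 192.168.50.0/24 is an ASSUMED block that site C does not use.
    site_a_nat = [TwiceNat(net("192.168.1.0/24"), net("192.168.50.0/24"),
                           net("10.3.5.18/32"), net("192.168.1.18/32"))]
    # A<->B crypto ACL written against the translated addresses (correct).
    acl_a_to_b = [(net("192.168.50.0/24"), net("192.168.1.18/32"))]
    # The same ACL written against the original addresses (what NOT to do).
    acl_original_addrs = [(net("192.168.1.0/24"), net("10.3.5.18/32"))]
    # B<->C crypto ACL: site B and the ERP supplier must both carry this entry.
    acl_b_to_c = [(net("192.168.50.0/24"), net("192.168.1.18/32"))]

    original = Packet(ip_address(client_ip), ip_address("10.3.5.18"))
    on_wire = translate(site_a_nat, original, "outbound")
    reply_from_c = Packet(on_wire.dst, on_wire.src)          # ERP answers the mapped address
    delivered = translate(site_a_nat, reply_from_c, "inbound")
    return {
        "original": str(original),
        "after_site_a_nat": str(on_wire),
        "a_to_b_tunnel_matches": matches_crypto_acl(on_wire, acl_a_to_b),
        "original_address_acl_matches": matches_crypto_acl(on_wire, acl_original_addrs),
        "b_to_c_tunnel_matches": matches_crypto_acl(on_wire, acl_b_to_c),
        "reply_delivered_to": str(delivered),
    }


if __name__ == "__main__":
    for key, value in walk_erp_session().items():
        print(f"{key:32s} {value}")
```

The `acl_b_to_c` entry is the piece the ERP supplier would have to mirror on its own firewall (a crypto ACL and a return route for 192.168.50.0/24 via site B), which is exactly the change the thread says site C declined. Without it, traffic from the mapped subnet still reaches C but the replies have nowhere to go.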
 

Author Closing Comment

by:bfg01
ID: 38906651
Thank you for the input, mat1458 and ArneLovius. The suggestions are good ones. Unfortunately the ERP supplier is unwilling to make changes at this time, and after many hours we've been unable to get this to work the way we had hoped.

We've worked around it by setting up a remote desktop server at site B for now.
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38906831
You could do it with two layers of NAT, it would be messy, but not impossible...
