Connect two subnets with same IP range over VPN through third subnet
We recently added a new location and connected to the two sites together using a site to site VPN between two ASA 5510s. We'll call my site, site A, and the new site, site B. Site B has an existing connection to another company, site C, where their ERP is located. The challenge is that Sites A and C have the same IP subnet, and people at A wish to access the ERP at C.
I'd like to set this up so that they can run the terminal client directly on their PCs, rather than going through a remote desktop server hosted at B, which is the backup plan.
There is no direct connection between A and C; changing A's IP subnet is not practical at this time; and given that C is another company, we have no influence over their IP addressing.
I am currently using static routing for 192.168.1.18 and a few other addresses from B to C, everything else in the overlapped IP subnet is being routed to A. Clients at B can access the ERP (at port 23) at C.
Site A:
192.168.1.0/24
Site B:
192.168.20.0/24
Site c:
192.168.1.0/24
The tunnel between A and B also carries 10.3.5.0/24. I want to set it up so that when any number of clients in A try to access 10.3.5.18, we have that traffic sent over the tunnel to B. At site B, the incoming traffic for 10.3.5.18 has source address translated to 192.168.20.18 and destination translated to 192.168.1.18.
Here are the object and NAT configs from the ASAs. Looking for some guidance, have tried a few things so far, this is the latest config.
Site A, version 8.4(1)11
object network obj-192.168.1.0-cerp
subnet 192.168.1.0 255.255.255.0
object network obj-berp
host 10.3.5.18
nat (inside,outside) source static obj-192.168.1.0-cerp obj-192.168.1.0-cerp destination static obj-berp obj-berp
Site B, version 8.4(4)1
object network obj-cerp
host 192.168.1.18
object network obj-berp
host 192.168.20.18
object network obj-aerp
host 10.3.5.18
nat (inside,outside) source static obj-aerp obj-berp destination static obj-cerp obj-cerp
I'd like to set this up so that they can run the terminal client directly on their PCs, rather than going through a remote desktop server hosted at B, which is the backup plan.
There is no direct connection between A and C; changing A's IP subnet is not practical at this time; and given that C is another company, we have no influence over their IP addressing.
I am currently using static routing for 192.168.1.18 and a few other addresses from B to C, everything else in the overlapped IP subnet is being routed to A. Clients at B can access the ERP (at port 23) at C.
Site A:
192.168.1.0/24
Site B:
192.168.20.0/24
Site c:
192.168.1.0/24
The tunnel between A and B also carries 10.3.5.0/24. I want to set it up so that when any number of clients in A try to access 10.3.5.18, we have that traffic sent over the tunnel to B. At site B, the incoming traffic for 10.3.5.18 has source address translated to 192.168.20.18 and destination translated to 192.168.1.18.
Here are the object and NAT configs from the ASAs. Looking for some guidance, have tried a few things so far, this is the latest config.
Site A, version 8.4(1)11
object network obj-192.168.1.0-cerp
subnet 192.168.1.0 255.255.255.0
object network obj-berp
host 10.3.5.18
nat (inside,outside) source static obj-192.168.1.0-cerp obj-192.168.1.0-cerp destination static obj-berp obj-berp
Site B, version 8.4(4)1
object network obj-cerp
host 192.168.1.18
object network obj-berp
host 192.168.20.18
object network obj-aerp
host 10.3.5.18
nat (inside,outside) source static obj-aerp obj-berp destination static obj-cerp obj-cerp
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You could do it with two layers of NAT, it would be messy, but not impossible...
ASKER
We've worked around it by setting up a remote desktop server at site B for now.