Solved

Connect two subnets with same IP range over VPN through third subnet

Posted on 2013-02-04 | 991 Views | Last Modified: 2013-02-19
We recently added a new location and connected the two sites together using a site-to-site VPN between two ASA 5510s. We'll call my site site A and the new site site B. Site B has an existing connection to another company, site C, where their ERP is located. The challenge is that sites A and C have the same IP subnet, and people at A wish to access the ERP at C.

I'd like to set this up so that they can run the terminal client directly on their PCs, rather than going through a remote desktop server hosted at B, which is the backup plan.

There is no direct connection between A and C; changing A's IP subnet is not practical at this time; and given that C is another company, we have no influence over their IP addressing.

I am currently using static routing for 192.168.1.18 and a few other addresses from B to C; everything else in the overlapping IP subnet is being routed to A. Clients at B can access the ERP (on port 23) at C.

Site A:
192.168.1.0/24

Site B:
192.168.20.0/24

Site C:
192.168.1.0/24

The tunnel between A and B also carries 10.3.5.0/24. I want to set it up so that when any client in A tries to access 10.3.5.18, that traffic is sent over the tunnel to B. At site B, the incoming traffic for 10.3.5.18 has its source address translated to 192.168.20.18 and its destination translated to 192.168.1.18.

Here are the object and NAT configs from the ASAs. I'm looking for some guidance; I have tried a few things so far, and this is the latest config.

Site A, version 8.4(1)11
object network obj-192.168.1.0-cerp
 subnet 192.168.1.0 255.255.255.0
object network obj-berp
 host 10.3.5.18
nat (inside,outside) source static obj-192.168.1.0-cerp obj-192.168.1.0-cerp destination static obj-berp obj-berp

Site B, version 8.4(4)1
object network obj-cerp
 host 192.168.1.18
object network obj-berp
 host 192.168.20.18
object network obj-aerp
 host 10.3.5.18
nat (inside,outside) source static obj-aerp obj-berp destination static obj-cerp obj-cerp
0
Question by: bfg01
4 Comments
 
LVL 10

Accepted Solution

by:
mat1458 earned 250 total points
ID: 38853826
I'd do it with source and destination NAT on your side. Talk to the partner company, find a 192.168.x.0/24 network they don't use, and NAT all your source IP addresses from site A into this network. For the destination ERP, take another 192.168.x.x (like you do the NAT with 10.3.5.18 and 192.168.20.18) and let people use this IP address for the ERP system. Preferably, enter this address into DNS and let people use the name of the system; that adds flexibility for future changes.
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 38854549
Just to add to mat1458's answer:

The crypto map has to cover the NATted address/subnet rather than the original address.
The crypto maps on both of the ASAs and on the ERP supplier's firewall will all have to be adjusted.
0
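One way to lay out the translation mat1458 describes, together with the crypto map change ArneLovius adds, as an added example that is not part of the original thread or of either expert's post. It assumes that 192.168.77.0/24 is a subnet the partner at site C does not use (the mapped source range for site A's users), that 192.168.78.18 is the alias users at A will dial for the ERP, that the A-to-B tunnel is crypto map `outside_map` sequence 10 with its ACL named `outside_cryptomap_10` on both ASAs, that site B reaches site C through an interface named `partner`, and that 203.0.113.1 is B's outside next hop. All of those names and addresses are placeholders, as is the choice to do both translations on site A's ASA rather than at B.

```cisco
! ---- Site A ASA (8.4) ----
! Assumed values: 192.168.77.0/24 is unused at C, 192.168.78.18 is the
! alias site A users will use for the ERP that really lives at 192.168.1.18.
object network obj-siteA-real
 subnet 192.168.1.0 255.255.255.0
object network obj-siteA-mapped
 subnet 192.168.77.0 255.255.255.0
object network obj-cerp-alias
 host 192.168.78.18
object network obj-cerp-real
 host 192.168.1.18
!
! Twice NAT: inside hosts talking to the alias get their source moved into
! the non-overlapping range and the destination rewritten to the real ERP.
! The rule is bidirectional, so replies from 192.168.1.18 to 192.168.77.x
! are untranslated back to 192.168.78.18 -> 192.168.1.x on the way in.
nat (inside,outside) source static obj-siteA-real obj-siteA-mapped destination static obj-cerp-alias obj-cerp-real
!
! The crypto ACL must match the post-NAT addresses, not 192.168.1.0/24.
! (ACL and crypto map names are assumed; add to whatever the tunnel uses.)
access-list outside_cryptomap_10 extended permit ip 192.168.77.0 255.255.255.0 host 192.168.1.18
crypto map outside_map 10 match address outside_cryptomap_10
!
! ---- Site B ASA (8.4) ----
! Mirror entry for the same tunnel.
access-list outside_cryptomap_10 extended permit ip host 192.168.1.18 192.168.77.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10
!
! Replies from C for the mapped range must go back into the A-B tunnel;
! 203.0.113.1 stands in for B's outside gateway. 192.168.1.18 itself is
! already routed toward C by the existing static route.
route outside 192.168.77.0 255.255.255.0 203.0.113.1
!
! If B applies NAT between the tunnel side and the link to C, exempt this
! flow with an identity twice-NAT rule ("partner" is the assumed interface
! name for the connection to C).
object network obj-siteA-mapped
 subnet 192.168.77.0 255.255.255.0
object network obj-cerp-real
 host 192.168.1.18
nat (outside,partner) source static obj-siteA-mapped obj-siteA-mapped destination static obj-cerp-real obj-cerp-real
```

Two checks before trusting this. First, the real destination 192.168.1.18 falls inside site A's own inside subnet, so the A-side rule relies on the twice-NAT interface pair (inside,outside) selecting the egress interface rather than a route lookup; confirm the chosen path and translation with `packet-tracer input inside tcp 192.168.1.50 1025 192.168.78.18 23` on the site A ASA and read the NAT and VPN phases of the output. Second, as the closing comment in this thread shows, the ERP supplier's firewall and crypto configuration must also accept 192.168.77.0/24 as a peer network; without that change on the C side, traffic arrives at C and is dropped there no matter how the two ASAs are configured.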
 

Author Closing Comment

by:bfg01
ID: 38906651
Thank you for the input, mat1458 and ArneLovius. The suggestions are good ones. Unfortunately the ERP supplier is unwilling to make changes at this time, and after many hours we've been unable to get this to work the way we had hoped.

We've worked around it by setting up a remote desktop server at site B for now.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38906831
You could do it with two layers of NAT; it would be messy, but not impossible...
0
