Solved

Connect two subnets with same IP range over VPN through third subnet

Posted on 2013-02-04
Last Modified: 2013-02-19
We recently added a new location and connected the two sites together using a site-to-site VPN between two ASA 5510s. We'll call my site "site A" and the new site "site B". Site B has an existing connection to another company, site C, where their ERP is located. The challenge is that sites A and C have the same IP subnet, and people at A wish to access the ERP at C.

I'd like to set this up so that they can run the terminal client directly on their PCs, rather than going through a remote desktop server hosted at B, which is the backup plan.

There is no direct connection between A and C; changing A's IP subnet is not practical at this time; and given that C is another company, we have no influence over their IP addressing.

I am currently using static routing for 192.168.1.18 and a few other addresses from B to C; everything else in the overlapping IP subnet is being routed to A. Clients at B can access the ERP (on port 23) at C.

Site A:
192.168.1.0/24

Site B:
192.168.20.0/24

Site C:
192.168.1.0/24

The tunnel between A and B also carries 10.3.5.0/24. I want to set it up so that when any number of clients in A try to access 10.3.5.18, we have that traffic sent over the tunnel to B. At site B, the incoming traffic for 10.3.5.18 has its source address translated to 192.168.20.18 and its destination translated to 192.168.1.18.

Here are the object and NAT configs from the ASAs. I'm looking for some guidance; I have tried a few things so far, and this is the latest config.

Site A, version 8.4(1)11
object network obj-192.168.1.0-cerp
 subnet 192.168.1.0 255.255.255.0
object network obj-berp
 host 10.3.5.18
! Identity (NAT-exempt) rule: 192.168.1.0/24 is sent untranslated when the
! destination is 10.3.5.18, so that traffic can match the A-B crypto map.
nat (inside,outside) source static obj-192.168.1.0-cerp obj-192.168.1.0-cerp destination static obj-berp obj-berp

Site B, version 8.4(4)1
object network obj-cerp
 host 192.168.1.18
object network obj-berp
 host 192.168.20.18
object network obj-aerp
 host 10.3.5.18
! As written, this rule translates source 10.3.5.18 to 192.168.20.18 and leaves
! destination 192.168.1.18 untranslated, for traffic entering on inside.
nat (inside,outside) source static obj-aerp obj-berp destination static obj-cerp obj-cerp
Question by:bfg01

Accepted Solution by: mat1458 (earned 250 total points)
ID: 38853826
I'd do it with source and destination NAT on your side. Talk to the partner company, find a 192.168.x.0/24 network they don't use, and NAT all your source IP addresses from site A into this network. And for the destination ERP, take another 192.168.x.x (like you do the NAT with 10.3.5.18 and 192.168.20.18) and let people use this IP address for the ERP system. Preferably, you enter this address into DNS and let people use the name of the system. That adds flexibility for future changes.

Assisted Solution by: ArneLovius (earned 250 total points)
ID: 38854549
just to add to mat1458's answer,

The crypto map has to cover the NATted address/subnet rather than the original address.
The crypto maps on both of the ASAs and on the ERP supplier's firewall will all have to be adjusted.
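
The accepted and assisted answers together describe one procedure on the site A ASA: translate every site A source address into a 192.168.x.0/24 that the partner at site C does not use, translate a spare 192.168.x.x "front door" address into the real ERP host, and then write the crypto ACL against the translated addresses, because ASA 8.3 and later apply NAT before matching outbound traffic to the crypto map. The configuration below is an added example of that procedure for the site A ASA; it is not configuration from the original post. The mapped subnet 192.168.50.0/24, the mapped ERP address 192.168.60.18, the object names, and the crypto ACL name VPN-TO-SITEB are assumptions for illustration.

```cisco
! Added example for the site A ASA (8.4). Addresses and names are assumptions:
! 192.168.50.0/24 is a subnet the partner at site C does not use, and
! 192.168.60.18 is the address site A users (and site A DNS) will use for the ERP.
object network SITEA-REAL
 subnet 192.168.1.0 255.255.255.0
object network SITEA-MAPPED
 subnet 192.168.50.0 255.255.255.0
object network ERP-REAL
 host 192.168.1.18
object network ERP-MAPPED
 host 192.168.60.18
!
! Twice NAT: a site A client 192.168.1.x talking to 192.168.60.18 leaves the ASA
! as 192.168.50.x talking to 192.168.1.18. Destination objects are listed
! mapped-then-real. The sequence number 1 puts the rule ahead of the existing
! identity rules so the more specific translation wins.
nat (inside,outside) 1 source static SITEA-REAL SITEA-MAPPED destination static ERP-MAPPED ERP-REAL
!
! The crypto ACL for the A-B tunnel must match the post-NAT addresses, so this
! entry is added to the existing ACL (name assumed) next to the entries that
! already carry 192.168.1.0/24 to 192.168.20.0/24 and 10.3.5.0/24.
access-list VPN-TO-SITEB extended permit ip 192.168.50.0 255.255.255.0 host 192.168.1.18
!
! Checks: the trace should show a NAT phase rewriting the flow to
! 192.168.50.10 -> 192.168.1.18 followed by a VPN encrypt phase, and the
! IPsec SA toward site B should list 192.168.50.0/24 -> 192.168.1.18 as a
! protected subnet pair once the peers have renegotiated.
packet-tracer input inside tcp 192.168.1.10 1025 192.168.60.18 23
show nat detail
show crypto ipsec sa
```

For the traffic to complete the path, site B's ACL for the A tunnel needs the mirror entry (host 192.168.1.18 to 192.168.50.0/24), its ACL for the C tunnel needs 192.168.50.0/24 to host 192.168.1.18 alongside the existing static route for 192.168.1.18 toward C, and the ERP supplier's firewall needs the reverse entry, which is the change the supplier later declined. If site B receives the tunnel traffic on the same interface it forwards it out of, the ASA also needs `same-security-traffic permit intra-interface`. Publishing the ERP name as 192.168.60.18 in site A's DNS, as the accepted answer suggests, keeps the mapped address out of user configuration.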

Author Closing Comment by: bfg01
ID: 38906651
Thank you for the input, mat1458 and ArneLovius. The suggestions are good ones. Unfortunately the ERP supplier is unwilling to make changes at this time, and after many hours we've been unable to get this to work the way we had hoped.

We've worked around it by setting up a remote desktop server at site B for now.
Expert Comment by: ArneLovius
ID: 38906831
You could do it with two layers of NAT, it would be messy, but not impossible...