Solved

Connect two subnets with same IP range over VPN through third subnet

Posted on 2013-02-04
Last Modified: 2013-02-19
We recently added a new location and connected the two sites together using a site-to-site VPN between two ASA 5510s. We'll call my site site A, and the new site site B. Site B has an existing connection to another company, site C, where their ERP is located. The challenge is that sites A and C have the same IP subnet, and people at A wish to access the ERP at C.

I'd like to set this up so that they can run the terminal client directly on their PCs, rather than going through a remote desktop server hosted at B, which is the backup plan.

There is no direct connection between A and C; changing A's IP subnet is not practical at this time; and given that C is another company, we have no influence over their IP addressing.

I am currently using static routing from B to C for 192.168.1.18 and a few other addresses; everything else in the overlapping IP subnet is routed to A. Clients at B can access the ERP (on port 23) at C.

Site A:
192.168.1.0/24

Site B:
192.168.20.0/24

Site C:
192.168.1.0/24

The tunnel between A and B also carries 10.3.5.0/24. I want to set it up so that when any number of clients in A try to access 10.3.5.18, we have that traffic sent over the tunnel to B. At site B, the incoming traffic for 10.3.5.18 has its source address translated to 192.168.20.18 and its destination translated to 192.168.1.18.

Here are the object and NAT configs from the ASAs. I'm looking for some guidance; I have tried a few things so far, and this is the latest config.

Site A, version 8.4(1)11
object network obj-192.168.1.0-cerp
 subnet 192.168.1.0 255.255.255.0
object network obj-berp
 host 10.3.5.18
nat (inside,outside) source static obj-192.168.1.0-cerp obj-192.168.1.0-cerp destination static obj-berp obj-berp

Site B, version 8.4(4)1
object network obj-cerp
 host 192.168.1.18
object network obj-berp
 host 192.168.20.18
object network obj-aerp
 host 10.3.5.18
nat (inside,outside) source static obj-aerp obj-berp destination static obj-cerp obj-cerp
Question by: bfg01

Accepted Solution

by:
mat1458 earned 250 total points
I'd do it with source and destination NAT on your side. Talk to the partner company, find a 192.168.x.0/24 network they don't use and nat all your source IP addresses from site A into this network. And for the destination ERP take another 192.168.x.x (like you do the NAT with 10.3.5.18 and 192.168.20.18) and let people use this IP address for the ERP system. Favorably you enter this address into DNS and let people use the name of the system. That adds flexibility for future changes.
Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
Just to add to mat1458's answer:

The crypto map has to cover the NATted address/subnet rather than the original address.
The crypto maps on both of the ASAs and the ERP supplier's firewall will all have to be adjusted.
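One way to lay out the source-and-destination NAT mat1458 describes, together with the crypto ACLs that ArneLovius points out must match the translated addresses, written as an added example and not taken from anyone's posted config. The 192.168.50.0/24 source range, the 192.168.60.18 stand-in ERP address and the ACL names are assumed placeholders that the partner at C would have to agree to, and the existing 10.3.5.18 rules are assumed removed so they do not match first.

```cisco
! --- Site A ASA (8.4) ---
! Real addresses at A, and the partner-agreed range C will see A's users as.
object network obj-siteA-real
 subnet 192.168.1.0 255.255.255.0
object network obj-siteA-mapped
 subnet 192.168.50.0 255.255.255.0
! The real ERP host at C, and the stand-in address handed to A's users (ideally via DNS).
object network obj-cerp-real
 host 192.168.1.18
object network obj-cerp-fake
 host 192.168.60.18
! Twice NAT: source 192.168.1.x -> 192.168.50.x, destination 192.168.60.18 -> 192.168.1.18.
! On the destination side the mapped object comes first, then the real object.
nat (inside,outside) source static obj-siteA-real obj-siteA-mapped destination static obj-cerp-fake obj-cerp-real
! Crypto ACL for the A<->B tunnel: the translated pair, not 192.168.1.0/24 <-> 192.168.60.18.
access-list vpn-to-siteB extended permit ip 192.168.50.0 255.255.255.0 host 192.168.1.18

! --- Site B ASA (8.4) ---
! The flow arrives from A on outside and leaves towards C on outside, so the hairpin must be allowed.
same-security-traffic permit intra-interface
object network obj-siteA-mapped
 subnet 192.168.50.0 255.255.255.0
object network obj-cerp
 host 192.168.1.18
! Identity NAT so B passes the already-translated flow through untouched.
nat (outside,outside) source static obj-siteA-mapped obj-siteA-mapped destination static obj-cerp obj-cerp
! Both of B's crypto ACLs carry the translated pair; C's firewall needs the mirror of vpn-to-siteC.
access-list vpn-to-siteA extended permit ip host 192.168.1.18 192.168.50.0 255.255.255.0
access-list vpn-to-siteC extended permit ip 192.168.50.0 255.255.255.0 host 192.168.1.18
```

B's existing static route for 192.168.1.18 towards C still decides where the translated flow goes, while the rest of 192.168.1.0/24 keeps routing to A.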
Author Closing Comment

by:bfg01
Thank you for the input, mat1458 and ArneLovius. The suggestions are good ones. Unfortunately the ERP supplier is unwilling to make changes at this time, and after many hours we've been unable to get this to work the way we had hoped.

We've worked around it by setting up a remote desktop server at site B for now.
Expert Comment

by:ArneLovius
You could do it with two layers of NAT, it would be messy, but not impossible...