Solved

Connect two subnets with same IP range over VPN through third subnet

Posted on 2013-02-04
4
990 Views
Last Modified: 2013-02-19
We recently added a new location and connected to the two sites together using a site to site VPN between two ASA 5510s. We'll call my site, site A, and the new site, site B. Site B has an existing connection to another company, site C, where their ERP is located. The challenge is that Sites A and C have the same IP subnet, and people at A wish to access the ERP at C.

I'd like to set this up so that they can run the terminal client directly on their PCs, rather than going through a remote desktop server hosted at B, which is the backup plan.

There is no direct connection between A and C; changing A's IP subnet is not practical at this time; and given that C is another company, we have no influence over their IP addressing.

I am currently using static routing for 192.168.1.18 and a few other addresses from B to C, everything else in the overlapped IP subnet is being routed to A. Clients at B can access the ERP (at port 23) at C.

Site A:
192.168.1.0/24

Site B:
192.168.20.0/24

Site c:
192.168.1.0/24

The tunnel between A and B also carries 10.3.5.0/24. I want to set it up so that when any number of clients in A try to access 10.3.5.18, we have that traffic sent over the tunnel to B. At site B,  the incoming traffic for 10.3.5.18 has source address translated to 192.168.20.18 and destination translated to 192.168.1.18.

Here are the object and NAT configs from the ASAs. Looking for some guidance, have tried a few things so far, this is the latest config.

Site A, version 8.4(1)11
object network obj-192.168.1.0-cerp
 subnet 192.168.1.0 255.255.255.0
object network obj-berp
 host 10.3.5.18
nat (inside,outside) source static obj-192.168.1.0-cerp obj-192.168.1.0-cerp   destination static obj-berp obj-berp

Site B, version 8.4(4)1
object network obj-cerp
 host 192.168.1.18
object network obj-berp
 host 192.168.20.18
object network obj-aerp
 host 10.3.5.18
nat (inside,outside) source static obj-aerp obj-berp destination static obj-cerp obj-cerp
0
Comment
Question by:bfg01
  • 2
4 Comments
 
LVL 10

Accepted Solution

by:
mat1458 earned 250 total points
ID: 38853826
I'd do it with source and destination NAT on your side. Talk to the partner company, find a 192.168.x.0/24 network they don't use and nat all your source IP addresses from site A into this network. And for the destination ERP take another 192.168.x.x (like you do the NAT with 10.3.5.18 and 192.168.20.18) and let people use this IP address for the ERP system. Favorably you enter this address into DNS and let people use the name of the system. That adds flexibility for future changes.
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 38854549
just to add to mat1458's answer,

the cryptomap has to cover the NATted address/subnet rather than the original address.
the cryptomaps on both of the ASAs and the ERP suppliers firewall will all have to be adjusted.
0
 

Author Closing Comment

by:bfg01
ID: 38906651
Thank you for the input, mat1458 and ArneLovius. The suggestions are good ones. Unfortunately the ERP supplier is unwilling to make changes at this time, and after many hours we've been unable to get this to work the way we had hoped.

We've worked around it by setting up a remote desktop server at site B for now.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38906831
You could do it with two layers of NAT, it would be messy, but not impossible...
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Ping in Fortigate 2 41
How to obtain the firewall config for Cisco ASA Firewall- 5512-X 5 28
auto connect vpn 17 59
DHCP behind catalyst 3750 POE-48 2 20
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question