Solved

Need to create a VPN to a Fake Network

Posted on 2013-06-22
Last Modified: 2013-06-25
I have a Cisco ASA 5520 and I need to establish a VPN to a 3rd party. Our subnets overlap, so I need to have the VPN come into a fake network that I will NAT all the other networks through to get to them.
Inside network: 192.168.1.0/24
Remote network: 192.168.10.0/24
So I need to create a fake network on my side, i.e. 192.168.50.0/24, that the VPN will list in the tunnel. Then I need to NAT all my internal traffic through to that fake network, so it will go over the VPN. How do I set that up?
Question by: digital0g1c
5 Comments
 
LVL 28

Expert Comment

by: Jan Springer
ID: 39268418
Why aren't you just using the public IPs through the tunnel?

That way, your inside IPs NAT first and then get encrypted through the VPN.
LVL 1

Author Comment

by: digital0g1c
ID: 39268428
How would you make that work?
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 39268438
Two steps:

1) Don't create a NAT exemption between the inside networks.

2) Specify your public subnet to their private subnet (the encryption domain) in the VPN peer access-list. Let your peer know to use your public IPs at their end, since the encryption domains need to be an inverse match.
 
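The two steps above, written out as ASA configuration. This is an added example, not configuration posted in the thread: it assumes ASA 8.4+ NAT syntax, interfaces named inside and outside, an outside address of 203.0.113.10, a peer address of 198.51.100.1, and the object, access-list and crypto-map names shown, all of which are placeholders. The IKE policy and the tunnel-group with its pre-shared key are assumed to exist already.

```text
! Added example, not from the thread. ASA 8.4+ syntax assumed; 203.0.113.10 (our
! outside address), 198.51.100.1 (peer) and all object/ACL/map names are placeholders.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network PEER_NET
 subnet 192.168.10.0 255.255.255.0

! Step 1: deliberately NO "nat (inside,outside) source static INSIDE_NET INSIDE_NET
! destination static PEER_NET PEER_NET" exemption. Inside hosts fall through to the
! ordinary PAT below, so a packet to 192.168.10.0/24 already carries the public
! source address when the crypto map is evaluated (the ASA translates, then encrypts).
nat (inside,outside) after-auto source dynamic INSIDE_NET interface

! Step 2: the encryption domain is our public address to their private subnet.
access-list VPN_TO_PEER extended permit ip host 203.0.113.10 192.168.10.0 255.255.255.0

crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_PEER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! The peer's crypto ACL must be the exact inverse of ours:
!   permit ip 192.168.10.0 255.255.255.0 host 203.0.113.10

! Check (exec mode, not configuration): trace a flow from an inside host. The output
! should show a NAT phase rewriting the source to 203.0.113.10, then a VPN phase
! matching VPN_TO_PEER. If the VPN phase is missing, the packet was not translated
! before the crypto map lookup, which usually means a stray NAT exemption rule.
packet-tracer input inside tcp 192.168.1.10 40000 192.168.10.20 443
```

One consequence worth knowing before agreeing this with the peer: because the inside hosts are hidden behind a single PAT address, only your side can initiate connections. If the third party needs to reach particular inside hosts, those hosts need a one-to-one static translation to an additional public address, and that address is then added to the encryption domain on both ends.
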
LVL 1

Author Comment

by: digital0g1c
ID: 39268448
That makes perfect sense. Tunnel vision! No pun intended... Thanks!
LVL 25

Expert Comment

by: Cyclops3590
ID: 39274820
BTW, you could use the internal IPs and do NAT exemption as well, but it requires that you tell the other side to use a fake network as well. It's considered a policy NAT or twice-NAT type of configuration. It's ugly, but it works and is sadly more common than you might think for the exact problem you're facing.

Cisco Doc Example:  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

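The twice-NAT alternative described in the last comment, using the fake 192.168.50.0/24 network from the original question. This is an added example, not configuration from the thread or from the linked Cisco document: it assumes ASA 8.4+ NAT syntax, interfaces named inside and outside, and the object and access-list names shown (placeholders). The crypto map, peer and tunnel-group settings are the same as for any site-to-site tunnel and are left out.

```text
! Added example, not from the thread or the linked Cisco document. ASA 8.4+ syntax
! assumed; object and ACL names are placeholders. Crypto map and peer settings are
! those of an ordinary site-to-site tunnel and are omitted.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network FAKE_NET
 subnet 192.168.50.0 255.255.255.0
object network PEER_NET
 subnet 192.168.10.0 255.255.255.0

! Twice NAT (manual NAT, section 1): only for traffic to the peer, translate
! 192.168.1.x one-to-one to 192.168.50.x and leave the destination untouched.
! A static rule is bidirectional, so the peer reaches inside host 192.168.1.20
! as 192.168.50.20; nothing on the inside network changes.
nat (inside,outside) source static INSIDE_NET FAKE_NET destination static PEER_NET PEER_NET

! Generic Internet PAT is placed after-auto (section 3). If it were a plain
! section-1 rule listed before the static one, it would match the VPN traffic
! first and the tunnel would never see the fake addresses.
nat (inside,outside) after-auto source dynamic INSIDE_NET interface

! The encryption domain names the fake network, never the real one.
access-list VPN_TO_PEER extended permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0

! If the peer overlaps with you and translates its side too (the comment above says
! this is required), PEER_NET must be the range they present, not their real LAN,
! and their crypto ACL is the inverse:
!   permit ip <range they present> 192.168.50.0 255.255.255.0

! Checks (exec mode): the trace should hit the manual NAT rule and then the VPN phase;
! in the SA output the local ident should read 192.168.50.0/255.255.255.0.
packet-tracer input inside tcp 192.168.1.20 40000 192.168.10.20 445
show crypto ipsec sa
```

The ordering caveat is the part that most often goes wrong: on an ASA, manual NAT rules are matched top-down within their section, so the specific static rule must sit before any dynamic rule that also covers INSIDE_NET, and the encryption domain must be written against the post-NAT (fake) addresses on both ends.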