Cisco ASA 5500 - How can I VPN to a site that has overlapping subnets with my Cisco ASA's local LAN?
Posted on 2014-01-08
I have a Cisco ASA 5505 running 8.2.5 firmware. I have to VPN with a subnet that has the same IP range as my site, but I need to be able to be the initiator as WELL as the responder. I'm not sure what the best way to do this is.
My site: 10.0.1.0/24
Remote site: 10.0.1.0/24
My initial thought was to policy NAT both sides with a NAT OVERLOAD, which would work fine, but I need to be able to talk back to (2) specific hosts on that LAN, and that LAN needs to be able to talk back to (2) specific hosts on MY LAN.
MY LAN: 10.0.1.50, 10.0.1.51 need to talk to the remote site's IPs: 10.0.1.100, 10.0.1.101.
My thought was:
NAT my site as: 172.16.10.0/24
NAT remote site to me as: 192.168.10.0/24
on my side:
host 1 - 172.16.10.50
host 2 - 172.16.10.51
on remote site:
host 1 - 192.168.10.100
host 2 - 192.168.10.101
interesting traffic acl: 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
Normally, I would also include a NAT (inside) 0 statement that matches the interesting traffic ACL so that it does not NAT, but in this case I DO want these hosts to 1-to-1 NAT as 172.16.10.50,51 to inside 10.0.1.50,51... so do I skip the NAT (INSIDE) 0?
Also, does this get complicated if those hosts have any static (inside,outside) relationships with the OUTSIDE interface? Say, one of them is serving a web server or email server? I know how to do a P-NAT to send these hosts out as the specific IP's that I want them to send out as:
! Policy ACLs: match the real inside host as source and the remote site's mapped network as destination
access-list PNAT-1 permit ip host 10.0.1.50 192.168.10.0 255.255.255.0
access-list PNAT-2 permit ip host 10.0.1.51 192.168.10.0 255.255.255.0
! Dynamic policy NAT: each host is translated to its own mapped address, outbound only
global (outside) 10 172.16.10.50
global (outside) 11 172.16.10.51
nat (inside) 10 access-list PNAT-1
nat (inside) 11 access-list PNAT-2
But how can I get 172.16.10.50,51 to accept inbound traffic on all ports and pass it to inside host 10.0.1.50,51?
Once I know how to set site 1 up, the second site is just a reflection of that... but I keep getting stuck on the NAT INBOUND (static inside, outside). The VPN comes up, but I can't get the hosts to talk.
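For reference, here is an added example (not the poster's configuration, and not taken from any answer on the page) of how the bidirectional one-to-one mapping described above is usually built on ASA 8.2 with static policy NAT instead of the dynamic nat/global pair. It uses the mapped addresses from the question; the ACL names, crypto map name, transform set, tunnel-group and the peer address 203.0.113.10 are assumptions, and the pre-shared key is a placeholder.

```cisco
! ===== Local ASA (8.2.x): real LAN 10.0.1.0/24, shown to the peer as 172.16.10.0/24 =====
! (added example, assumed names; peer 203.0.113.10 is a placeholder)

! Policy ACLs match the REAL inside host as source and the remote site's MAPPED network
! as destination, so normal Internet traffic from these hosts is not affected.
access-list VPN-NAT-50 extended permit ip host 10.0.1.50 192.168.10.0 255.255.255.0
access-list VPN-NAT-51 extended permit ip host 10.0.1.51 192.168.10.0 255.255.255.0

! Static policy NAT is bidirectional: outbound 10.0.1.50 -> 172.16.10.50 only toward
! 192.168.10.0/24, and inbound packets from 192.168.10.0/24 to 172.16.10.50 are
! untranslated to 10.0.1.50 on every port. This replaces the one-way
! "nat (inside) 10 access-list PNAT-1" / "global (outside) 10 172.16.10.50" pair.
static (inside,outside) 172.16.10.50 access-list VPN-NAT-50
static (inside,outside) 172.16.10.51 access-list VPN-NAT-51

! Do NOT add a "nat (inside) 0 access-list" entry that covers 10.0.1.50/51 -> 192.168.10.0/24:
! NAT exemption is evaluated before static NAT and would keep the translation from happening.
! If one of these hosts also has a regular static (inside,outside) for a published web or
! mail service, enter the policy static above it (assumption: the first matching static in
! configuration order wins; verify with packet-tracer below).

! Interesting traffic is written in MAPPED addresses, because the crypto ACL is
! evaluated after NAT on the outbound path.
access-list VPN-REMOTE extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>
! "sysopt connection permit-vpn" is on by default, so decrypted traffic bypasses the
! outside interface ACL; if it has been disabled, permit 192.168.10.0/24 -> 172.16.10.0/24
! on the outside ACL explicitly.

! ===== Remote ASA: mirror image (real 10.0.1.100/101 shown to us as 192.168.10.100/101) =====
access-list VPN-NAT-100 extended permit ip host 10.0.1.100 172.16.10.0 255.255.255.0
access-list VPN-NAT-101 extended permit ip host 10.0.1.101 172.16.10.0 255.255.255.0
static (inside,outside) 192.168.10.100 access-list VPN-NAT-100
static (inside,outside) 192.168.10.101 access-list VPN-NAT-101
access-list VPN-REMOTE extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0

! ===== Verification on the local ASA (either side can initiate; both statics are symmetric) =====
! packet-tracer input inside tcp 10.0.1.50 1025 192.168.10.100 80
!   -> expect a NAT phase showing 10.0.1.50 translated to 172.16.10.50, then a VPN phase
! packet-tracer input outside tcp 192.168.10.100 1025 172.16.10.50 443
!   -> expect the destination untranslated to 10.0.1.50
! show xlate | include 172.16.10
! show crypto ipsec sa peer 203.0.113.10
```

On each side the hosts only ever address the other site by its mapped network (10.0.1.50 talks to 192.168.10.100, never to 10.0.1.100), so the overlapping real ranges never appear inside the tunnel, and because the statics are evaluated for both directions, either site can bring the tunnel up and the two published hosts are reachable on all ports without a separate inbound rule.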