Cisco ASA - IPSec to multiple peers all with the same private subnet

I have a requirement to connect a central ASA 55xx to multiple remote sites over IPSec tunnels.

Each remote site has the same private IP subnet.

All of the documentation that I can find on VPN address overlap assumes that the local and remote peers have the same subnet, rather than multiple remote peers having the same subnet.

Can I configure the local ASA to support this?

Are you able to modify or influence the configuration of the endpoints?  The easiest way to accomplish this is to NAT the connections at the remote endpoints.  NAT takes place before crypto, so it's possible to NAT and then send the NAT'd traffic over the VPN.

Unfortunately, I can't think of a way to do source NAT'ing at the hub, and be able to differentiate the traffic.
Benjamin Van Ditmars (Sr Network Engineer) commented:
If all the remote networks are the same, you can NAT the remote network to a unique network inside your ASA. Otherwise the ASA is not able to route the traffic back to the correct tunnel interface.

Use this Cisco document to set up your configurations.
I think that's the exact document that ccfcfc was talking about.

ccfcfc (Author) commented:
Benjamin - as asavener said, that's the sample config that you always find when looking at dealing with overlapping networks. It's always assumed that the overlap is between the local and remote peers rather than being between multiple remote peers.

What needs to happen is to adopt 1/2 of that article for each remote site, and NAT each site to a different subnet.  Then you configure a VPN to each of the NAT'd subnets.

Otherwise, you need to place your own router at each of the sites, behind their firewall.  The best approach for this would be GRE tunnels encrypted using IPSec.  The GRE tunnels each have their own interface, where you can apply NAT rules.  Then the remote sites add a route so that the traffic for your site gets routed to the VPN router.

I think it would also be possible to have routers at your site, each connecting to the remote sites.  You'd need to do source NAT'ing to make each site look like a different subnet.  Source NAT'ing is perfectly valid, but I've seen it used in the field much less often.  Another possible downside is that each VPN router would require a different public IP address, which you may not already have.
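Worked example, added here and not taken from the thread or from Cisco's overlap document: the spoke-side policy NAT that asavener describes (NAT happens before crypto, so each site presents a unique translated subnet to the hub) together with the per-peer crypto map entries at the hub. It assumes ASA 8.2 (pre-8.3) NAT syntax because that is what the author runs, assumes every site's real LAN is 192.168.1.0/24 and the hub LAN is 10.0.0.0/24, and uses constructed documentation addresses (203.0.113.x) for the public peers and 172.16.N.0/24 as the translated subnet for site N. All object names, addresses and pre-shared-key placeholders are assumptions.

```cisco
! ---------- Remote site A (repeat at each spoke with a different mapped subnet) ----------
! Assumed: LAN 192.168.1.0/24 on "inside", hub LAN 10.0.0.0/24, site A mapped to 172.16.1.0/24.
! Static policy NAT (8.2 form, mask taken from the ACL): traffic from the real LAN to the hub
! is translated to 172.16.1.0/24 before it reaches the crypto map.
access-list POLICY-NAT-HUB extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list POLICY-NAT-HUB
!
! The crypto ACL matches the translated addresses, never the real LAN.
access-list VPN-TO-HUB extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <site-A-psk-placeholder>
!
! ---------- Hub ASA (public address 203.0.113.1) ----------
! Site A (peer 203.0.113.11) is reached as 172.16.1.0/24, site B (peer 203.0.113.12) as
! 172.16.2.0/24. Because the mapped subnets differ, each crypto map entry matches only its
! own site even though the real LANs behind both peers are identical.
access-list VPN-SITE-A extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPN-SITE-B extended permit ip 10.0.0.0 255.255.255.0 172.16.2.0 255.255.255.0
! Keep the hub's own NAT off the hub-to-spoke traffic (8.2 NAT exemption).
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SITE-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.11
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-SITE-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.12
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 pre-shared-key <site-A-psk-placeholder>
tunnel-group 203.0.113.12 type ipsec-l2l
tunnel-group 203.0.113.12 ipsec-attributes
 pre-shared-key <site-B-psk-placeholder>
```

Two things to check when bringing this up. On each spoke, make sure no `nat (inside) 0 access-list` exemption already matches the real LAN to the hub: in 8.2, NAT exemption wins over a static policy NAT, so the hub traffic would leave untranslated and never match the crypto ACL. On the hub, hosts must address site A as 172.16.1.x and site B as 172.16.2.x; `show xlate` on the spoke and `show crypto ipsec sa` on the hub will confirm that the translated subnet, not 192.168.1.0/24, is what the SA carries.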

ccfcfc (Author) commented:
As an option, would Twice NAT help in this scenario, or does Twice NAT have the same problem in that it still can't differentiate traffic between each VPN tunnel, as they will all still have the same source and destination subnets?

We have ASA 8.2 at the moment so don't have this option right now and it's therefore not a configuration that I have used, so I'm not familiar with how it works. If it would resolve this issue then it would help me to push for an OS upgrade.
I don't think that will help.