Cisco ASA - IPSec to multiple peers all with the same private subnet

ccfcfc
I have a requirement to connect a central ASA 55xx to multiple remote sites over IPSec tunnels.

Each remote site has the same private IP subnet.

All of the documentation that I can find on VPN address overlap assumes that the local and remote peers have the same subnet, rather than multiple remote peers having the same subnet.

Can I configure the local ASA to support this?
Are you able to modify or influence the configuration of the endpoints?  The easiest way to accomplish this is to NAT the connections at the remote endpoints.  NAT takes place before crypto, so it's possible to NAT and then send the NAT'd traffic over the VPN.

Unfortunately, I can't think of a way to do source NAT'ing at the hub, and be able to differentiate the traffic.

Commented:
If all the remote networks are the same, you can NAT the remote network to a unique network inside your ASA. Otherwise the ASA is not able to route the traffic back to the correct tunnel interface.

Use this Cisco document to set up your configurations.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
I think that's the exact document that ccfcfc was talking about.

Author

Commented:
Benjamin - as asavener said, that's the sample config that you always find when looking at dealing with overlapping networks. It's always assumed that the overlap is between the local and remote peers rather than being between multiple remote peers.

Thanks.
What needs to happen is to adopt 1/2 of that article for each remote site, and NAT each site to a different subnet.  Then you configure a VPN to each of the NAT'd subnets.

Otherwise, you need to place your own router at each of the sites, behind their firewall.  The best approach for this would be GRE tunnels encrypted using IPSec.  The GRE tunnels each have their own interface, where you can apply NAT rules.  Then the remote sites add a route so that the traffic for your site gets routed to the VPN router.

I think it would also be possible to have routers at your site, each connecting to the remote sites.  You'd need to do source NAT'ing to make each site look like a different subnet.  Source NAT'ing is perfectly valid, but I've seen it used in the field much less often.  Another possible downside is that each VPN router would require a different public IP address, which you may not already have.
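
The per-site NAT plan suggested in the answer above, worked through as an added example that is not part of the original thread. The subnets, site names and function names are assumptions chosen for illustration: each remote site gets its own translated subnet, hosts are mapped 1:1, and the hub then sees one distinct remote network per tunnel.

```python
import ipaddress

def plan_site_nat(hub_lan, shared_remote, pool, sites):
    """Assign every remote site its own translated subnet carved from `pool`."""
    hub = ipaddress.ip_network(hub_lan)
    real = ipaddress.ip_network(shared_remote)
    # Candidate subnets are the same size as the real one, so hosts map 1:1.
    candidates = ipaddress.ip_network(pool).subnets(new_prefix=real.prefixlen)
    plan = {}
    for site in sites:
        for cand in candidates:  # shared iterator: each site takes the next free one
            # Never hand out a range that collides with the hub LAN or with
            # the real subnet that every remote site already uses.
            if not (cand.overlaps(hub) or cand.overlaps(real)):
                plan[site] = cand
                break
        else:
            raise ValueError(f"pool {pool} exhausted before reaching {site}")
    return plan

def translate(host, shared_remote, mapped):
    """1:1 static translation: keep the host offset, swap the network part."""
    real = ipaddress.ip_network(shared_remote)
    addr = ipaddress.ip_address(host)
    if addr not in real:
        raise ValueError(f"{host} is not inside {real}")
    offset = int(addr) - int(real.network_address)
    return ipaddress.ip_network(mapped).network_address + offset

def hub_selectors(plan, hub_lan):
    """Traffic selectors the hub needs: hub LAN <-> each site's translated subnet."""
    nets = list(plan.values())
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            raise ValueError("translated subnets overlap; tunnels would be ambiguous")
    return [(site, str(ipaddress.ip_network(hub_lan)), str(net))
            for site, net in plan.items()]

if __name__ == "__main__":
    # Constructed sample: three sites that all use 192.168.1.0/24 internally.
    plan = plan_site_nat("10.10.0.0/24", "192.168.1.0/24",
                         "172.16.0.0/22", ["site-a", "site-b", "site-c"])
    for site, local, remote in hub_selectors(plan, "10.10.0.0/24"):
        print(f"{site}: {local} <-> {remote}")
    print(translate("192.168.1.50", "192.168.1.0/24", plan["site-b"]))
```

The translation itself is configured on each remote endpoint; the hub is only configured with the translated subnets.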

Author

Commented:
As an option, would Twice NAT help in this scenario or does Twice NAT have the same problem in that it still can't differentiate traffic between each VPN tunnel as they will all still have the same source and destination subnets?

We have ASA 8.2 at the moment so don't have this option right now and it's therefore not a configuration that I have used, so I'm not familiar with how it works. If it would resolve this issue then it would help me to push for an OS upgrade.
I don't think that will help.
