ccfcfc asked:

Cisco ASA - IPSec to multiple peers all with the same private subnet

I have a requirement to connect a central ASA 55xx to multiple remote sites over IPSec tunnels.

Each remote site has the same private IP subnet.

All of the documentation that I can find on VPN address overlap assumes that the local and remote peers have the same subnet, rather than multiple remote peers having the same subnet.

Can I configure the local ASA to support this?
asavener:

Are you able to modify or influence the configuration of the endpoints?  The easiest way to accomplish this is to NAT the connections at the remote endpoints.  NAT takes place before crypto, so it's possible to NAT and then send the NAT'd traffic over the VPN.

Unfortunately, I can't think of a way to do source NAT'ing at the hub, and be able to differentiate the traffic.

If all the remote networks are the same, you can NAT the remote network to a unique network inside your ASA. Otherwise the ASA is not able to route the traffic back to the correct tunnel interface.

Use this Cisco document to set up your configurations.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
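To make the "NAT before crypto at the remote endpoints" idea from asavener's reply and the "NAT the remote network to a unique network" suggestion above concrete, here is an added configuration sketch (not from the thread or from Cisco's document). It assumes ASA 8.3+ syntax, a hub LAN of 10.0.0.0/24, every spoke LAN on 192.168.1.0/24, and the spoke-side names, mapped subnets and peer addresses below, which are all made up for the example.

```cisco
! ---- Spoke site 1 (assumed 8.3+ syntax) ----
! Real LAN 192.168.1.0/24 is presented to the hub as 10.1.1.0/24.
! Site 2 would use 10.1.2.0/24, site 3 10.1.3.0/24, and so on.
object network SITE1-REAL
 subnet 192.168.1.0 255.255.255.0
object network SITE1-MAPPED
 subnet 10.1.1.0 255.255.255.0
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
! Twice NAT, applied only to traffic destined for the hub. The ASA
! translates before the crypto map is evaluated, so the tunnel only
! ever carries 10.1.1.0/24 <-> 10.0.0.0/24.
nat (inside,outside) source static SITE1-REAL SITE1-MAPPED destination static HUB-LAN HUB-LAN
! The crypto ACL must therefore match the MAPPED (post-NAT) subnet.
access-list VPN-TO-HUB extended permit ip object SITE1-MAPPED object HUB-LAN
crypto map OUTSIDE_MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP interface outside

! ---- Hub ----
! Each spoke now appears as a distinct remote subnet, so separate
! crypto-map entries can steer return traffic to the right peer.
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network SITE1-MAPPED
 subnet 10.1.1.0 255.255.255.0
object network SITE2-MAPPED
 subnet 10.1.2.0 255.255.255.0
! Identity NAT so hub-to-spoke traffic is not caught by any Internet PAT rule.
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SITE1-MAPPED SITE1-MAPPED
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SITE2-MAPPED SITE2-MAPPED
access-list VPN-SITE1 extended permit ip object HUB-LAN object SITE1-MAPPED
access-list VPN-SITE2 extended permit ip object HUB-LAN object SITE2-MAPPED
crypto map OUTSIDE_MAP 10 match address VPN-SITE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 match address VPN-SITE2
crypto map OUTSIDE_MAP 20 set peer 198.51.100.2
crypto map OUTSIDE_MAP interface outside
```

On pre-8.3 spokes the same spoke-side translation is expressed with a `static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0` command; the hub-side logic is unchanged because the hub only ever sees the mapped subnets.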
asavener:

I think that's the exact document that ccfcfc was talking about.
ccfcfc (asker):

Benjamin - as asavener said, that's the sample config that you always find when looking at dealing with overlapping networks. It's always assumed that the overlap is between the local and remote peers rather than being between multiple remote peers.

Thanks.
asavener (asker-certified solution):

ccfcfc (asker):

As an option, would Twice NAT help in this scenario, or does Twice NAT have the same problem in that it still can't differentiate traffic between each VPN tunnel, as they will all still have the same source and destination subnets?

We have ASA 8.2 at the moment so don't have this option right now and it's therefore not a configuration that I have used, so I'm not familiar with how it works. If it would resolve this issue then it would help me to push for an OS upgrade.
asavener:

I don't think that will help.