Site to Site VPN with NAT and Identical network Question

I need some help. I am having trouble wrapping my head around a firewall NAT issue, in terms of how to accomplish a setup between my Production site and a DR site. Both have the same internal subnet of 192.168.101.0/24. Here is my issue:

I have a server with an address of 192.168.101.222 at my DR site. Nothing will ever use that address in either the Production site or the DR site other than that server; this is the only difference between the networks. I need the ability to do a VPN to that one server. For instance, if a user in my Production site needs to go to that 192.168.101.222 IP, I need it to go across the VPN to my DR site and access that server.
I know I need to NAT that IP to another IP and I get the concept, but when I start mapping it out I'm confusing myself or whatever. I need help on this logic. There is a Cisco ASA at both locations.
Brian E. (IT Director) asked:
 
ITguy565 commented:
Maybe this will be a better approach for you:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html

Introduction
This document describes the steps used to translate (NAT) the VPN traffic that travels over a LAN-to-LAN (L2L) IPsec tunnel between two security appliances and also PAT the Internet traffic. Each security appliance has a private, protected network behind it. In this example two Cisco Adaptive Security Appliances (ASAs) with identical and overlapping internal networks are connected over the VPN tunnel. In a normal scenario, communication across the VPN never happens because the ping packets never leave the local subnet since the user pings the IP address of the same subnet. For these two private internal networks to communicate with each other, Policy NAT is used on both ASAs for translation of the local subnet so that the communication happens as expected.
0
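To make the policy-NAT reasoning in the Cisco document concrete, here is an added Python model (not from the post or from Cisco's document) that follows one packet between two sites sharing 192.168.101.0/24. The translated ranges 10.1.1.0/24 (Production) and 10.2.2.0/24 (DR) are constructed assumptions; it shows both why the untranslated design never reaches the tunnel and how the translated addresses line up with the crypto ACL.

```python
import ipaddress

# Constructed assumptions for this example: both sites share 192.168.101.0/24,
# Production is presented to DR as 10.1.1.0/24 and DR to Production as 10.2.2.0/24.
SHARED_LAN = ipaddress.ip_network("192.168.101.0/24")
TRANSLATED = {
    "prod": ipaddress.ip_network("10.1.1.0/24"),
    "dr": ipaddress.ip_network("10.2.2.0/24"),
}
PEER = {"prod": "dr", "dr": "prod"}


def translate(addr, from_net, to_net):
    """Net-to-net static NAT: keep the host part, swap the network part."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def crypto_acl_matches(site, src, dst):
    """The crypto map on each ASA only protects translated <-> translated."""
    return src in TRANSLATED[site] and dst in TRANSLATED[PEER[site]]


def asa_forward(site, src, dst):
    """Follow one packet from a host at `site` towards `dst`.

    Returns ((source the remote server sees, real destination), "ok") when the
    flow crosses the tunnel, or (None, reason) when it cannot.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in SHARED_LAN:
        # The host believes dst is on its own LAN and ARPs for it; the packet
        # never reaches the ASA. This is why an untranslated design fails.
        return None, "same-subnet: host never sends to the gateway"
    if dst not in TRANSLATED[PEER[site]]:
        return None, "not a tunnel destination"
    nat_src = translate(src, SHARED_LAN, TRANSLATED[site])  # outbound policy NAT
    if not crypto_acl_matches(site, nat_src, dst):
        return None, "crypto ACL mismatch"
    real_dst = translate(dst, TRANSLATED[PEER[site]], SHARED_LAN)  # peer untranslates
    return (str(nat_src), str(real_dst)), "ok"


if __name__ == "__main__":
    # A Production user reaching the DR server through its translated address.
    print(asa_forward("prod", "192.168.101.50", "10.2.2.222"))
    # The same user using the real address: never leaves the local LAN.
    print(asa_forward("prod", "192.168.101.50", "192.168.101.222"))
```

Users at Production must address the DR server as 10.2.2.222 (for example via a DNS record that exists only at that site); the ASA on the DR side undoes the translation before the packet reaches 192.168.101.222.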
 
ITguy565 commented:
There is only one way I can think of to accomplish this. Create a VPN to the DR location and then create a VLAN with the address of the subnet in the DR zone. You can then use firewall policies to block the original IP on the original zone and enable a static route to the redundant server.

For instance: 192.168.101.222 can exist in two locations as long as both are not accessible at the same time.
0
 
Brian E. (IT Director, author) commented:
Can I create a VPN without NAT if both sides have the same subnet? I've never done it this way before. If I am understanding you correctly, that is.
0
 
ITguy565 commented:
No, you must have a different subnet in order to create a VPN.
0
 
ITguy565 commented:
There is only one way I can think of to accomplish this. Create a VPN to the DR location and then create a VLAN with the address of the subnet in the DR zone. You can then use firewall policies to block the original IP on the original zone and enable a static route to the redundant server.

For instance: 192.168.101.222 can exist in two locations as long as both are not accessible at the same time.

Taking it a bit further, I don't know your address objects, but:

C-LAN 192.168.101.X/24
DR-LAN 10.10.X.X/24

VPN between C-LAN --> DR-LAN

On DR-LAN
create VLAN 192.168.101.X/24

Firewall Policy Blocking all access to the VLAN 192.168.101.X/24
Allow just the IP you Need

Firewall C-LAN server IP
Create a static route from C-LAN to VLAN (server IP)
Create static route from VLAN to C-LAN (server IP)
0
 
ITguy565 commented:
Any questions or confusion on what I presented above?
0
 
Brian E. (IT Director, author) commented:
The networks on both sides are 192.168.101.0/24; this is where I am struggling with how to put my NATs in. So I am still a little confused.

Sorry, I am OK at VPNs, just not when it comes to this.
0
 
ITguy565 commented:
I don't know if this is the most efficient way to do this, but you could add a secondary subnet to the Cisco at the DR site, then VPN to that subnet and follow the information listed above.
0
 
Brian E. (IT Director, author) commented:
Could I NAT the entire 192.168.101.0/24 subnet on my Production side behind an external IP? Or maybe vice versa, or on both sides? I guess where I get caught up is that I am doing both sides of the tunnel and I thought it would be easier, but for some reason it is so much harder for me. I'm sure I am making it more complicated than it needs to be.
0
 
Brian E. (IT Director, author) commented:
What about this...

Production side
Nat 192.168.101.222 --> Open External (1.1.1.1)

DR side

Nat  192.168.101.222 --> Open External (1.1.1.2)

then for tunnel

Production side
 Peer  Addr --> Local Network 1.1.1.1 --> Remote Network 1.1.1.2

DR Side

Peer Addr --> Local Network 1.1.1.2 --> Remote Network 1.1.1.1



I know that is super simplified but....
0
 
ITguy565 commented:
That should work as well. Review the document I just posted; it provides configuration examples for exactly this scenario.
0
 
Brian E. (IT Director, author) commented:
OK, I'll take a look at that article. Thanks.
0
 
Brian E. (IT Director, author) commented:
OK, I have the VPN established. I used external IP addresses to accomplish this. There is still an underlying issue I can't pinpoint, and I don't know if it's the Firepower that is messing with me or if I am missing something.

My issue is a delay in connecting to the server. This happens whether I am connecting via AnyConnect or site to site. If I do a telnet or HTTP to the server on that end, there is a long delay before a login is presented. Once logged in, you're OK. The other thing is I cannot FTP to the server, but like I stated, Telnet and HTTP work. If I telnet to the server and get logged in, while on the server I can issue an "FTP localhost" and it presents me with a login, so I know the FTP service is up and running.

Logs on either side don't give me any drops, errors or otherwise:

6      Apr 18 2018      07:31:52      302013      192.168.10.1      54992      192.168.101.222      21      Built inbound TCP connection 79674 for outside:192.168.10.1/54992 (192.168.10.1/54992)(LOCAL\User to inside:192.168.101.222/21 (192.168.101.222/21)

Kind of still confused...
0
 
Brian E. (IT Director, author) commented:
OK, I believe all is working. Thank you, ITGuy565, for all your help.
1
 
ITguy565 commented:
Awesome! Good to hear, Brian. What was the delay you were experiencing and how did you resolve it?
0
 
Brian E. (IT Director, author) commented:
There is still a delay, but I think it's network related and not connection related, if that makes sense. I was able to get an FTP prompt to the server by upping the timeout of the client. But really, this is a DR site, so I'd rather have a 30 to 45 second delay on the login being presented than nothing at all, and in all seriousness I would throttle the bandwidth at that point anyway, which would help that.

Looking at the logs on both sides, there isn't anything being logged. I may at some point put a sniffer on this side of the tunnel to see if it's reporting anything odd, but for now I'm calling this done.
0
 
ITguy565 commented:
Sounds good. If you decide to troubleshoot the delay and need assistance with it, feel free to reach back out to us!
1
 
ITguy565 commented:
When you get a moment, please close out the question.

Thanks,
0
 
Brian E. (IT Director, author) commented:
Thank you for your help. Much, much appreciated!
0
Question has a verified solution.