Brian E. asked:
Site to Site VPN with NAT and Identical network Question

I need some help. I am having trouble wrapping my head around a firewall NAT issue, in terms of how to accomplish a setup between my Production site and a DR site. Both have the same internal subnet of 192.168.101.0/24. Here is my issue:

I have a server with an address of 192.168.101.222 at my DR site. Nothing will ever use that address in either the Production site or the DR site other than that server; this is the only difference between the networks. I need the ability to do a VPN to that one server. For instance, if a user in my Production site needs to go to that 192.168.101.222 IP, I need it to go across the VPN to my DR site and access that server.
I know I need to NAT that IP to another IP, and I get the concept, but when I start mapping it out I'm confusing myself. I need help on this logic. There is a Cisco ASA at both locations.
ITguy565:

There is only one way I can think of to accomplish this. Create a VPN to the DR location and then create a VLAN with the address of the subnet in the DR zone. You can then use firewall policies to block the original IP in the original zone and enable a static route to the redundant server.

For instance: 192.168.101.222 can exist in two locations as long as both are not accessible at the same time.
Brian E. (asker):

Can I create a VPN without NAT if both sides have the same subnet? I've never done it this way before. If I am understanding you correctly, that is.
No, you must have a different subnet in order to create a VPN.
Taking it a bit further, I don't know your address objects, but:

C-LAN 192.168.101.X/24
DR-LAN 10.10.X.X/24

VPN between C-LAN --> DR-LAN

On DR-LAN:
Create VLAN 192.168.101.X/24

Firewall policy blocking all access to the VLAN 192.168.101.X/24
Allow just the IP you need

Firewall C-LAN server IP
Create a static route from C-LAN to VLAN (server IP)
Create a static route from VLAN to C-LAN (server IP)
Any questions or confusion on what I presented above?
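As an added illustration of the overlapping-subnet approach discussed above (this is not configuration from ITguy565 or from the thread), here is how the two ASAs could make the single DR host reachable by giving each side a non-overlapping view of the other with twice NAT. The mapped ranges 10.100.1.0/24 and 10.100.2.222, the interface names inside/outside and the ACL names are assumptions; the IKE policy, crypto map and tunnel-group lines are omitted. Syntax is ASA 8.3 or later.

```cisco
! ---- Production ASA (added example; mapped addresses are placeholders) ----
! Real LAN on both sites is 192.168.101.0/24; only 192.168.101.222 at DR is needed.
object network PROD-LAN
 subnet 192.168.101.0 255.255.255.0
! How Production hosts appear to the DR side
object network PROD-LAN-MAPPED
 subnet 10.100.1.0 255.255.255.0
object network DR-SERVER-REAL
 host 192.168.101.222
! Address Production users (or an internal DNS record) use for the DR server
object network DR-SERVER-MAPPED
 host 10.100.2.222
!
! Twice NAT: a packet from the LAN to 10.100.2.222 leaves with source 10.100.1.x
! and destination rewritten to 192.168.101.222 before the crypto ACL is evaluated.
! Line 1 puts it ahead of any dynamic PAT rule so it is matched first.
nat (inside,outside) 1 source static PROD-LAN PROD-LAN-MAPPED destination static DR-SERVER-MAPPED DR-SERVER-REAL
!
! The crypto ACL matches post-NAT addresses: 10.100.1.0/24 -> 192.168.101.222 only.
access-list VPN-TO-DR extended permit ip object PROD-LAN-MAPPED object DR-SERVER-REAL
!
! FTP carries IP addresses inside its control channel; inspection is what lets
! the ASA rewrite them, so keep it enabled when NAT sits in the FTP path.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! ---- DR ASA (no translation needed; it sees Production as 10.100.1.0/24) ----
object network DR-SERVER
 host 192.168.101.222
object network PROD-LAN-MAPPED
 subnet 10.100.1.0 255.255.255.0
! Identity NAT so the DR site's internet PAT does not translate tunnel traffic.
nat (inside,outside) 1 source static DR-SERVER DR-SERVER destination static PROD-LAN-MAPPED PROD-LAN-MAPPED
! Mirror image of the Production crypto ACL.
access-list VPN-TO-PROD extended permit ip object DR-SERVER object PROD-LAN-MAPPED
```

Because only the one host is ever placed in the crypto ACL, the rest of the DR 192.168.101.0/24 range never crosses the tunnel and cannot collide with the Production LAN. The price is that Production users must reach the DR server by its mapped address, not by 192.168.101.222.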
The networks on both sides are 192.168.101.0/24; this is where I am struggling with how to put my NATs in. So I am still a little confused.

Sorry, I am OK at VPNs, just not when it comes to this.
I don't know if this is the most efficient way to do this, but you could add a secondary subnet to the Cisco at the DR site, then VPN to that subnet and then follow the information listed above.
Could I NAT the entire 192.168.101.0/24 subnet on my Production side behind an external IP? Or maybe vice versa, or on both sides? I guess where I get caught up is that I am doing both sides of the tunnel and I thought it would be easier, but for some reason it is so much harder for me. I'm sure I am making it more complicated than it needs to be.
ASKER CERTIFIED SOLUTION
ITguy565
[This solution is only available to members.]
SOLUTION
[This solution is only available to members.]
That should work as well. Review the document I just posted; it provides configuration examples for exactly this scenario.
OK, I'll take a look at that article. Thanks.
OK, I have the VPN established. I used external IP addresses to accomplish this. There is still an underlying issue I can't pinpoint, and I don't know if it's the Firepower that is messing with me or if I am missing something.

My issue is a delay in connecting to the server. This happens whether I am connecting via AnyConnect or site to site. If I do a telnet or HTTP to the server on that end, there is a long delay before a login is presented. Once logged in, you're OK. The other thing is I cannot FTP to the server, but as I stated, Telnet and HTTP work. If I telnet to the server and get logged in, while on the server I can issue an "FTP localhost" and it presents me with a login, so I know the FTP service is up and running.

Logs on either side don't give me any drops, errors or otherwise.

6      Apr 18 2018      07:31:52      302013      192.168.10.1      54992      192.168.101.222      21      Built inbound TCP connection 79674 for outside:192.168.10.1/54992 (192.168.10.1/54992)(LOCAL\User to inside:192.168.101.222/21 (192.168.101.222/21)

Kind of still confused...
OK, I believe all is working. Thank you ITGuy565 for all your help.
Awesome! Good to hear, Brian. What was the delay you were experiencing and how did you resolve it?
There is still a delay, but I think it's network-related and not connection-related, if that makes sense. I was able to get an FTP prompt to the server by upping the timeout of the client. But really, this is a DR site, so I'd rather have a 30 to 45 second delay on the login being presented than nothing at all, and in all seriousness I would throttle the bandwidth at that point anyway, which would help that.

Looking at the logs on both sides, there isn't anything being logged. I may at some point put a sniffer on this side of the tunnel to see if it's reporting anything odd, but for now I'm calling this done.
Sounds good. If you decide to troubleshoot the delay and need assistance with it, feel free to reach back out to us!
When you get a moment, please close out the question.

Thanks,
Thank you for your help. Much, much appreciated!