setting up a VPN tunnel with overlapping private IP addresses on Cisco ASA

Mike Rahl

Jan 10, 2007, 3:38:33 PM
Hi, everyone

I was wondering if you guys could give me a hand with something. I
have a client who needs to set up a secure VPN tunnel between his ASA
5520 and a PIX 515 for another company in order to give 2 specific
computers on each side access to each other.

The problem is, on each side, the IP addresses are the exact same.
Example: 1 computer on each side has the IP address 10.10.10.1/16, and
the other computer on each side has 10.10.10.2/16, thus causing an
overlap.

I want to be able to set up a VPN tunnel on each side to give each
machine access to the other. I cannot install a router behind either
firewall (as the client doesn't have a spare).

I had thought of NATting the client's private range addresses of
10.10.10.1 and .2 to a single public address (which the client is able
to supply me with), then establishing a VPN tunnel on each side only
publishing the public IP address through the tunnel. On each side,
rules would be set up so that any queries to that specific public
address would be directed to the appropriate private IP address. Each
machine would only send queries to the public IP address. The only
problem is, I'm not exactly sure how to configure it.

Does anyone have an idea how to configure this?

Thanks very much!

response3

Jan 11, 2007, 3:08:45 PM
Do it exactly as you would using private IPs, but don't include a NAT
0 statement, and use public IPs in your interesting traffic
statements. Here's a sample of what you need (Not sure about the ASA
b/c it runs PIX OS 7.x)

access-list VPN_ACL permit ip host <local NAT'd IP> host <remote NAT'd IP>

! This static may or may not be needed. If not, then the workstation
! will use the NAT pool or PAT as defined, and the remote VPN box
! will need to know this pool in its interesting traffic ACL.

static (inside,outside) <Desired NAT'd Public IP> <LAN IP> netmask 255.255.255.255 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map vpn_map 80 ipsec-isakmp
crypto map vpn_map 80 match address VPN_ACL
crypto map vpn_map 80 set peer 1.1.1.1
crypto map vpn_map 80 set transform-set ESP-3DES-SHA
crypto map vpn_map interface outside

isakmp enable outside

isakmp key <xxxxxxxxx> address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

Hope that helps.

-Brian
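The same design written out for both ends in ASA 7.x syntax, since the sample above is PIX 6.x and the thread asks about an ASA 5520. This is an added example, not Brian's or Mike's config, and it assumes ASA 7.2 command syntax; the addresses are constructed from the RFC 5737 documentation ranges (192.0.2.x for the two outside interfaces, 198.51.100.x and 203.0.113.x for the per-host public addresses each side publishes through the tunnel), and the pre-shared key is a placeholder. If the PIX 515 is on 6.x, side B keeps Brian's syntax with these mirrored addresses.

```cisco
! ---- Side A: ASA 5520, 7.x syntax (assumed) ----
! Constructed addressing:
!   Side A outside 192.0.2.1          Side B outside 192.0.2.2
!   Side A 10.10.10.1 -> 198.51.100.1  Side B 10.10.10.1 -> 203.0.113.1
!   Side A 10.10.10.2 -> 198.51.100.2  Side B 10.10.10.2 -> 203.0.113.2
! Neither 198.51.100.0/30 nor 203.0.113.0/30 exists on either LAN, so
! no routing or crypto decision on either firewall ever sees a 10.10.10.x
! address belonging to the other side.

! Interesting traffic is defined on the translated addresses only. One
! /30-to-/30 entry keeps a single, exactly mirrored proxy identity on
! each side; only hosts that have a static below are actually reachable.
access-list VPN_ACL extended permit ip 198.51.100.0 255.255.255.252 203.0.113.0 255.255.255.252

! One-to-one statics: 10.10.10.1 leaves as 198.51.100.1, and packets
! arriving from the tunnel for 198.51.100.1 are delivered to 10.10.10.1.
! Deliberately no "nat (inside) 0" exemption for these hosts: the
! translation must be applied before the crypto map is evaluated.
static (inside,outside) 198.51.100.1 10.10.10.1 netmask 255.255.255.255
static (inside,outside) 198.51.100.2 10.10.10.2 netmask 255.255.255.255

! Phase 2 proposal and crypto map, same shape as the PIX sample
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpn_map 80 match address VPN_ACL
crypto map vpn_map 80 set peer 192.0.2.2
crypto map vpn_map 80 set transform-set ESP-3DES-SHA
crypto map vpn_map interface outside

! Phase 1
crypto isakmp enable outside
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! On 7.x the pre-shared key lives in the tunnel-group, not "isakmp key"
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

! 7.1+ spelling of "sysopt connection permit-ipsec": decrypted tunnel
! traffic bypasses the outside interface access list.
sysopt connection permit-vpn

! ---- Side B: the mirror image (only the lines that differ) ----
access-list VPN_ACL extended permit ip 203.0.113.0 255.255.255.252 198.51.100.0 255.255.255.252
static (inside,outside) 203.0.113.1 10.10.10.1 netmask 255.255.255.255
static (inside,outside) 203.0.113.2 10.10.10.2 netmask 255.255.255.255
crypto map vpn_map 80 set peer 192.0.2.1
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>
```

Each workstation talks only to the other side's published address (side A's 10.10.10.1 reaches side B's 10.10.10.1 as 203.0.113.1), so the hosts' own overlapping subnet is never a destination that crosses the tunnel. A quick check on either ASA is that "show crypto ipsec sa" reports the 198.51.100.0/30 and 203.0.113.0/30 pair as local and remote identities and never a 10.10.10.0 prefix; if it does, a NAT exemption is still matching before the static.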