IPSec VPN with overlapping subnets on ASA and router

Scenario-1 between Cisco routers:

192.168.1.0/24 –R1——R2–192.168.1.0/24

NAT is configured on R1 only; R2 carries no NAT at all. R1 needs two static network translations (plus ip nat inside on the LAN interface and ip nat outside on the WAN interface):

ip nat inside source static network 192.168.1.0 192.168.100.0 /24
ip nat outside source static network 192.168.1.0 192.168.200.0 /24

The first line presents R1's LAN to R2 as 192.168.100.0/24. The second presents R2's LAN to R1's own hosts as 192.168.200.0/24, so a host at site 1 reaches a site-2 host at 192.168.200.x, while a host at site 2 reaches a site-1 host at 192.168.100.x. Because IOS routes a packet before it applies the outside-source translation, R1 also needs a route for 192.168.200.0/24 pointing out of the WAN interface: a default route covers it, or append the add-route keyword to the outside-source statement.

Interesting traffic (the crypto ACL) on R1 uses the post-NAT addresses, because IOS translates inside-to-outside traffic before matching it against the crypto map: the translated local source and the real remote network.

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

Interesting traffic on R2 is the exact mirror image. R2 never sees 192.168.200.0/24, which exists only inside R1:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

If the two ACLs are not mirror images, Phase 2 fails on the proxy ID check. When it works, show crypto ipsec sa on R1 lists 192.168.100.0/24 as the local ident and 192.168.1.0/24 as the remote ident.
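Putting Scenario-1 together as an added example (this is not the original post's configuration): a complete R1 configuration that ties the NAT statements to the interface roles and an IKEv1 crypto map. The WAN addresses (203.0.113.1 for R1, 203.0.113.2 for R2), interface names, pre-shared key placeholder and cipher suite are assumptions. R2 needs the same crypto configuration with its own addresses, ACL 101 mirrored as above, and no NAT.

```cisco
! R1 - added example, not the original post's configuration.
! WAN addresses, interface names, the pre-shared key and ciphers are assumptions.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA256
 match address 101
!
interface GigabitEthernet0/0
 description LAN, overlapping 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN toward R2
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! Local LAN appears to R2 as 192.168.100.0/24 (inside source).
! R2's LAN appears to local hosts as 192.168.200.0/24 (outside source);
! add-route installs the route for 192.168.200.0/24, since routing runs
! before the outside-source translation on the inside-to-outside path.
ip nat inside source static network 192.168.1.0 192.168.100.0 /24
ip nat outside source static network 192.168.1.0 192.168.200.0 /24 add-route
!
! Crypto ACL uses post-NAT addresses: translated local source, real remote LAN.
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
```

To verify, ping a site-2 host from site 1 at its 192.168.200.x address. On R1, show ip nat translations should show the inside entry (192.168.1.x to 192.168.100.x) and the outside entry (192.168.200.x to 192.168.1.x), and show crypto ipsec sa should list 192.168.100.0/24 as the local ident and 192.168.1.0/24 as the remote ident with encaps and decaps counters increasing.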

Scenario-2 between Cisco ASAs:

On the ASA this is cleaner: it is done with Manual (twice) NAT, which I like to call conditional NAT because the translation applies only to traffic headed for the other site. Here both sides are translated, each to its own private /24, as follows:

192.168.1.0/24 –ASA-1——ASA-2–192.168.1.0/24

On ASA-1:

object network Site-1
 subnet 192.168.1.0 255.255.255.0
object network Site-1-VPN
 subnet 10.1.1.0 255.255.255.0
object network Site-2-VPN
 subnet 10.2.2.0 255.255.255.0
!
nat (inside,outside) source static Site-1 Site-1-VPN destination static Site-2-VPN Site-2-VPN

This translates the real LAN to 10.1.1.0/24 only when the destination is 10.2.2.0/24; the identity pair Site-2-VPN Site-2-VPN leaves the destination untouched. Site-1 hosts therefore address site-2 hosts as 10.2.2.x, and because static manual NAT is bidirectional, traffic arriving from the tunnel for 10.1.1.x is untranslated back to 192.168.1.x.

On ASA-2 the configuration is the mirror image:

object network Site-2
 subnet 192.168.1.0 255.255.255.0
object network Site-2-VPN
 subnet 10.2.2.0 255.255.255.0
object network Site-1-VPN
 subnet 10.1.1.0 255.255.255.0
!
nat (inside,outside) source static Site-2 Site-2-VPN destination static Site-1-VPN Site-1-VPN

Interesting traffic on ASA-1. The crypto ACL matches the translated source, since the ASA applies NAT before it checks the crypto map:

access-list VPN-ACL extended permit ip object Site-1-VPN object Site-2-VPN

Interesting traffic on ASA-2, the mirror image:

access-list VPN-ACL extended permit ip object Site-2-VPN object Site-1-VPN

The real 192.168.1.0/24 never appears in either crypto ACL or on the wire; only the 10.1.1.0/24 and 10.2.2.0/24 proxy identities are negotiated, so the overlap is invisible to IPSec.
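The same for Scenario-2 as an added example (not the original post's configuration): a complete ASA-1 configuration with the conditional NAT rule, the crypto ACL and an IKEv1 LAN-to-LAN crypto map. Interface names, the WAN addresses (203.0.113.1 for ASA-1, 203.0.113.2 for ASA-2), the pre-shared key placeholder and the cipher suite are assumptions. ASA-2 mirrors it with the Site-2 objects and ACL shown above.

```cisco
! ASA-1 - added example, not the original post's configuration.
! Interface names, WAN addresses, the pre-shared key and ciphers are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network Site-1
 subnet 192.168.1.0 255.255.255.0
object network Site-1-VPN
 subnet 10.1.1.0 255.255.255.0
object network Site-2-VPN
 subnet 10.2.2.0 255.255.255.0
!
! Conditional (manual) NAT: 192.168.1.0/24 becomes 10.1.1.0/24 only toward 10.2.2.0/24.
! It lands in NAT section 1, so it wins over any object (auto) NAT/PAT used for Internet access.
nat (inside,outside) source static Site-1 Site-1-VPN destination static Site-2-VPN Site-2-VPN
!
route outside 0.0.0.0 0.0.0.0 203.0.113.2
!
! Crypto ACL on translated (proxy) identities only.
access-list VPN-ACL extended permit ip object Site-1-VPN object Site-2-VPN
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-ACL
crypto map VPN-MAP 10 set peer 203.0.113.2
crypto map VPN-MAP 10 set ikev1 transform-set AES256-SHA
crypto map VPN-MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
```

Check the order of operations before bringing up the tunnel with packet-tracer input inside tcp 192.168.1.10 1025 10.2.2.10 443: the NAT phase should show the source rewritten to 10.1.1.10 and the VPN phase should match crypto map VPN-MAP, ending in ALLOW. Once traffic flows, show crypto ipsec sa should list 10.1.1.0/24 as the local ident and 10.2.2.0/24 as the remote ident. If the VPN phase is skipped, the usual cause is a dynamic PAT rule placed ahead of this one (for instance an after-auto manual NAT moved into section 1), which rewrites the source before the crypto ACL can match it.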
