Tuesday, 27 October 2009

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets

Here is another lab where both sites use the same subnet, and we want to establish a LAN-to-LAN (L2L) VPN between them.

Here is the lab:

5 comments:

Tom said...

That looks like a tough scenario. What is the solution if you don't mind me asking?

I think if the VPN is done on the router, which is my understanding of the diagram and description, then I think there is a way to set up a NAT to translate the other network's addresses as different addresses. It's been quite a while since I've read on that though.

Roggy said...

Of course I don't mind!
You pretty much have it: you create 2 virtual subnets that have a 1-to-1 NAT mapping for the hosts.
@site1:
192.168.1.100 -> 192.168.101.100
@site2:
192.168.1.100 -> 192.168.102.100

Therefore users connect to the translated address.

The solution is here:
http://roggyblog.blogspot.com/2009/10/pixasa-site-to-site-l2l-vpn-with_27.html

Hope that helps :)
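To make the mapping in the comment above concrete, here is an added Python model of the two static translations and the crypto ACL (not code from the post or from the linked solution, and not ASA syntax). It assumes each site maps its real 192.168.1.0/24 to the virtual subnet given above and that the tunnel's interesting traffic is defined only between the two virtual subnets.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scenario from the comment thread (assumption: /24 at both sites):
#   site1: real 192.168.1.0/24 <-> virtual 192.168.101.0/24
#   site2: real 192.168.1.0/24 <-> virtual 192.168.102.0/24
# The VPN only ever sees the virtual subnets, so the overlap never hits the tunnel.

@dataclass(frozen=True)
class StaticNat:
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network

    def outbound(self, ip):
        """Real -> mapped for traffic leaving the inside interface (1-to-1)."""
        if ip in self.real:
            return self.mapped.network_address + (int(ip) - int(self.real.network_address))
        return ip

    def inbound(self, ip):
        """Mapped -> real for traffic arriving from the tunnel (1-to-1)."""
        if ip in self.mapped:
            return self.real.network_address + (int(ip) - int(self.mapped.network_address))
        return ip

SITE1 = StaticNat(ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.101.0/24"))
SITE2 = StaticNat(ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.102.0/24"))
# Crypto ACL modelled symmetrically: virtual subnet of one site to virtual subnet of the other.
CRYPTO_ACL = (SITE1.mapped, SITE2.mapped)

def send(src_site, dst_site, src, dst):
    """Return (verdict, source seen in the tunnel, destination delivered to)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in src_site.real:
        # Same subnet as the sender: the host resolves it locally, the firewall never sees it.
        return ("local", src, dst)
    src_t = src_site.outbound(src)
    interesting = (src_t in CRYPTO_ACL[0] and dst in CRYPTO_ACL[1]) or \
                  (src_t in CRYPTO_ACL[1] and dst in CRYPTO_ACL[0])
    if not interesting:
        return ("dropped", src_t, dst)  # not matched by the crypto ACL, not encrypted
    return ("delivered", src_t, dst_site.inbound(dst))

if __name__ == "__main__":
    # Users at site1 address the site2 host by its translated address 192.168.102.100.
    print(send(SITE1, SITE2, "192.168.1.100", "192.168.102.100"))
    # Addressing the real 192.168.1.x at the other site stays on the local LAN.
    print(send(SITE1, SITE2, "192.168.1.100", "192.168.1.200"))
```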

Mary Shane said...

I have gotten the IAS setup and when I test the authentication it is successful but when I tried to actually use it to authenticate a VPN session it doesn't even send a request to the IAS. Any ideas?

Mary Shane said...

This comment has been removed by the author.

Roggy said...

Hi Mary,

Check your radius (AAA) config on the PIX/ASA box.
This might help you a little:
http://roggyblog.blogspot.com/2010/03/wired-8021x-port-authentication-with.html