Tuesday, 27 October 2009

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets

Here is another lab where we have the same subnet at each site, and we want to be able to establish a LAN-to-LAN VPN between them.

Here is the lab:


Tom said...

That looks like a tough scenario. What is the solution if you don't mind me asking?

I think if the VPN is done on the router, which is my understanding of the diagram and description, then I think there is a way to set up a NAT to translate the other network's address as a different address. It's been quite a while since I've read on that though.

Roggy said...

Of course I don't mind!
You pretty much have it: you create 2 virtual subnets that have a 1-to-1 NAT mapping for the hosts.
@site1: ->
@site2: ->

Therefore users connect to the translated address.

The solution is here:

Hope that helps :)
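The two-virtual-subnet approach from the comment above, written out as an added example for one side of the tunnel (this is not the lab's own config). Assumed: ASA 8.3+ twice-NAT syntax, a real inside subnet of 192.168.1.0/24 at both sites, site 1 presenting itself as 10.1.1.0/24, site 2 as 10.2.2.0/24, and a peer address of 203.0.113.2; site 2 is the mirror image with the object names swapped.

```cisco
! Site 1 ASA - real inside subnet and the two virtual (translated) subnets
object network SITE1-REAL
 subnet 192.168.1.0 255.255.255.0
object network SITE1-VIRTUAL
 subnet 10.1.1.0 255.255.255.0
object network SITE2-VIRTUAL
 subnet 10.2.2.0 255.255.255.0
! 1:1 static NAT, applied only when the destination is site 2's virtual subnet,
! so normal internet traffic keeps whatever NAT it already has
nat (inside,outside) source static SITE1-REAL SITE1-VIRTUAL destination static SITE2-VIRTUAL SITE2-VIRTUAL
! The crypto ACL must match the translated addresses, never 192.168.1.0/24,
! otherwise both peers propose identical proxy IDs and traffic is black-holed
access-list L2L-SITE2 extended permit ip object SITE1-VIRTUAL object SITE2-VIRTUAL
crypto map OUTSIDE-MAP 10 match address L2L-SITE2
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
! Check: a site 1 host reaching a site 2 host by its virtual address should show
! the NAT phase translating 192.168.1.10 to 10.1.1.10 and then hit the VPN phase
packet-tracer input inside tcp 192.168.1.10 1025 10.2.2.10 80
```

Users at site 1 reach site 2 hosts as 10.2.2.x (and site 2 users reach site 1 as 10.1.1.x); the last octet is preserved by the 1:1 mapping, so 192.168.1.10 at site 2 is 10.2.2.10 from site 1's point of view.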

Mary said...

I have gotten the IAS set up, and when I test the authentication it is successful, but when I try to actually use it to authenticate a VPN session it doesn't even send a request to the IAS. Any ideas?


Roggy said...

Hi Mary,

Check your RADIUS (AAA) config on the PIX/ASA box.
This might help you a little: