Tuesday, 27 October 2009

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets

Here is another lab where we have the same subnet at each site, and we want to be able to establish a Lan to Lan VPN between them.

Here is the lab:

5 comments:

Tom said...

That looks like a tough scenario. What is the solution if you don't mind me asking?

I think if the VPN is done on the router, which is my understanding of the diagram and description, then I think there is a way to setup a NAT to translate the other networks address as a different address. It's been quite awhile since I've read on that though.

Roggy said...

Of course I dont mind!
You pretty much have it, you create 2 virtual subnets that have a 1 to 1 nat mapping for the hosts.
@site1:
192.168.1.100 -> 192.168.101.100
@site2:
192.168.1.100 -> 192.168.102.100

Therefore users connect to the translated address.

The solution is here:
http://roggyblog.blogspot.com/2009/10/pixasa-site-to-site-l2l-vpn-with_27.html

Hope that helps :)

Mary said...

I have gotten the IAS setup and when I test the authentication it is successful but when I tried to actually use it to authenticate a VPN session it doesn't even send a request to the IAS. Any ideas?

VPN

Mary said...
This comment has been removed by the author.
Roggy said...

Hi Mary,

Check your radius (AAA) config on the PIX/ASA box.
This might help you a little:
http://roggyblog.blogspot.com/2010/03/wired-8021x-port-authentication-with.html