Tuesday, 27 October 2009

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets

Here is another lab where both sites use the same subnet (192.168.1.0/24 at each end), and we want to be able to establish a LAN-to-LAN (L2L) VPN between them.

Here is the lab:

5 comments:

  1. That looks like a tough scenario. What is the solution if you don't mind me asking?

    I think if the VPN is done on the router, which is my understanding of the diagram and description, then I think there is a way to set up a NAT to translate the other network's address as a different address. It's been quite a while since I've read on that though.

  2. Of course I don't mind!
    You pretty much have it, you create 2 virtual subnets that have a 1-to-1 NAT mapping for the hosts.
    @site1:
    192.168.1.100 -> 192.168.101.100
    @site2:
    192.168.1.100 -> 192.168.102.100

    Therefore users connect to the translated address.

    The solution is here:
    http://roggyblog.blogspot.com/2009/10/pixasa-site-to-site-l2l-vpn-with_27.html

    Hope that helps :)

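For readers who want to see what the two virtual subnets from the comment above look like on the box, here is an added example (my own, not the blog's config and not the one in the linked solution post) in PIX/ASA 7.x to 8.2 syntax, i.e. the pre-8.3 NAT model. It goes slightly beyond the single host in the comment and translates the whole /24 at each site: Site 1 presents its 192.168.1.0/24 to Site 2 as 192.168.101.0/24, and Site 2 presents its 192.168.1.0/24 to Site 1 as 192.168.102.0/24. The peer addresses 203.0.113.1 and 203.0.113.2, the interface names inside and outside, the ACL and crypto map names, and the pre-shared key placeholder are all assumptions.

```cisco
! Added example, not the blog's own configuration. ASA/PIX 7.x-8.2 (pre-8.3 NAT) syntax.
! Both LANs are 192.168.1.0/24. Assumed: Site 1 outside = 203.0.113.1, Site 2 outside = 203.0.113.2,
! interface names inside/outside, object names, and the pre-shared key placeholder.

!===== Site 1 (outside 203.0.113.1): real 192.168.1.0/24 appears to Site 2 as 192.168.101.0/24 =====
! Policy static NAT: the LAN is translated only when it talks to Site 2's virtual subnet,
! so Internet-bound traffic keeps whatever NAT it has today. Reply traffic that arrives
! through the tunnel for 192.168.101.x is un-translated back to 192.168.1.x by the same static.
access-list L2L-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
static (inside,outside) 192.168.101.0 access-list L2L-NAT

! Crypto ACL: on the ASA NAT happens before the crypto map is evaluated for outbound
! packets, so "interesting traffic" is written with the TRANSLATED addresses on both ends.
! Do not add a nat 0 (NAT exemption) entry for this traffic, or the translation never happens.
access-list L2L-VPN extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0

! Phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Phase 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

!===== Site 2 (outside 203.0.113.2): mirror image, real 192.168.1.0/24 appears as 192.168.102.0/24 =====
access-list L2L-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
static (inside,outside) 192.168.102.0 access-list L2L-NAT
access-list L2L-VPN extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <shared-secret>
```

With this in place a host at Site 1 reaches its twin at Site 2 by addressing 192.168.102.100, never 192.168.1.100 (which is still a local address at both ends), so users and any DNS records have to use the virtual subnet. The two crypto ACLs must be exact mirror images or Phase 2 fails with a proxy-identity mismatch. To confirm the order of operations before bringing the tunnel up, run `packet-tracer input inside icmp 192.168.1.100 8 0 192.168.102.100` on Site 1: the output should show the NAT phase rewriting the source to 192.168.101.100 and then the VPN encrypt phase matching `L2L-VPN`. If you would rather translate the LAN unconditionally, `static (inside,outside) 192.168.101.0 192.168.1.0 netmask 255.255.255.0` does the same job without the policy ACL, at the cost of also affecting non-VPN traffic.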
  3. I have gotten the IAS setup and when I test the authentication it is successful but when I tried to actually use it to authenticate a VPN session it doesn't even send a request to the IAS. Any ideas?

    VPN

  4. This comment has been removed by the author.

  5. Hi Mary,

    Check your radius (AAA) config on the PIX/ASA box.
    This might help you a little:
    http://roggyblog.blogspot.com/2010/03/wired-8021x-port-authentication-with.html
