I have an ASA with an internet connection (Public IP). I want to establish a L2L VPN with a remote site. The inside network of the ASA is 10.1.1.0/24, and the remote site internal IP scheme is 10.2.2.0/24. With this setup host 10.1.1.10/24 can reach host 10.2.2.10/24. Now, I establish a second L2L with a remote site of internal IP 10.3.3.0/24. Still no problems reaching anyone, right?

Now let's say a third L2L is established, and the internal IP is 10.1.0.0/16. And I need to talk from the inside of the ASA to host 10.1.1.20/16. This will not work, correct? Because of the overlapping IPs? Or will it? What if the third network was also a /24, any difference?
I have read (never used) that with a router you can do this with VRFs, so maybe that would be a solution?
If I've got that right, then when your inside machines address a packet to 10.4.x.y it will be rewritten to be addressed to 10.1.x.y on its way out, and at the same time, your inside 10.1.1.z addresses in the source fields will be rewritten to be 10.3.1.z addresses. The other end would not need to do any address translation, but it would need to know that your machines will show up as 10.3.1.z machines. The other end will not see the 10.4.x.y addresses at all in this setup.
When the other end replies to the 10.3.1.z addresses and those packets come back through the VPN, the 10.3.1.z destination addresses on the packets will be rewritten as 10.1.1.z destinations, and the 10.1.x.y source addresses in the packets will be rewritten as 10.4.x.y sources. Full symmetry.
With the 'dns' keyword in place, any DNS queries that run through the link should get automatically adjusted. But if you happen to be conversing with the other end and they talk about a particular host IP that they don't have a DNS record set up for, then you need to substitute the 4 in as the second octet when you go to ping (or whatever) the remote host.
I don't know if the situation improved after PIX 6, but the situation that this would *not* work in, is if you are using NETBIOS (udp 137 and kin) to communicate between the sites. PIX 6 does not translate IPs in the data portion of NETBIOS packets, so the internal IPs "leak", especially if your local site is talking to PDCs on the remote site. MS Exchange 2000 and before are particularly prone to wanting to use NETBIOS, if you are using NT Authentication and haven't switched over to LDAP. It is amazing how many different ways MS found to transmit your internal IP address and share it with other machines :( :(
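To check the thread's reasoning before touching the firewall, here is an added Python model (not from either poster, and not ASA configuration) of the three tunnels and the static NAT scheme the answer describes. It flags which subnets actually collide, confirms the chosen mapped ranges (assumed here as 10.3.1.0/24 and 10.4.0.0/16) collide with nothing, and shows that the outbound rewrite and the inbound rewrite of the reply are exact inverses.

```python
import ipaddress

# Constructed scenario from the thread: our inside network plus three remote
# sites, the third of which overlaps our own address space.
INSIDE = ipaddress.ip_network("10.1.1.0/24")
REMOTES = {
    "siteA": ipaddress.ip_network("10.2.2.0/24"),
    "siteB": ipaddress.ip_network("10.3.3.0/24"),
    "siteC": ipaddress.ip_network("10.1.0.0/16"),
}
# Static NAT plan from the answer; the mapped ranges are assumed values.
LOCAL_REAL, LOCAL_MAPPED = INSIDE, ipaddress.ip_network("10.3.1.0/24")
REMOTE_REAL, REMOTE_MAPPED = REMOTES["siteC"], ipaddress.ip_network("10.4.0.0/16")

def find_overlaps(nets):
    """Return every pair of named networks whose address space collides.
    A remote subnet overlapping the inside network (or another remote) cannot be
    routed unambiguously; the mapped ranges must also be collision-free."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def translate(addr, real, mapped):
    """One-to-one static NAT: move addr from `real` into `mapped`, host bits kept.
    Addresses outside `real` pass through untouched."""
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        return addr
    return str(mapped.network_address + (int(ip) - int(real.network_address)))

def outbound(src, dst):
    """Inside -> tunnel. Policy NAT: only traffic addressed to the 10.4.x.y alias
    of the overlapping site is rewritten; siteA/siteB keep real addresses."""
    if ipaddress.ip_address(dst) not in REMOTE_MAPPED:
        return src, dst
    return translate(src, LOCAL_REAL, LOCAL_MAPPED), translate(dst, REMOTE_MAPPED, REMOTE_REAL)

def inbound(src, dst):
    """Tunnel -> inside: the exact inverse, so the reply lands on the original host."""
    if ipaddress.ip_address(src) not in REMOTE_REAL:
        return src, dst
    return translate(src, REMOTE_REAL, REMOTE_MAPPED), translate(dst, LOCAL_MAPPED, LOCAL_REAL)

if __name__ == "__main__":
    print(find_overlaps({"inside": INSIDE, **REMOTES}))  # [('inside', 'siteC')]
    print(find_overlaps({"inside": INSIDE, **REMOTES,
                         "mapped-local": LOCAL_MAPPED, "mapped-remote": REMOTE_MAPPED}))
    pkt = outbound("10.1.1.10", "10.4.1.20")  # ('10.3.1.10', '10.1.1.20')
    print(pkt, inbound(pkt[1], pkt[0]))       # reply maps back to ('10.4.1.20', '10.1.1.10')
```

Note that this only models the IP headers; as the answer points out, addresses carried inside the payload (NetBIOS and similar) are not rewritten by this kind of NAT.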