Advanced VPN Solution Help (ASA 5500)

Let's build this one up.

I have an ASA with an internet connection (Public IP). I want to establish a L2L VPN with a remote site. The inside network of the ASA is 10.1.1.0/24, and the remote site internal IP scheme is 10.2.2.0/24. With this setup host 10.1.1.10/24 can reach host 10.2.2.10/24. Now, I establish a second L2L with a remote site of internal IP 10.3.3.0/24. Still no problems reaching anyone, right?

Now let's say a third L2L is established, and the internal IP is 10.1.0.0/16. And I need to talk from the inside of the ASA to host 10.1.1.20/16. This will not work, correct? Because of the overlapping IPs? Or will it? What if the third network was also a /24, any difference?

I have read (never used) that with a router you can do this with VRFs, so maybe that would be a solution?

Any input is appreciated. Thank you.

Anthony


You can get the networks to communicate using address translation. Instead of using nat 0 access-list naming the remote network,

static (inside,outside) 10.3.1.0 10.1.1.0 netmask 255.255.255.0 dns
static (outside,inside) 10.4.0.0 10.1.0.0 netmask 255.255.0.0 dns

and have the crypto map match address access-list say

access-list SomeName permit ip 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0

If I've got that right, then when your inside machines address a packet to 10.4.x.y it will be rewritten to be addressed to 10.1.x.y on its way out, and at the same time, your inside 10.1.1.z addresses in the source fields will be rewritten to be 10.3.1.z addresses. The other end would not need to do any address translation, but it would need to know that your machines will show up as 10.3.1.z machines. The other end will not see the 10.4.x.y addresses at all in this setup.

When the other end replies to the 10.3.1.z addresses and those packets come back through the VPN, the 10.3.1.z destination addresses on the packets will be rewritten as 10.1.1.z destinations, and the 10.1.x.y source addresses in the packets will be rewritten as 10.4.x.y sources. Full symmetry.

With the 'dns' keyword in place, any DNS queries that run through the link should get automatically adjusted. But if you happen to be conversing with the other end and they talk about a particular host IP that they don't have a DNS record set up for, then you need to substitute the 4 in as the second octet when you go to ping (or whatever) the remote host.

I don't know if the situation improved after PIX 6, but the situation that this would *not* work in, is if you are using NETBIOS (udp 137 and kin) to communicate between the sites. PIX 6 does not translate IPs in the data portion of NETBIOS packets, so the internal IPs "leak", especially if your local site is talking to PDCs on the remote site. MS Exchange 2000 and before are particularly prone to wanting to use NETBIOS, if you are using NT Authentication and haven't switched over to LDAP. It is amazing how many different ways MS found to transmit your internal IP address and share it with other machines :( :(

Walter Roberson
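
Added example, not part of either post: a small Python model of the two-way static translation described in the reply, useful for checking an addressing plan before touching the firewall. The network values come from the thread; the function names and the pre-flight check against the other two tunnels are assumptions made for this illustration.

```python
import ipaddress as ip

# Values from the thread.
LOCAL_REAL = ip.ip_network("10.1.1.0/24")    # inside hosts behind the ASA
LOCAL_MAPPED = ip.ip_network("10.3.1.0/24")  # how the third site sees them
REMOTE_REAL = ip.ip_network("10.1.0.0/16")   # third site's real addresses
REMOTE_ALIAS = ip.ip_network("10.4.0.0/16")  # how inside hosts address it
OTHER_PEERS = [ip.ip_network("10.2.2.0/24"), ip.ip_network("10.3.3.0/24")]

def remap(addr, src_net, dst_net):
    """Net-to-net static NAT: keep the host bits, swap the prefix."""
    a = ip.ip_address(addr)
    if a not in src_net:
        return None
    return str(dst_net.network_address + (int(a) - int(src_net.network_address)))

def outbound(src, dst):
    """Inside -> tunnel. None means the packet is not tunnel traffic."""
    new_src = remap(src, LOCAL_REAL, LOCAL_MAPPED)
    new_dst = remap(dst, REMOTE_ALIAS, REMOTE_REAL)
    if new_src is None or new_dst is None:
        return None
    return new_src, new_dst  # matches the crypto ACL 10.3.1.0/24 -> 10.1.0.0/16

def inbound(src, dst):
    """Tunnel -> inside: the mirror image of outbound()."""
    new_src = remap(src, REMOTE_REAL, REMOTE_ALIAS)
    new_dst = remap(dst, LOCAL_MAPPED, LOCAL_REAL)
    if new_src is None or new_dst is None:
        return None
    return new_src, new_dst

def alias_conflicts():
    """Alias ranges must not collide with any network already in use."""
    in_use = [LOCAL_REAL, REMOTE_REAL] + OTHER_PEERS
    return [(str(a), str(n)) for a in (LOCAL_MAPPED, REMOTE_ALIAS)
            for n in in_use if a.overlaps(n)]

if __name__ == "__main__":
    print("real ranges overlap:", LOCAL_REAL.overlaps(REMOTE_REAL))
    print("alias conflicts:", alias_conflicts())
    print("out:", outbound("10.1.1.10", "10.4.1.20"))
    print("back:", inbound("10.1.1.20", "10.3.1.10"))
    # Addressing the real remote IP directly never enters the tunnel:
    print("unaliased:", outbound("10.1.1.10", "10.1.1.20"))
```
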
