Site to Site VPN with NAT

jimmyguns

Honorable
Oct 22, 2012
5
0
10,510
Hello,
I have run into a situation where I have two partners that are using the same LAN address. I need to set up a site to site IPSec VPN for both of them and would like to do most of the heavy lifting on my ASA 5540.

I have one tunnel established already using my normal method of adding the following lines to my router
! PARTNER A
! AAA = access list number
! LLL.LLL.LLL.LLL = partner's local LAN network address
! PPP.PPP.PPP.PPP = partner's public IP address

access-list AAA extended permit ip 10.0.0.0 255.255.255.0 LLL.LLL.LLL.LLL 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 LLL.LLL.LLL.LLL 255.255.255.0
crypto map ACME AAA match address AAA
crypto map ACME AAA set peer PPP.PPP.PPP.PPP
crypto map ACME AAA set transform-set 3sha
crypto map ACME AAA set security-association lifetime seconds 28800
crypto map ACME AAA set security-association lifetime kilobytes 4608000
tunnel-group PPP.PPP.PPP.PPP type ipsec-l2l
tunnel-group PPP.PPP.PPP.PPP ipsec-attributes
 pre-shared-key kaker876987JKAS

Partner B is using the same LLL.LLL.LLL.LLL, so how would I go about making sure the traffic is routed to the correct tunnel? Would that occur just by creating an additional crypto map and then matching it to the address in a different access list? Sorry if this is confusing; I'm a little confused myself. Do I need to do any NATting on my end to accomplish this goal? I'm not sure if it matters, but traffic will not need to route between the two partners. Thanks for any and all help!
You can only partially fix it, since if you need end-machine-to-end-machine communication, one or the other is going to have to use a different name. For example, say you have 10.10.10.10 on both sides. If you told the machine to go to 10.10.10.10, it would think it should talk to itself. The burden of knowing the NAT address will unfortunately have to be on the users to a point.

This is a good Cisco link that shows how to do NAT with IPsec. You only have to NAT one end.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

jimmyguns

Perhaps I was a little unclear. I understand that I will need to NAT one of our partners. I am wondering if that can be done on my end as the "hub" for the two spokes with matching networks.
Ah, my favorite topic to get a headache from: Cisco and "NAT order of operation".

I know you can do it, but I can't find a clean example; most involve PAT types of NAT.

First, you want to use a network type of NAT, i.e. 10.0.0.1 goes to 10.100.0.1 and 10.0.0.2 goes to 10.100.0.2.

Now, if I remember correctly, you must define the IPsec interesting traffic going to the remote site you are NATting to match the address, assuming that NAT has already occurred. You must also place a dummy static route in so the IP block you are NATting to appears to go out the interface that goes to the customer.

The more I think about this, maybe this won't work if you are using the same interface to go to both customers. I suspect you are going to have to use some tricky policy routing to make it appear as 2 different interfaces.

I would recommend you post this question on the Cisco security forums, where you will find people who know much more than I do. I would also recommend you post a small diagram to avoid the same questions I had.
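As an added example (not from this thread, the ASA docs or the linked Cisco page) of what the hub-side NAT described in the reply above can look like when both partners sit behind the same outside interface. It goes one step beyond the reply: besides mapping each partner's LAN to its own range for hub users, the hub's own source is translated toward Partner B, so the two crypto ACLs are distinct and the ASA can select the right tunnel without policy routing. Assumptions: ASA 8.3+ object NAT syntax, a constructed partner subnet 192.168.50.0/24 standing in for LLL.LLL.LLL.LLL, constructed mapped ranges 10.101.0.0/24, 10.102.0.0/24 and 10.200.0.0/24, and placeholders A_PUB, B_PUB and the PSKs.

```cisco
! Added example, not from this thread. Assumes ASA 8.3+ (object-based NAT).
! Constructed values: 192.168.50.0/24 stands in for the LAN both partners use,
! 10.101/24 and 10.102/24 are what hub users dial to reach A and B,
! 10.200/24 is how Partner B sees the hub. A_PUB, B_PUB, <PSK-*> are placeholders.
object network LOCAL_LAN
 subnet 10.0.0.0 255.255.255.0
object network PARTNER_REAL
 subnet 192.168.50.0 255.255.255.0
object network PARTNER_A_MAPPED
 subnet 10.101.0.0 255.255.255.0
object network PARTNER_B_MAPPED
 subnet 10.102.0.0 255.255.255.0
object network LOCAL_MAPPED_B
 subnet 10.200.0.0 255.255.255.0
!
! Twice NAT, evaluated top down and bidirectional: inside hosts send to
! 10.101.x or 10.102.x and the ASA rewrites the destination to the real
! 192.168.50.x before the crypto map check. Toward B the hub's own source is
! also rewritten to 10.200.x so the two interesting-traffic ACLs differ.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static PARTNER_A_MAPPED PARTNER_REAL
nat (inside,outside) source static LOCAL_LAN LOCAL_MAPPED_B destination static PARTNER_B_MAPPED PARTNER_REAL
!
! Crypto ACLs must match post-NAT addresses (NAT happens before encryption).
access-list VPN_A extended permit ip object LOCAL_LAN object PARTNER_REAL
access-list VPN_B extended permit ip object LOCAL_MAPPED_B object PARTNER_REAL
!
crypto map ACME 10 match address VPN_A
crypto map ACME 10 set peer A_PUB
crypto map ACME 10 set transform-set 3sha
crypto map ACME 20 match address VPN_B
crypto map ACME 20 set peer B_PUB
crypto map ACME 20 set transform-set 3sha
tunnel-group A_PUB type ipsec-l2l
tunnel-group A_PUB ipsec-attributes
 pre-shared-key <PSK-A>
tunnel-group B_PUB type ipsec-l2l
tunnel-group B_PUB ipsec-attributes
 pre-shared-key <PSK-B>
!
! Partner A keeps its crypto ACL as 192.168.50.0/24 <-> 10.0.0.0/24;
! Partner B must configure 192.168.50.0/24 <-> 10.200.0.0/24 and address
! hub hosts as 10.200.0.x (the "burden on the users" noted above).
! Verify the NAT hit and tunnel selection before going live, e.g.:
!   packet-tracer input inside tcp 10.0.0.5 1234 10.102.0.7 80
```

Because the same real partner subnet appears in both NAT rules, keep the rules in this order and check `show nat detail` hit counts after testing each direction, since a packet matching rule A will never be evaluated against rule B.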