Q:
site-to-site problems.
I've recently had a need to connect 2 networks, but both networks have the exact same IP scheme. We need one computer on one side to connect to the server at the remote site, but that server has the same IP as the database server on the computer's side.

How will I be able to connect a site-to-site WAN, or will I need to set up VPN software on the computer, make a route through the ASA to NAT the private IP into a public IP and use the VPN software?

I've always heard that the software will not work on the inside of an ASA, but I may be wrong. I thought I would seek help before diving head first and crashing networks =D
ASKED: Jun 23 2009  1:41 PM GMT
A:
Don't worry, this is a common problem when connecting two organisations together, or two networks that have been configured in isolation.

On the WAN routers you can NAT the IP addresses of the remote site, so that site A thinks the other site (Site B) has a different IP address schema, and Site B thinks that Site A has a different IP address schema. This can be done on a network basis, so you don't need to know all the individual host addresses. If it is just one host on one site accessing one server on the other, then it is even easier.

You don't need to use VPN connections or anything like that. By the way, they will work on the inside, it is not a common use, but it does work with the correct config.

If you are using directory services, then you may need to play with these to get the correct addresses, but if services are accessed by IP address, then you just need the NAT.

The obvious solution is to re-address one of the sites, but I guess that is politically difficult!

If you need more help in actually achieving this, then post more here, but you may find it better to hire a local consultant who can do the work for you, and will have better visibility of the entire networks.
Last Answered: Jun 23 2009  1:58 PM GMT by BlankReg   11270 pts.
Discuss This Answer:

Madpawn   215 pts.  |   Jun 23 2009  2:25PM GMT

Thanks for the quick post! I would love to hire someone, but I’m it lol. The only reason I don’t re-scheme one side is due to both sides having multiple site-to-site VPNs and there are a lot of dependencies per VPN on the private IP scheme.

The only major equipment to configure is an ASA 5505 and an ASA 5510, that’s all I’ve got to work with.

I’d NAT the Server from SITE B to an external IP, but we’ve sadly run out of them… I’m not looking forward to reconfiguring 6 other remote sites just to add more external IPs.

My boss mentioned that if I set up one of the private interfaces to have 2 internal IPs (have the current 192.168.X.X scheme and put the other as a 10.X.X.X scheme) this would work, but I’ve never done that…

I guess I’m looking for the best route to get these networks connected. All we need is to have 2 computers from SITE A communicate and work with SITE B’s server. Once again, SITE B’s server has the same IP as SITE B’s DATABASE server.

BlankReg   11270 pts.  |   Jun 23 2009  4:23PM GMT

I know the situation, I have been there many times :-) The buck stops here.

If the ASA is terminating the connection between the sites, that is fine. I assume that at each end this link is connected to the interface called DMZ.

You don’t need external IP addresses, just make some up for this purpose. If it is the ASA, then I think you only need the following lines to NAT.

So the new IP subnet for site A is 192.168.99.0/24 and the new IP subnet for site B is 192.168.100.0/24 (if you already use these, then choose some other numbers - it really doesn’t matter provided they are unique).

On Site A

access-list Source-Addr-NAT extended permit ip any host {New-IP-of-Site-B-Server}
global (DMZ) 1 {new-IP-range-start}-{new-IP-range-finish} netmask 255.255.255.0
nat (inside) 1 access-list Source-Addr-NAT

route DMZ 192.168.100.0 255.255.255.0 {IP of site B ASA DMZ}

The first three lines NAT the address of the source, the PCs, to something else. This should be some addresses that are not used anywhere on the network. The last line routes this to the Site B ASA.

On Site B

static (inside,DMZ) {New-Address} {real-address-of-Site-B-Server} netmask 255.255.255.255

route DMZ 192.168.99.0 255.255.255.0 {IP of site A ASA DMZ}

The first line NATs the address of the Site-B server to something else which needs to be in the 192.168.100.0/24 range.
The other line routes the source-natted traffic back to site A.

I hope that is OK, and you can follow my explanation? If it is not clear I will try to explain it again if you can identify the bit that is not clear (probably all of it!!).

It might help if you can sketch a quick diagram, and also say how the sites will be connected together, if it is a VPN, that changes the commands slightly (use outside instead of DMZ, and the VPN config will use the new NAT address ranges, rather than have route commands).
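The translation described in this answer, modelled in Python as an added illustration (this is not code from the thread and not Cisco ASA code; it only mimics what the `nat`/`global` and `static` lines do to a packet's addresses). The addresses are constructed assumptions: both LANs are 192.168.0.0/24, the Site B server is really 192.168.0.10 and is published as 192.168.100.10, the Site A PCs are 192.168.0.50 and .51, and the Site A pool is 192.168.99.0/24. The model also carries the two checks a practitioner wants before touching the ASAs: that no real (overlapping) address ever appears on the inter-site link, and that the made-up NAT ranges do not overlap the LAN or each other.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology (illustration only, not from the thread).
LAN = ip_network("192.168.0.0/24")              # the same range on both sites
SITE_A_MAPPED = ip_network("192.168.99.0/24")   # 'global (DMZ) 1 <pool>' on Site A
SITE_B_MAPPED = ip_network("192.168.100.0/24")  # the 'static' address must fall in here
SERVER_REAL = ip_address("192.168.0.10")        # {real-address-of-Site-B-Server}
SERVER_MAPPED = ip_address("192.168.100.10")    # {New-Address} in the 'static' line


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


class SiteAAsa:
    """Site A: 'nat (inside) 1 access-list Source-Addr-NAT' + 'global (DMZ) 1 <pool>'.
    Dynamic source NAT for traffic whose destination is the server's mapped address."""

    def __init__(self, pool: IPv4Network):
        self.pool = list(pool.hosts())
        self.xlate: dict[IPv4Address, IPv4Address] = {}    # real src -> mapped src
        self.reverse: dict[IPv4Address, IPv4Address] = {}  # mapped src -> real src

    def inside_to_dmz(self, pkt: Packet):
        # ACL 'permit ip any host <mapped server>': only this traffic is translated and carried.
        if pkt.dst != SERVER_MAPPED:
            return None
        if pkt.src not in self.xlate:
            mapped = self.pool[len(self.xlate)]  # next free pool address
            self.xlate[pkt.src] = mapped
            self.reverse[mapped] = pkt.src
        return replace(pkt, src=self.xlate[pkt.src])

    def dmz_to_inside(self, pkt: Packet):
        # Replies are only accepted for an existing translation slot; anything else is dropped.
        if pkt.dst not in self.reverse:
            return None
        return replace(pkt, dst=self.reverse[pkt.dst])


class SiteBAsa:
    """Site B: 'static (inside,DMZ) <mapped> <real> netmask 255.255.255.255'."""

    def __init__(self, mapped: IPv4Address, real: IPv4Address):
        self.mapped, self.real = mapped, real

    def dmz_to_inside(self, pkt: Packet):
        return replace(pkt, dst=self.real) if pkt.dst == self.mapped else None

    def inside_to_dmz(self, pkt: Packet):
        return replace(pkt, src=self.mapped) if pkt.src == self.real else None


def trace(asa_a: SiteAAsa, asa_b: SiteBAsa, pc_real: IPv4Address) -> dict:
    """Request from a Site A PC to the server and the reply, as seen at each hop."""
    request = Packet(pc_real, SERVER_MAPPED)       # the PC addresses the server by its NAT name
    link_req = asa_a.inside_to_dmz(request)        # source translated into the Site A pool
    at_server = asa_b.dmz_to_inside(link_req)      # destination translated to the real server
    reply = Packet(at_server.dst, at_server.src)   # the server answers the address it saw
    link_rep = asa_b.inside_to_dmz(reply)          # server's real address hidden again
    at_pc = asa_a.dmz_to_inside(link_rep)          # pool address mapped back to the PC
    return {"link_request": link_req, "at_server": at_server,
            "link_reply": link_rep, "at_pc": at_pc}


def link_is_clean(hops: dict) -> bool:
    """Defender's check: no real (overlapping) LAN address appears on the inter-site link."""
    on_link = (hops["link_request"], hops["link_reply"])
    return all(p.src not in LAN and p.dst not in LAN for p in on_link)


def mapped_ranges_ok(*ranges: IPv4Network) -> bool:
    """The made-up NAT ranges must not overlap the LAN or each other ('choose unique numbers')."""
    nets = [LAN, *ranges]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    asa_a, asa_b = SiteAAsa(SITE_A_MAPPED), SiteBAsa(SERVER_MAPPED, SERVER_REAL)
    print("ranges ok:", mapped_ranges_ok(SITE_A_MAPPED, SITE_B_MAPPED))
    for pc in ("192.168.0.50", "192.168.0.51"):
        hops = trace(asa_a, asa_b, ip_address(pc))
        print(pc, {k: f"{v.src}->{v.dst}" for k, v in hops.items()}, "clean:", link_is_clean(hops))
```

Running it shows the point of the answer: the server only ever sees 192.168.99.x as the client, the PC only ever sees 192.168.100.10 as the server, and 192.168.0.x never crosses the link in either direction, so the two identical LANs never meet. The `dmz_to_inside` method on Site A also shows why unsolicited traffic from Site B to the pool range goes nowhere: with no translation slot there is no inside host to deliver it to.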

Madpawn   215 pts.  |   Jun 23 2009  5:14PM GMT

thx for the help BlankReg, but see the private IP schemes are exactly the same… for this to ever work through the ASAs I’m going to have to change 1 IP scheme, aren’t I?

And just a note, I’ve not even begun setting this up yet. I’m just looking for the best route to do this so 1 or both networks do not crash and burn lol.

Madpawn   215 pts.  |   Jun 23 2009  5:37PM GMT

Both site A and site B are using the private 192.168.0.X/24 scheme.

BlankReg   11270 pts.  |   Jun 23 2009  10:24PM GMT

The whole point of the NAT is that each network thinks the other has a different IP address range. The ASA will translate this so each side only 'sees' the NAT address and not the 'real' address.

First you do need to decide how the two networks will connect together; leased line or VPN are the likely options. Then use the config I posted earlier to translate the source and destination addresses, and then there is no clash.

It does work. I do this all the time on the network I am responsible for, we connect to about 20 different customer networks to provide remote support, and some have the same addresses, so we have to do this to make all of them accessible.

Madpawn   215 pts.  |   Jun 25 2009  1:52PM GMT

Will doing this have an effect on how all the local machines see each other on both ends?

BlankReg   11270 pts.  |   Jun 25 2009  10:31PM GMT

The machines on each LAN will communicate locally exactly as they always have done. The configuration is only relevant to traffic passing between the two sites.
