site-to-site problems.

220 pts.
Tags:
ASA
Client
LAN
Network
Network management
VPN
WAN
I've recently had a need to connect 2 networks, but both networks have the exact same IP scheme. We need one computer on one side to connect to the server at the remote site, but that server has the same IP as the database server on the computer's side. How will I be able to connect a site-to-site WAN, or will I need to set up VPN software on the computer, make a route through the ASA to NAT the private IP into a public IP and use the VPN software? I've always heard that the software will not work on the inside of an ASA, but I may be wrong. I thought I would seek help before diving head first and crashing networks =D


Don’t worry, this is a common problem when connecting two organisations together, or two networks that have been configured in isolation.

On the WAN routers you can NAT the IP addresses of the remote site, so that site A thinks the other site (Site B) has a different IP address schema, and Site B thinks that Site A has a different IP address schema. This can be done on a network basis, so you don’t need to know all the individual host addresses. If it is just one host on one site accessing one server on the other, then it is even easier.

You don’t need to use VPN connections or anything like that. By the way, they will work on the inside, it is not a common use, but it does work with the correct config.

If you are using directory services, then you may need to play with these to get the correct addresses, but if services are accessed by IP address, then you just need the NAT.

The obvious solution is to re-address one of the sites, but I guess that is politically difficult!

If you need more help in actually achieving this, then post more here, but you may find it better to hire a local consultant who can do the work for you, and will have better visibility of the entire networks.

Discuss This Question: 7 Replies
  • Madpawn
    Thanks for the quick post! I would love to hire someone, but I'm it lol. The only reason I don't re-scheme one side is that both sides have multiple site-to-site VPNs and there are a lot of dependencies per VPN on the private IP scheme. The only major equipment to configure is an ASA 5505 and an ASA 5510; that's all I've got to work with. I'd NAT the server from SITE B to an external IP, but we've sadly run out of them... I'm not looking forward to reconfiguring 6 other remote sites just to add more external IPs. My boss mentioned that if I set up one of the private interfaces to have 2 internal IPs (keep the current 192.168.X.X scheme and put the other as a 10.X.X.X scheme) this would work, but I've never done that... I guess I'm looking for the best route to get these networks connected. All we need is to have 2 computers from SITE A communicate and work with SITE B's server. Once again, SITE B's server has the same IP as SITE B's DATABASE server.
    220 points
  • BlankReg
    I know the situation, I have been there many times :-) The buck stops here. If the ASA is terminating the connection between the sites, that is fine. I assume that at each end this link is connected to the interface called DMZ. You don't need external IP addresses, just make some up for this purpose. If it is the ASA, then I think you only need the following lines to NAT. So the new IP subnet for site A is 192.168.99.0/24 and the new IP subnet for site B is 192.168.100.0/24 (if you already use these, then choose some other numbers - it really doesn't matter provided they are unique).

    On Site A:

        access-list Source-Addr-NAT extended permit ip any host {New-IP-of-Site-B-Server}
        global (DMZ) 1 {new-IP-range-start}-{new-IP-range-finish} netmask 255.255.255.0
        nat (inside) 1 access-list Source-Addr-NAT
        route DMZ 192.168.100.0 255.255.255.0 {IP of site B ASA DMZ}

    The first three lines NAT the address of the source, the PCs, to something else. This should be some addresses that are not used anywhere on the network. The last line routes this to the Site B ASA.

    On Site B:

        static (inside,DMZ) {New-Address} {real-address-of-Site-B-Server} netmask 255.255.255.255
        route DMZ 192.168.99.0 255.255.255.0 {IP of site A ASA DMZ}

    The first line NATs the address of the Site B server to something else, which needs to be in the 192.168.100.0/24 range. The other line routes the source-NATted traffic back to site A. I hope that is OK, and you can follow my explanation? If it is not clear I will try to explain it again if you can identify the bit that is not clear (probably all of it!!). It might help if you can sketch a quick diagram, and also say how the sites will be connected together; if it is a VPN, that changes the commands slightly (use outside instead of DMZ, and the VPN config will use the new NAT address ranges, rather than have route commands).
    12,325 points
  • Madpawn
    Thx for the help BlankReg, but see, the private IP schemes are exactly the same... for this to ever work through the ASAs I'm going to have to change 1 IP scheme, aren't I? And just a note, I've not even begun setting this up yet. I'm just looking for the best route to do this so 1 or both networks do not crash and burn lol.
    220 points
  • Madpawn
    Both site A and site B are using the private 192.168.0.X/24 scheme.
    220 points
  • BlankReg
    The whole point of the NAT is that each network thinks the other has a different IP address range. The ASA will translate this so each side only 'sees' the NAT address and not the 'real' address. First you do need to decide how the two networks will connect together; leased line or VPN are the likely options. Then use the config I posted earlier to translate the source and destination addresses, and then there is no clash. It does work. I do this all the time on the network I am responsible for; we connect to about 20 different customer networks to provide remote support, and some have the same addresses, so we have to do this to make all of them accessible.
    12,325 points
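As an added illustration (not BlankReg's or the thread's own code), this Python model walks one request and its reply through the two translations BlankReg describes in the replies above: dynamic source NAT on the site A ASA and the static NAT on the site B ASA. The subnets and host addresses are constructed to match the thread (both sites on 192.168.0.0/24, mapped ranges 192.168.99.0/24 and 192.168.100.0/24); the class and function names are mine, and the overlap check models the "choose numbers you don't already use" caveat.

```python
import ipaddress

# Constructed scenario from the thread: both sites really use 192.168.0.0/24.
SITE_A_REAL = SITE_B_REAL = "192.168.0.0/24"
SITE_A_MAPPED = "192.168.99.0/24"   # site A as seen from site B
SITE_B_MAPPED = "192.168.100.0/24"  # site B as seen from site A

def mapped_ranges_ok(real_nets, mapped_nets):
    """Caveat check: mapped ranges must be disjoint from every real subnet and from each other."""
    real = [ipaddress.ip_network(n) for n in real_nets]
    mapped = [ipaddress.ip_network(n) for n in mapped_nets]
    for i, m in enumerate(mapped):
        if any(m.overlaps(r) for r in real) or any(m.overlaps(o) for o in mapped[i + 1:]):
            return False
    return True

class DynamicSourceNat:
    """Site A ASA: 'nat (inside) 1 access-list ...' + 'global (DMZ) 1 <pool>' (dynamic source NAT)."""
    def __init__(self, pool):
        self.free = list(ipaddress.ip_network(pool).hosts())
        self.table = {}  # mapped -> real, kept so replies can be untranslated
    def outbound(self, src, dst):
        mapped = next((m for m, r in self.table.items() if r == src), None)
        if mapped is None:
            mapped = self.free.pop(0)
            self.table[mapped] = src
        return mapped, dst
    def inbound(self, src, dst):  # reply from site B: undo the source translation
        return src, self.table[dst]

class StaticNat:
    """Site B ASA: 'static (inside,DMZ) <mapped> <real> netmask 255.255.255.255'."""
    def __init__(self, mapped, real):
        self.mapped, self.real = mapped, real
    def inbound(self, src, dst):  # request from site A aimed at the mapped address
        return src, (self.real if dst == self.mapped else dst)
    def outbound(self, src, dst):  # the server's reply leaves with the mapped source
        return (self.mapped if src == self.real else src), dst

def round_trip(pc, server_real, server_mapped):
    """Walk one request and reply through both firewalls; return what each end sees."""
    pc, real, mapped = (ipaddress.ip_address(x) for x in (pc, server_real, server_mapped))
    a, b = DynamicSourceNat(SITE_A_MAPPED), StaticNat(mapped, real)
    s1, d1 = a.outbound(pc, mapped)  # leaves site A with a 192.168.99.x source
    s2, d2 = b.inbound(s1, d1)       # arrives at the server on its real address
    s3, d3 = b.outbound(d2, s2)      # reply leaves site B as 192.168.100.x
    s4, d4 = a.inbound(s3, d3)       # reply reaches the PC on its real address
    return {"seen_by_server": (str(s2), str(d2)), "seen_by_pc": (str(s4), str(d4))}
```

Even when the PC and the server share the identical real address, neither LAN ever sees the other's 192.168.0.x addresses, which is why local traffic is untouched.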
  • Madpawn
    Will doing this have an effect on how all the local machines see each other on both ends?
    220 points
  • BlankReg
    The machines on each LAN will communicate locally exactly as they always have done. The configuration is only relevant to traffic passing between the two sites.
    12,325 points