I. Overview:
When both ends of a LAN-to-LAN IPsec VPN use overlapping private address ranges, the two sides cannot reach each other directly; NAT has to be configured so that each side sees the other as a distinct network. On a router, the relative priority of static NAT and dynamic PAT cannot be adjusted, so once static NAT is configured for the VPN, the translated hosts can no longer reach the public network. The only workaround on a router is PBR, using two separately configured NAT methods to separate Internet-bound PAT traffic from VPN static NAT traffic. ASA 8.3 and later support twice NAT, which can match on both source and destination. This test shows how twice NAT on ASA 8.4 solves the address-overlap problem. Reference: https://supportforums.cisco.com/docs/DOC-13429.
Testing also showed that when a PIX 8.0 establishes an L2L IPsec VPN with a router and the address overlap is resolved on the PIX side alone, the hosts behind the PIX can no longer reach the public network through it. The reason is the same as on the router: static NAT takes priority, and the PIX cannot use PBR to steer traffic to a loopback interface (PIX 8.0 does not support loopback interfaces at all).
II. Basic ideas:
A. Use the fact that NAT is applied before IPsec: configure twice NAT on the ASA 8.4 so that the two intranets can reach each other.
B. Because the twice NAT rule matches on the destination, which is the other side's (translated) private network, it can coexist with the dynamic PAT rule used for public-network access.
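The following ASA 8.4 configuration is an added example that illustrates ideas A and B; it is not taken from the original page or from the Cisco reference document. It assumes that the branch intranet is also 10.1.1.0/24 (the overlap described above), that the branch is presented to headquarters as 172.16.2.0/24 and headquarters to the branch as 172.16.1.0/24, and that the object names, ACL name, crypto map name and peer address 202.100.1.20 are chosen for illustration. The interface names Inside and Outside match the ASA configuration later on the page.

```text
! Added example, not the page's own configuration. Mapped networks
! 172.16.1.0/24 and 172.16.2.0/24, object/ACL/crypto map names and the
! peer 202.100.1.20 are assumptions made for this illustration.
object network HQ-REAL
 subnet 10.1.1.0 255.255.255.0
object network HQ-MAPPED
 subnet 172.16.1.0 255.255.255.0
object network BRANCH-REAL
 subnet 10.1.1.0 255.255.255.0
object network BRANCH-MAPPED
 subnet 172.16.2.0 255.255.255.0
!
! Idea A: twice NAT (manual NAT, evaluated first). Headquarters hosts
! address branch hosts as 172.16.2.x. Before encryption the ASA rewrites
! source 10.1.1.x -> 172.16.1.x and destination 172.16.2.x -> 10.1.1.x;
! the static rule is bidirectional, so decrypted branch-initiated traffic
! is translated back the same way.
nat (Inside,Outside) 1 source static HQ-REAL HQ-MAPPED destination static BRANCH-MAPPED BRANCH-REAL
!
! Idea B: dynamic PAT for public-network access is placed after the
! twice NAT rule (after-auto = section 3), so it only matches traffic
! that is not destined to the branch's mapped network.
nat (Inside,Outside) after-auto source dynamic any interface
!
! The crypto ACL matches post-NAT addresses: headquarters mapped network
! to the branch's real network. IKE policy and transform set are omitted.
access-list VPN-TRAFFIC extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 202.100.1.20
```

On the router side the mirror-image crypto ACL permits 10.1.1.0/24 to 172.16.1.0/24, and branch hosts reach headquarters hosts at 172.16.1.x; no NAT is needed on the router, so its Internet PAT is unaffected. A useful check on the ASA is `packet-tracer input Inside tcp 10.1.1.2 1234 172.16.2.10 80`, which should show the twice NAT rule being hit and the packet leaving through the VPN rather than the dynamic PAT rule.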
III. Test topology:
IV. Basic configuration:
A. Headquarters server router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B. Headquarters ASA 8.4(2) firewall:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shutdown
route Outside 0.0.0.0 0.0.0.0 202.100.1.10