[c-nsp] cisco-nsp Digest, Vol 105, Issue 41

Christopher J. Wargaski wargo1 at gmail.com
Sat Aug 13 00:02:09 EDT 2011


Hey Brent--

   I used to manage ASAs for several customers and ran into this frequently
when they had IPsec LAN-to-LAN tunnels to their partners, software
developers and the like. I resolved this problem by translating the
destination subnet on my side of the tunnel. I just used another nat statement
for the host or subnet and did not have nat 0 entries.

   Make sense?

cjw


> Date: Fri, 12 Aug 2011 12:53:35 -0700
> From: Brent Roberts <brentrob at wirezsound.com>
> To: <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] best way to get around IPSEC subnet Conflicts.
> Message-ID: <011801cc5929$8f3f18f0$adbd4ad0$@wirezsound.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I am looking for the best way to get around IP conflicts (on the far side)
> in a fully redundant hardware solution. I am working in a large-scale hosted
> application environment and every fifth or so customer has the same RFC1918
> address space that every other small shop has. I have a pair of ASA 5520s
> (SEC-K9, 8.2(2), in A/S) and it seems that I am either missing something or
> it may not be possible due to IPsec priority. I typically use set
> reverse-route and redistribute static via OSPF to the L3 core.
>
> I was thinking about moving to a 6509 with redundant Sup720s and using
> IPsec-aware VRFs (1x 7600-SSC-400 / 2x SPA-IPSEC-2G) to get around this
> limitation. Any feedback on this idea? Negatives/positives of this setup? I
> am only looking to move about 100 meg aggregate of IPsec traffic.
>
> Thoughts welcome on and off list.
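Editor's note: the configuration below is an added worked example of the
approach in the reply above (translate the overlapping partner subnet on your
own side, no nat 0 exemption for that peer). It is not from either poster. It
uses pre-8.3 ASA NAT syntax to match the 8.2(2) in the question. All addresses
are constructed: our inside LAN is 192.168.1.0/24 and so is the partner's; we
present ourselves to the partner as 10.10.1.0/24 and reach the partner's hosts
as 10.20.1.0/24; 198.51.100.2 and 203.0.113.5 are the assumed tunnel endpoints
and the ACL, crypto map and transform-set names are arbitrary. The policy NAT
ACL destination is written as the inside hosts address it (the mapped
10.20.1.0/24), which is the convention the example assumes for 8.2; confirm it
on your own box with the packet-tracer lines at the end before relying on it.

```cisco
! Added example, not from the thread. ASA 8.2 (pre-8.3 NAT syntax).
! Constructed addressing:
!   our real inside LAN                 192.168.1.0/24  (overlaps partner)
!   partner's real LAN                  192.168.1.0/24
!   our LAN as the partner sees it      10.10.1.0/24    (unused on both sides)
!   partner LAN as our hosts reach it   10.20.1.0/24    (unused on our side)
!   our outside / partner peer          198.51.100.2 / 203.0.113.5

! 1. Outside NAT: the partner's 192.168.1.x (real, on outside) appears to
!    our inside hosts as 10.20.1.x. Because this is a static, the ASA also
!    diverts inside traffic for 10.20.1.0/24 out the outside interface even
!    though 192.168.1.0/24 is a connected route on inside.
static (outside,inside) 10.20.1.0 192.168.1.0 netmask 255.255.255.0

! 2. Policy static NAT for our source addresses, keyed on the destination as
!    our hosts address it. Only partner-bound traffic becomes 10.10.1.x; the
!    normal nat/global rules keep handling Internet egress.
access-list PARTNER-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 10.20.1.0 255.255.255.0
static (inside,outside) 10.10.1.0 access-list PARTNER-POLICY-NAT

! 3. The crypto ACL is evaluated on the outside interface after NAT, so it
!    names our MAPPED source and the partner's REAL destination. There is
!    deliberately no "nat (inside) 0 access-list ..." entry covering this
!    partner: exempting 192.168.1.0/24 would send it untranslated and the two
!    identical subnets would collide again.
access-list PARTNER-CRYPTO extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address PARTNER-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.5
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
! RRI now injects a route for the partner's real 192.168.1.0/24 toward the
! peer; your L3 core only ever sees 10.20.1.0/24, which is what you
! redistribute if you want the core to reach the partner.
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK

! 4. Verify NAT ordering and the crypto match before handing this to the
!    partner (constructed host/port values):
!   packet-tracer input inside tcp 192.168.1.10 1025 10.20.1.5 443
!   show xlate
!   show crypto ipsec sa peer 203.0.113.5
```

The partner configures the mirror image: their crypto ACL permits their real
192.168.1.0/24 to your mapped 10.10.1.0/24, and they route 10.10.1.0/24 toward
the tunnel. Nothing on their side needs to know your real addressing. For the
"every fifth customer" case in the question, give each such customer its own
pair of mapped ranges (10.20.1.0/24, 10.20.2.0/24, ...) and, since several
plain statics would all claim the same real 192.168.1.0/24 on the outside
interface, key the outside static on the address that customer uses for your
side instead (static (outside,inside) ... access-list, with an ACL of their
real source to their mapped view of you); treat that as the editor's suggested
extension and verify it with packet-tracer the same way.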
