[c-nsp] best way to get around IPSEC subnet Conflicts.

Anton Yurchenko phila at cascopoint.com
Mon Aug 15 18:51:55 EDT 2011


Yeah, I am familiar with that problem; I never had to deal with so many 
firewall flavors until I worked at that job.

I used to do NAT on my VPN gateway. It was not an ASA but a 7300 box, but I 
think it should behave in a similar fashion.
If my memory is not failing me, we did static NAT because most of the 
traffic was B2B types of applications. A couple of times we did source NAT too, 
I believe.

Check out this link; it is very helpful in understanding what comes after what 
in the NAT/ACL/IPsec world, so that you know what to match on:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


On 8/15/2011 9:42 AM, Brent Roberts wrote:
> I have and it's working across about 7 sites currently. Trouble is that the
> same people that have 192.168.X.X always have the same dinky firewalls that
> won't do source (one-to-one) NAT across a VPN tunnel. The setup is heavy
> outbound (on our side) with a lot of ERP printing to specific printers.
> Already done the multiple inline networks setup as well.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anton Yurchenko
> Sent: Monday, August 15, 2011 9:12 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] best way to get around IPSEC subnet Conflicts.
>
>
> Have you considered Source NATing remote side networks? It works fine for
> most applications.
>
> On 8/12/2011 12:53 PM, Brent Roberts wrote:
>> I am looking for the best way to get around IP conflicts (on the far
>> side) in a fully redundant hardware solution. I am working in a large
>> scale hosted application environment and every 5th or so customer has
>> the same RFC1918 address that every other small shop has. I have a
>> pair of ASA 5520s (SEC-K9, 8.2(2) in A/S) and it seems that I am
>> either missing something or it may not be possible due to IPsec
>> priority. I typically use set reverse-route and redistribute static
>> via OSPF to the L3 core.
>>
>> I was thinking about moving to a 6509 with redundant Sup720s and
>> using IPsec-aware VRFs (1x 7600-SSC-400 / 2x SPA-IPSEC-2G) to get
>> around this limitation. Any feedback on this idea? Negatives/positives
>> of this setup? I am only looking to move about 100 meg aggregate of
>> IPsec traffic.
>>
>>
>> Thoughts welcome on and off list.
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
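The problem the thread is circling, as an added example that is not code from the thread, from Cisco or from either poster: a small Python model (standard-library `ipaddress` only) of why two customers who both use the same 192.168.x.x range cannot share one IPsec gateway's crypto map, and how a per-customer one-to-one translation plan (applied on the remote side, or kept apart per VRF as the original post considers) makes tunnel selection unambiguous again. The customer names, peer addresses, remote networks, the hosted 10.0.0.0/16 range and the 10.200.0.0/16 translation pool are all constructed; nothing here is ASA or IOS configuration syntax.

```python
# Added example (not from the thread): model overlapping remote RFC1918 subnets
# on one IPsec gateway and a one-to-one translation plan that resolves them.
# All addresses, customer names and the pool are constructed for illustration.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed hosted-side network; the translation pool must not collide with it.
HOSTED = ipaddress.ip_network("10.0.0.0/16")

# Constructed tunnel table in crypto-map sequence order:
# (customer, peer address, remote network as the customer really numbers it).
TUNNELS: List[Tuple[str, str, str]] = [
    ("acme", "203.0.113.10", "192.168.1.0/24"),
    ("bolt", "203.0.113.20", "192.168.1.0/24"),  # same range as acme
    ("cobb", "203.0.113.30", "172.16.5.0/24"),
]


def find_overlaps(tunnels: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Report every pair of customers whose remote networks overlap."""
    nets = [(name, ipaddress.ip_network(net)) for name, _, net in tunnels]
    found = []
    for i, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                found.append((a_name, b_name))
    return found


def select_tunnel(tunnels: List[Tuple[str, str, str]], dst: str) -> Optional[str]:
    """First-match crypto-map evaluation on the destination address.

    With duplicate remote ranges the lowest sequence number always wins, so the
    second customer's traffic is silently sent down the first customer's tunnel.
    """
    d = ipaddress.ip_address(dst)
    for name, _, net in tunnels:
        if d in ipaddress.ip_network(net):
            return name
    return None


def plan_translations(tunnels: List[Tuple[str, str, str]], pool: str) -> Dict[str, ipaddress.IPv4Network]:
    """Give each remote network a unique mapped block of the same size from pool.

    This is the one-to-one (static) NAT plan: the remote side presents its hosts
    at the mapped addresses, so crypto ACLs match on unique prefixes instead of
    the colliding real ones.
    """
    pool_net = ipaddress.ip_network(pool)
    if pool_net.overlaps(HOSTED):
        raise ValueError("translation pool collides with hosted network")
    plan: Dict[str, ipaddress.IPv4Network] = {}
    taken: List[ipaddress.IPv4Network] = []
    for name, _, net in tunnels:
        real = ipaddress.ip_network(net)
        for candidate in pool_net.subnets(new_prefix=real.prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                plan[name] = candidate
                taken.append(candidate)
                break
        else:
            raise ValueError(f"pool exhausted before {name}")
    return plan


def translate(plan: Dict[str, ipaddress.IPv4Network], tunnels, customer: str, real_host: str) -> str:
    """One-to-one mapping: keep the host offset, swap the network prefix."""
    real_net = next(ipaddress.ip_network(net) for name, _, net in tunnels if name == customer)
    host = ipaddress.ip_address(real_host)
    if host not in real_net:
        raise ValueError(f"{real_host} is not in {customer}'s network {real_net}")
    offset = int(host) - int(real_net.network_address)
    return str(plan[customer].network_address + offset)


def mapped_tunnels(plan: Dict[str, ipaddress.IPv4Network], tunnels):
    """The tunnel table as the gateway sees it once translation is in place."""
    return [(name, peer, str(plan[name])) for name, peer, _ in tunnels]


if __name__ == "__main__":
    print("overlapping customers:", find_overlaps(TUNNELS))
    print("packet to 192.168.1.5 before translation selects:", select_tunnel(TUNNELS, "192.168.1.5"))
    plan = plan_translations(TUNNELS, "10.200.0.0/16")
    for name, net in plan.items():
        print(f"{name}: mapped to {net}")
    bolt_printer = translate(plan, TUNNELS, "bolt", "192.168.1.5")
    print("bolt's 192.168.1.5 is reached as", bolt_printer,
          "and selects tunnel", select_tunnel(mapped_tunnels(plan, TUNNELS), bolt_printer))
```

Running `find_overlaps` against a tunnel table before adding a new customer is the cheap check: any reported pair means a host on the hosted side can be routed to the wrong tenant, which is a confidentiality problem as much as a connectivity one. The planner deliberately hands out blocks of the same prefix length as the real network so that the translation stays strictly one-to-one and the host part of every address is preserved, which is what printer-style destinations need.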


