IPSec pfSense to ASA 5505: Overlapping Subnets



  • Good morning,

    I am attempting to set up a pfSense box between our main office and a few branch offices that we have begun providing services for.  There are about 12 sites total, and 50% of them are using the same subnet as us, 192.168.111.0/24.

    Is it possible to set up an L2L VPN between pfSense and the ASA at each of these offices?  I am looking to be able to give the subnet behind the pfSense box access to just 1 server in each of the branch offices.  With 2.1 is it possible to set up something like this, or am I wasting my time?

    Thank you.



  • In 2.1, there is an option to NAT the local network on the phase two. I'll be trying it out in a week or two when I replace a 5510 with clustered pfSense boxes. You can also NAT on IPSec on the ASAs if you need to.



  • So it is theoretically possible to connect our local subnet (192.168.111.0/24), once NAT'd to (10.10.10.0/24), to a remote single host (192.168.111.205) that is NAT'd to (10.10.100.205).

    Thank you.
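A planning check for the NAT'd design above, added here as an example and not code from the thread: it applies pfSense-style 1:1 translation (host bits kept, network bits swapped) to the addresses named in the post and flags any collision between the real and translated ranges, including reused translated ranges across several branch sites. The function names and the multi-site input shape are my own assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


def binat_translate(addr: str, real_net: str, nat_net: str) -> ipaddress.IPv4Address:
    """1:1 translation: keep the host bits of addr, swap the network bits."""
    real, nat = IPv4Net(real_net), IPv4Net(nat_net)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("1:1 NAT needs real and translated networks of equal size")
    ip = ipaddress.IPv4Address(addr)
    if ip not in real:
        raise ValueError(f"{ip} is not inside {real}")
    host_bits = int(ip) - int(real.network_address)
    return nat.network_address + host_bits


def check_nat_plan(local_real: str, local_nat: str,
                   remote_real: str, remote_nat: str) -> List[str]:
    """Return the reasons one tunnel's NAT plan is unusable (empty list = fine)."""
    lr, ln = IPv4Net(local_real), IPv4Net(local_nat)
    rr, rn = IPv4Net(remote_real), IPv4Net(remote_nat)
    problems: List[str] = []
    if lr.prefixlen != ln.prefixlen or rr.prefixlen != rn.prefixlen:
        problems.append("1:1 NAT requires real and translated networks of equal size")
    # The translated networks become the phase 2 selectors, so they must not overlap.
    if ln.overlaps(rn):
        problems.append(f"translated networks overlap: {ln} vs {rn}")
    # Local hosts route to the remote NAT range; it must not look like the local LAN.
    if rn.overlaps(lr):
        problems.append(f"remote NAT range {rn} collides with local LAN {lr}")
    # Remote hosts route to the local NAT range; it must not look like their LAN.
    if ln.overlaps(rr):
        problems.append(f"local NAT range {ln} collides with remote LAN {rr}")
    return problems


def check_sites(local_real: str, local_nat: str,
                sites: List[Tuple[str, str, str]]) -> List[str]:
    """sites = [(name, remote_real, remote_nat), ...]; also rejects reused NAT ranges."""
    problems: List[str] = []
    seen: Dict[str, IPv4Net] = {}
    for name, rr, rn in sites:
        problems += [f"{name}: {p}" for p in check_nat_plan(local_real, local_nat, rr, rn)]
        for other, onet in seen.items():
            if IPv4Net(rn).overlaps(onet):
                problems.append(f"{name}: NAT range {rn} overlaps {other}'s {onet}")
        seen[name] = IPv4Net(rn)
    return problems


# Values from the thread: our LAN and the single branch server, both in 192.168.111.x.
SITE_PLAN = ("192.168.111.0/24", "10.10.10.0/24", "192.168.111.205/32", "10.10.100.205/32")
```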



  • For the sake of your sanity (speaking from bitter experience) change the remote subnets.

    I spent years using NAT to work around just this issue, and with sites daisy-chained together over private circuits I'd got NAT(NAT(NAT)) going on in some cases!  It took me about a day to completely renumber each LAN (about 65-70 PCs each + servers, switches, printers, router(s), etc) - I wish I'd done it years ago!

