Netgate Discussion Forum
    IPSec pfSense to ASA 5505: Overlapping Subnets

    Category: IPsec. 4 Posts, 3 Posters, 2.3k Views
    • abeauchamp

      Good morning,

      I am attempting to set up a pfSense box between our main office and a few branch offices that we have begun providing services for. There are about 12 sites total, and 50% of them are using the same subnet as us, 192.168.111.0/24.

      Is it possible to set up a L2L VPN between pfSense and the ASA at each of these offices? I am looking to be able to give the subnet behind the pfSense box access to just 1 server in each of the branch offices. With 2.1 is it possible to set up something like this, or am I wasting my time?

      Thank you.

    • dotdash

        In 2.1, there is an option to NAT the local network on the phase two. I'll be trying it out in a week or two when I replace a 5510 with clustered pfSense boxes. You can also NAT on IPsec on the ASAs if you need to.

    • abeauchamp

          So it is theoretically possible to connect our local subnet (192.168.111.0/24), once NATed to 10.10.10.0/24, to a remote single host (192.168.111.205) that is NATed to 10.10.100.205?

          Thank you.

    • jonallport
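Worked example of the mapping asked about above (added here; it is not any poster's code and not pfSense's own implementation). It assumes pfSense applies the phase 2 NAT to the local subnet and the ASA applies a matching translation to its server, as dotdash describes; the address values are the ones from this thread.

```python
import ipaddress


def binat(addr, original_net, translated_net):
    """1:1 (BINAT) translation: keep the host bits, swap the network prefix.

    A 1:1 mapping only works when both networks have the same prefix length.
    """
    original_net = ipaddress.ip_network(original_net)
    translated_net = ipaddress.ip_network(translated_net)
    if original_net.prefixlen != translated_net.prefixlen:
        raise ValueError("BINAT requires equal prefix lengths")
    addr = ipaddress.ip_address(addr)
    if addr not in original_net:
        raise ValueError(f"{addr} is not inside {original_net}")
    host_bits = int(addr) - int(original_net.network_address)
    return ipaddress.ip_address(int(translated_net.network_address) + host_bits)


def overlaps(net_a, net_b):
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


def plan(local_net, local_nat, remote_host, remote_nat):
    """Phase 2 traffic selectors before and after the translation.

    With the raw addresses the remote host falls inside the local LAN, so the
    pfSense box would treat it as on-link and never send it into the tunnel.
    After NAT the selectors are disjoint and the SA can be negotiated.
    """
    remote_selector = f"{remote_nat}/32"
    return {
        "raw_overlap": overlaps(local_net, f"{remote_host}/32"),
        "local_selector": local_nat,
        "remote_selector": remote_selector,
        "selectors_overlap": overlaps(local_nat, remote_selector),
    }


def describe_flow(client_addr, local_net, local_nat, remote_host, remote_nat):
    """What one local client must send and what the remote server sees."""
    src_on_wire = str(binat(client_addr, local_net, local_nat))
    return {
        "client_sends_to": remote_nat,      # clients must use the translated address
        "tunnel_src": src_on_wire,          # pfSense rewrites the source before ESP
        "tunnel_dst": remote_nat,           # ASA maps this back to remote_host
        "server_sees_src": src_on_wire,     # return traffic goes to the NAT address
    }
```

Clients on the pfSense side reach the branch server as 10.10.100.205, and the server sees them as 10.10.10.x; the real 192.168.111.x addresses never cross the tunnel.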

            For the sake of your sanity (speaking from bitter experience) change the remote subnets.

            I spent years using NAT to work around just this issue, and with sites daisy-chained together over private circuits I'd got NAT(NAT(NAT)) going on in some cases! It took me about a day to completely renumber each LAN (about 65-70 PCs each + servers, switches, printers, router(s), etc.) - I wish I'd done it years ago!
