overlapping subnets L2L VPN configuration problems

hmongstrong — Tue, 12 Mar 2019 04:46:12 GMT

I just cannot get it to work. I need devices on siteA to connect to devices on siteB, both with overlapping IP's. Then if I am at siteA and want to ping siteB server at 10.10.10.100, what IP do I ping?

I hope I make sense, because L2L vpn is kicking my butt with these overlapping subnets. Thanks!

siteA:

: Saved
:
ASA Version 8.0(2)
!
------------------
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.5
vlan 5
nameif DOMAIN
security-level 100
ip address 10.50.5.1 255.255.255.0
!
interface Ethernet0/1.99
vlan 99
nameif HP_MGMT
security-level 100
ip address 10.50.99.1 255.255.255.0
!
interface Ethernet0/1.100
vlan 100
nameif WIRED
security-level 100
ip address 10.50.2.1 255.255.255.0
!
interface Ethernet0/1.101
vlan 101
nameif WIRELESS
security-level 100
ip address 10.50.3.1 255.255.255.0
!
interface Ethernet0/1.1005
vlan 1005
nameif Pelco_MGMT
security-level 100
ip address 10.100.5.2 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.1
vlan 1
nameif S2
security-level 100
ip address 10.10.10.1 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
security-level 100
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.50.0.1 255.255.255.0
management-only
!
------------------
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list L2LAccessList extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SRC_Translation extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
pager lines 24
------------------
mtu outside 1500
mtu DOMAIN 1500
mtu HP_MGMT 1500
mtu WIRED 1500
mtu WIRELESS 1500
mtu Pelco_MGMT 1500
mtu S2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any HP_MGMT
icmp permit any WIRELESS
icmp permit any S2
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DOMAIN) 1 0.0.0.0 0.0.0.0
nat (WIRED) 1 0.0.0.0 0.0.0.0
nat (WIRELESS) 1 0.0.0.0 0.0.0.0
nat (S2) 1 10.10.0.0 255.255.0.0
static (DOMAIN,outside) tcp interface https 10.50.5.5 https netmask 255.255.255.255
static (WIRELESS,outside) tcp interface 3389 10.50.3.49 3389 netmask 255.255.255.255
static (S2,WIRELESS) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (S2,DOMAIN) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (WIRED,WIRELESS) 10.50.2.0 10.50.2.0 netmask 255.255.255.0
static (HP_MGMT,WIRELESS) 10.50.99.0 10.50.99.0 netmask 255.255.255.0
static (Pelco_MGMT,WIRELESS) 10.100.5.0 10.100.5.0 netmask 255.255.255.0
static (DOMAIN,WIRELESS) 10.50.5.0 10.50.5.0 netmask 255.255.255.0
static (DOMAIN,S2) 10.50.5.0 10.50.5.0 netmask 255.255.255.0
static (WIRELESS,DOMAIN) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,Pelco_MGMT) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,S2) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,WIRED) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,HP_MGMT) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (S2,outside) 10.20.0.0 access-list SRC_Translation
static (outside,S2) 10.30.0.0 10.10.0.0 netmask 255.255.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.50.0.0 255.255.255.0 management
http 10.50.3.0 255.255.255.0 WIRELESS
http redirect outside 443
------------------
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYMAP 10 match address L2LAccessList
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 10 set reverse-route
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 10.50.3.0 255.255.255.0 WIRELESS
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 10.50.3.0 255.255.255.0 WIRELESS
ssh timeout 5
console timeout 10
management-access WIRELESS
dhcpd dns 10.50.5.3 12.127.17.71
!
dhcpd address 10.50.5.50-10.50.5.254 DOMAIN
dhcpd enable DOMAIN
!
dhcpd address 10.50.2.50-10.50.2.254 WIRED
dhcpd enable WIRED
!
dhcpd address 10.50.3.50-10.50.3.254 WIRELESS
dhcpd enable WIRELESS
!
dhcpd address 10.10.2.50-10.10.2.254 S2
dhcpd enable S2
!
dhcpd address 10.50.0.2-10.50.0.10 management
dhcpd enable management
!
vpn load-balancing
interface lbprivate DOMAIN
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
------------------
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
smtp-server 10.50.5.3
------------------
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

siteB:

: Saved
:
ASA Version 8.0(2)
!

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 2.2.2.2
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.60.5.1 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.1
vlan 1
nameif S2
security-level 100
ip address 10.10.10.1 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.50.0.1 255.255.255.0
management-only
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list L2LAccessList extended permit ip 10.30.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SRC_Translation extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu S2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (S2,outside) 10.30.0.0 access-list SRC_Translation
static (outside,S2) 10.20.0.0 10.10.0.0 netmask 255.255.0.0
route outside 0.0.0.0 0.0.0.0 x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.50.0.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYMAP 10 match address L2LAccessList
crypto map MYMAP 10 set peer 1.1.1.1
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 10 set reverse-route
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 10.50.0.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.50.3.10 129.250.35.250
!
dhcpd address 10.60.5.50-10.60.5.250 inside
dhcpd enable inside
!
dhcpd address 10.50.0.2-10.50.0.254 management
dhcpd enable management
!
dhcpd address 10.10.3.50-10.10.3.250 S2
dhcpd enable S2
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:57be0559bfc1270fdff4f32743f6b9d7
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

At first glance you config

Marius Gunnerud — Wed, 17 Sep 2014 21:36:01 GMT

At first glance you config looks correct. The problem is that you are NATing the full subnets of each side. Do all PCs on the 10.30 network need to reach all IPs on the 10.10 network?

You will most likely need to configure static destination NAT for each server you are trying to reach at both ends of the VPN tunnel.

Please remember to select a correct answer and rate helpful posts

Most likely just the server

hmongstrong — Thu, 18 Sep 2014 12:41:28 GMT

Most likely just the server on either end should suffice.

siteA should be able to see siteB's internal 10.10.10.100
siteB should see siteA internal 10.10.10.70

Do I change my static statement and access list configs then?

Since the IPs are overlapping

Marius Gunnerud — Fri, 19 Sep 2014 06:48:28 GMT

Since the IPs are overlapping you need to decide on an IP for the two hosts that that do not overlap. And then NAT the local IPs to that new IP. This new IP will also need to be included in the crypto ACL as the destination IP.

So, for example, siteA will use IP 172.16.1.100 to reach 10.10.10.100

and siteB will use IP 172.16.2.70 to reach 10.10.10.70

access-list VPN permit ip 10.10.10.0 255.255.255.0 host 172.16.2.70

nat (S2) 0 access-list VPN

As long as 172.16.2.0/24 is not a configured network at siteA then the default route will take care of routing.

Please remember to select a correct answer and rate helpful posts

topic At first glance you config in Network Security

overlapping subnets L2L VPN configuration problems

At first glance you config

Most likely just the server

Since the IPs are overlapping