Issue with VPN with overlapping subnets and NAT to forward to another FW

fluffy998 — Wed, 04 Dec 2019 16:36:26 GMT

We have a VPN setup to another ASA Firewall, however their are overlapping subnets and the remote VPN is now sending all traffic to 10.150.249.1/30. I don't have this to assigned to any physical interfaces on the local ASA and need to forward traffic to a PFSense appliance with an IP of 172.16.10.2. I have tried applying static NAT on the object we use for the VPN but it's not working and I am not seeing any traffic appear on the PFsense. Any help appreciated.

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

balaji.bandi — Wed, 04 Dec 2019 17:12:37 GMT

here is a good example guide how you can fix the issue (this is ASA to ASA this can be same as ASA and pfsense).

or post complete config to look.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

fluffy998 — Wed, 04 Dec 2019 22:41:39 GMT

Thanks for the link, I had a try with that but still no luck. Please see below diagram.

My understanding is the traffic from 10.150.249.176/30 needs to forward 172.20.1.2. The 10.150.249.176 subnet is not attached to any physical interfaces but is configured as the encryption domain/local subnet on the VPN. It looks like they have created a NAT rule to forward traffic from 10.150.249.176/30 to 172.20.1.2 but there is no traffic appearing on 172.20.1.2.

The whole reason for this is the partner the other side of the VPN has a 172.20.x.x subnet somewhere.

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

balaji.bandi — Thu, 05 Dec 2019 08:36:47 GMT

May be i missed some bit here, where is the Overlap IP range here, as per diagram i have not seen anything like that?

can you post the configuration to have look along with show crypto ipsec sa output.

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

fluffy998 — Thu, 05 Dec 2019 09:06:36 GMT

The 172.20.1.x networks appears on both sides of the VPN. As a result they are now sending all traffic to 10.150.249.176/30 and we would like to forward that to a PFsense which is internal on 172.20.1.2. I hope that makes sense.

The output from the crypto command is:

interface: Outside
Crypto map tag: Outside_map0, seq num: 1, local addr: x.x.x.x

access-list Outside_cryptomap_1 extended permit ip 10.100.150.0 255.255.255.0 192.168.42.0 255.255.255.0
local ident (addr/mask/prot/port): (10.100.150.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.42.0/255.255.255.0/0/0)
current_peer: x.x.x.x

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/500, remote crypto endpt.: x.x.x.x/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C47BF518
current inbound spi : 622C22B6

inbound esp sas:
spi: 0x622C22B6 (1647059638)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 43, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (4055040/27893)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC47BF518 (3296458008)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 43, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (3916800/27893)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: Outside_map0, seq num: 1, local addr: x.x.x.x

access-list Outside_cryptomap_1 extended permit ip 10.150.249.176 255.255.255.252 192.168.42.0 255.255.255.0
local ident (addr/mask/prot/port): (10.150.249.176/255.255.255.252/0/0)
remote ident (addr/mask/prot/port): (192.168.42.0/255.255.255.0/0/0)
current_peer: x.x.x.x

inbound esp sas:
spi: 0xA04CDB13 (2689391379)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 43, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (4147200/27893)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC1001080 (3238006912)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 43, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (3916800/27893)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: Outside_map0, seq num: 1, local addr: x.x.x.x

access-list Outside_cryptomap_1 extended permit ip 172.20.1.0 255.255.255.0 192.168.42.0 255.255.255.0
local ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.42.0/255.255.255.0/0/0)
current_peer: 82.163.243.186

#pkts encaps: 185248, #pkts encrypt: 185225, #pkts digest: 185225
#pkts decaps: 304869, #pkts decrypt: 304869, #pkts verify: 304869
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 185248, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 23, #fragments created: 0
#PMTUs sent: 23, #PMTUs rcvd: 3, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/500, remote crypto endpt.: x.x.x.x/500
path mtu 1444, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C17F9A5E
current inbound spi : 97FE7CA6

inbound esp sas:
spi: 0x97FE7CA6 (2550037670)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 43, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (4284335/22421)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC17F9A5E (3246365278)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 43, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (3962147/22421)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

fluffy998 — Thu, 05 Dec 2019 09:08:41 GMT

Do you want the whole output from the running config?

Regards

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

balaji.bandi — Thu, 05 Dec 2019 19:52:27 GMT

the out not shows any encryption and decryption?

yes, we would like to see the whole config also just clarify, the VPN between ASA to ASA or ASA to Pssense?

topic Re: Issue with VPN with overlapping subnets and NAT to forward to another FW in Network Security

Issue with VPN with overlapping subnets and NAT to forward to another FW

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW

Re: Issue with VPN with overlapping subnets and NAT to forward to another FW