07-18-2012 08:42 AM - edited 03-11-2019 04:32 PM
I am using a range of IPs from my inside LAN for my IPsec VPN clients. For example, my inside network is 172.16.1.0/24 and I have a pool set up like this: ip local pool vpnpool 172.16.1.200-172.16.1.210 mask 255.255.255.0.
Before the upgrade to 8.4 it was working and now it isn't. Clients can connect and pick up an IP but can't communicate with the inside LAN. I think I have to do manual NAT to nonat this range. So I want to try the following:
object network obj-vpnpool
 range 172.16.1.200 172.16.1.210
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
However there are two things preventing me from doing this:
1) When I try to create obj-vpnpool I get an error stating that this object overlaps with the local pool.
2) Even if I create obj-vpnpool with a non-overlapping range, in the VPN config I don't have an option for selecting obj-vpnpool.
Any ideas?
Thanks,
Diego
07-18-2012 09:20 AM
The IP pool should be unique and not in the same subnet as the LAN subnet.
Please make the necessary change on the IP pool so it is on a unique subnet and make the corresponding changes on the NAT exemption, and it should resolve your issue.
07-18-2012 09:48 AM
I can do that, but I don't see how that will help. If I use a unique subnet I will still have the problem of the network object overlapping the vpnpool. If it overlaps then I won't be able to exclude it from NAT. And if I create a new network object I won't be able to add it to the VPN policy. So I would still have both problems.
Besides, it was working pre-8.4 upgrade. I don't think this is a routing issue. I believe it is a NAT issue.
07-18-2012 09:53 AM
Sorry, I don't understand: how does configuring a unique subnet cause overlapping? It should be unique, so it shouldn't overlap.
Eg:
ip local pool vpnpool 192.168.1.200-192.168.1.210 mask 255.255.255.0
object network obj-lan
 subnet 172.16.1.0 255.255.255.0
object network obj-vpnpool
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) 1 source static obj-lan obj-lan destination static obj-vpnpool obj-vpnpool
07-18-2012 10:31 AM
I think I got the overlap when I tried to create the object using range rather than subnet. Let me try your suggestion and I will let you know.
Thanks,
Diego
07-18-2012 12:08 PM
OK, tried your suggestions but still no joy. I did a packet tracer and it shows that packets going from inside to VPN are being NATed by the PAT. Here is the current config.
ip local pool VPN1 192.168.72.1-192.168.72.254 mask 255.255.255.0
object network VPNSubnet
 subnet 192.168.72.0 255.255.255.0
object network InsideSubnet
 subnet 10.72.160.0 255.255.255.0
nat (inside,Fiber) source static InsideSubnet InsideSubnet destination static VPNSubnet VPNSubnet no-proxy-arp route-lookup
nat (inside,Fiber) source dynamic any interface
And the output of show nat:
Manual NAT Policies (Section 1)
1 (inside) to (Fiber) source static InsideSubnet InsideSubnet destination static VPNSubnet VPNSubnet no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 9
2 (inside) to (Fiber) source dynamic any interface
    translate_hits = 335237, untranslate_hits = 28444
07-18-2012 09:46 PM
Did you "clear xlate" after making the changes?
Also, can you try from the VPN client itself?
07-19-2012 02:39 AM
object network dhclpvpn-pool
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static dhclpvpn-pool dhclpvpn-pool
*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the nat exemption statement at the top of all my nat statements
07-22-2012 06:58 PM
Seems like I got it working. Not sure if it was that I missed the "1" in the identity NAT command or maybe I needed to do a "clear xlate".
Anyhow, how can I take this a step further? I would like to make sure that no private-IP-to-private-IP combination gets NATed. This would mean any combination of source and destination that includes 192.168.0.0/16 or 10.0.0.0/8.
Is there a simple way to do this?
Thanks,
Diego
07-23-2012 10:24 AM
Can you please advise which interface each subnet is connected to and also the security level of those interfaces?
07-23-2012 12:48 PM
I have about one dozen private networks all behind interface "inside" at security level 100. I plan to have VPN tunnels going out through two interfaces called "outside1" and "outside2" at security level 0 to several other private networks. In the past I have used an ACL with all the combinations of source and destination using the 192.168.0.0/16 and 10.0.0.0/8 IP ranges. I would like to mimic that with the new NAT architecture so that I don't have to edit objects or ACLs when a new private subnet is connected to our VPN WAN.
Thanks,
Diego
07-23-2012 06:45 PM
You can create an object-group and keep adding objects to the object-group referenced by your NAT configuration.
Eg:
object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object-group network local-vpn-group
 network-object object obj-10.10.10.0
object-group network remote-vpn-group
 network-object object obj-192.168.10.0
nat (inside,outside) source static local-vpn-group local-vpn-group destination static remote-vpn-group remote-vpn-group
Say, for example, you need to add 10.10.20.0/24 as a local subnet; you can just add the following:
object network obj-10.10.20.0
 subnet 10.10.20.0 255.255.255.0
object-group network local-vpn-group
 network-object object obj-10.10.20.0
Oh BTW, you can't have 2 default routes pointing towards 2 different interfaces. This is not supported on the ASA. If this ASA is just for LAN-to-LAN VPN, you can configure 1 default route towards Outside1 for example, and configure static routes towards Outside2 (just have to add the peer address and remote vpn subnets in the static routes towards Outside2 for example).
Hope that helps.
07-26-2012 08:12 PM
I was thinking something a little more comprehensive. What do you think of something like this:
object network PrivateNet_172_16
 subnet 172.16.0.0 255.240.0.0
object network PrivateNet_10
 subnet 10.0.0.0 255.0.0.0
object network PrivateNet_192_168
 subnet 192.168.0.0 255.255.0.0
object-group network Private_Networks
 network-object object PrivateNet_10
 network-object object PrivateNet_172_16
 network-object object PrivateNet_192_168
nat (inside,outside) source static Private_Networks Private_Networks destination static Private_Networks Private_Networks
Think it would work?
Thanks,
Diego
08-03-2012 01:09 AM
I would steer away from having the same subnet for source and destination. It is better to configure a specific subnet for each source and destination.
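The two NAT points raised in this thread, the shadowed identity rule from the 07-18 "show nat" output and the blanket Private_Networks exemption proposed on 07-26, can be checked with a small model of how ASA 8.3+ walks the Section 1 manual NAT table: top-down, first rule whose source and destination objects both match wins. This is an added example written for this thread, not Cisco code and not from any poster; the egress interface address 203.0.113.1, the remote site 192.168.50.7, the Internet host 198.51.100.9 and the untunnelled private destination 172.31.9.9 are assumed sample values.

```python
"""Toy model of ASA 8.3+ manual (twice) NAT evaluation.

Section 1 rules are checked in order; the first rule whose source and
destination objects both match decides the translation. Added example,
not Cisco code. Addresses other than those posted in the thread are assumed.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = (Net("0.0.0.0/0"),)
RFC1918 = (Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple    # networks making up the source object or object-group
    dst: tuple    # networks making up the destination object or object-group
    action: str   # "identity" (source static X X) or "pat" (source dynamic any interface)


def _matches(addr, nets):
    return any(addr in n for n in nets)


def first_match(rules, src_ip, dst_ip):
    """Return (line number, rule) of the first matching rule, or (None, None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line, rule in enumerate(rules, start=1):
        if _matches(s, rule.src) and _matches(d, rule.dst):
            return line, rule
    return None, None


def translated_source(rules, src_ip, dst_ip, egress_ip="203.0.113.1"):
    """Source address the packet carries on the egress interface: unchanged
    for identity NAT or no match, the interface address for dynamic PAT."""
    _, rule = first_match(rules, src_ip, dst_ip)
    if rule is None or rule.action == "identity":
        return src_ip
    return egress_ip


# Objects exactly as posted in the thread (InsideSubnet / VPNSubnet)
INSIDE = (Net("10.72.160.0/24"),)
VPNPOOL = (Net("192.168.72.0/24"),)
EXEMPT = Rule("InsideSubnet<->VPNSubnet identity", INSIDE, VPNPOOL, "identity")
PAT = Rule("dynamic any interface", ANY, ANY, "pat")

# Identity NAT appended after the catch-all PAT is never reached; giving it
# line number 1 (nat (inside,Fiber) 1 source static ...) moves it to the top.
SHADOWED = [PAT, EXEMPT]
CORRECT = [EXEMPT, PAT]

# Blanket RFC 1918 exemption proposed later in the thread (Private_Networks)
BLANKET = Rule("Private_Networks identity", RFC1918, RFC1918, "identity")
BLANKET_RULES = [BLANKET, PAT]


def demo():
    """Evaluate the thread's flows against each rule ordering."""
    inside_to_vpn = ("10.72.160.10", "192.168.72.5")   # inside host -> VPN client
    return {
        "shadowed": translated_source(SHADOWED, *inside_to_vpn),
        "correct": translated_source(CORRECT, *inside_to_vpn),
        "blanket_to_vpn_site": translated_source(BLANKET_RULES, "10.72.160.10", "192.168.50.7"),
        "blanket_to_internet": translated_source(BLANKET_RULES, "10.72.160.10", "198.51.100.9"),
        # the blanket rule also exempts private destinations that have no tunnel at all
        "blanket_to_untunnelled_private": translated_source(BLANKET_RULES, "10.72.160.10", "172.31.9.9"),
    }


if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow}: {result}")
```

With the identity rule below the dynamic PAT, the inside-to-VPN flow is PATed to the interface address, which is what the packet tracer in the thread reported; with it at line 1 the source is left untouched. The blanket rule shows why the reviewer advised against using one group on both sides: every RFC 1918 destination is exempted, including private ranges no tunnel serves, so a narrow rule per site pair is the safer shape.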
08-07-2012 05:32 AM
I will be using about a dozen private-net to private-net tunnels initially and then adding more as time goes by. I just wanted to keep the config as clean and clutter free as possible and take care of all the different combinations with as few commands as possible.
Thanks for all your help and advice.
Rgds,
Diego