3801 Views, 0 Helpful, 15 Replies

Integration of overlapping networks

komma.vanaja (Level 1)

Hi,

I have a requirement to integrate two overlapping networks using an ASA.

I have experience on switches and routers but not on security devices like the ASA firewall.

One network has the 172.16.0.0/24 address range and the other has 172.16.0.0/16.

As per my knowledge we can't assign these subnets to interfaces of the ASA as they overlap. So I planned to use a router between the ASA and the 172.16.0.0/24 network. I configured NAT on the router, and coming to the ASA I referred to a few documents and configured it. But the problem is with the traffic flow between the ASA interfaces. One interface is configured in the 172.16.0.0/16 network (inside) and the other interface in the 192.168.100.100/24 network which connects to the router (outside, 172.16.0.0/24). I am unable to ping the inside interface from outside or the outside interface from inside. By default inside must be able to access the outside network, right? But it's not happening. From a few documents I came to know that we need to allow ICMP traffic. I did that with an ACL but still no go. Please help me.

Thank you.


15 Replies

Julio Carvajal (VIP Alumni)

Hello Vanaja,

First: you cannot ping a far-end interface on the ASA.

This means if you want to ping the outside interface you should do it from a host on the outside interface; from an inside host the traffic will be dropped.

Now ICMP to any other host than the ASA itself should work.

Do the following:

fixup protocol icmp

Let me know how this goes.

Any other question? Sure. Just remember to rate all the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, thank you for the reply and sorry for my late reply. The topology and configuration is as follows:

ASA:

ASA version 8.4(2)

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.200.20 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 172.16.100.100 255.255.255.0
!
! the mapped object must exist before the real object's nat line references it
object network insidemapped
 host 1.1.1.1
object network inside
 host 172.16.100.10
 nat (inside,outside) static insidemapped
!
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit tcp any any
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit tcp any any
access-group acl-inside in interface inside
access-group acl-outside in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.200.10

Outside router:

interface FastEthernet0/0
 ip address 192.168.200.10 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 172.16.100.100 255.255.255.0
 ip nat inside
!
ip nat inside source static 172.16.100.10 2.2.2.2
ip route 0.0.0.0 0.0.0.0 192.168.200.20

With the above configuration I can ping 1.1.1.1 from the outside network and 2.2.2.2 from inside. Now the issue seems to be fixed for communication between the two interfaces. Now the new problems are:

1. I am unable to ping 1.1.1.1 from the inside network but can ping 2.2.2.2 from outside.

2. NAT configuration for a subnet is not working on either the router or the ASA. I mean, if I want to NAT multiple inside users with 1.1.1.1 and multiple outside users with 2.2.2.2, then the configuration is not executing.

3. I need help to configure ACLs for both inside and outside traffic. In the above configuration, I had given full permission for both types of traffic from both interfaces.

Thank you

Vanaja

Hello Vanaja,

Would you be able to post the configuration for both the ASA and the router? It will help me to understand the scenario better.

Regards

Harish

Hi, thank you for the reply and sorry for my late reply. The topology and configuration is as follows:

ASA:

ASA version 8.4(2)

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.200.20 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.10 255.255.255.0
!
! the mapped object must exist before the real object's nat line references it
object network insidemapped
 host 1.1.1.1
object network inside
 host 172.19.100.10
 nat (inside,outside) static insidemapped
!
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit tcp any any
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit tcp any any
access-group acl-inside in interface inside
access-group acl-outside in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.200.10

Outside router:

interface FastEthernet0/0
 ip address 192.168.200.10 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 172.16.10.10 255.255.255.0
 ip nat inside
!
ip nat inside source static 172.16.10.10 2.2.2.2
ip route 0.0.0.0 0.0.0.0 192.168.200.20

With the above configuration I can ping 1.1.1.1 from the outside network and 2.2.2.2 from inside. Now the issue seems to be fixed for communication between the two interfaces. Now the new problems are:

1. I am unable to ping 1.1.1.1 from the inside network but can ping 2.2.2.2 from outside.

2. NAT configuration for a subnet is not working on either the router or the ASA. I mean, if I want to NAT multiple inside users with 1.1.1.1 and multiple outside users with 2.2.2.2, then the configuration is not executing.

3. I need help to configure ACLs for both inside and outside traffic. In the above configuration, I had given full permission for both types of traffic from both interfaces.

Thank you

Vanaja

Hello Vanaja,

A little confused now. From the first post what I understood is that you wanted to communicate between 2 overlapping networks.

Usually this scenario happens in a NOC environment where the NOC and the customer lie in the same overlapping network, and the solution for that is to do a source and destination NAT at the same time. For example, if you have a PC with an IP of 172.16.0.100/24 and you would like to access a PC at the customer's place with an IP of 172.16.0.100/16, then your PC will initiate a communication to 192.16.0.100 (first octet masked), and once it reaches the customer location the destination will be translated to 172.16.0.100; at the same time the source will be translated to 192.17.0.100.

If you want to achieve the above, let me know so that I can send you the config.

Regards

Harish.

Harish,

My company (172.16.0.0/16) is going to integrate with another company (172.16.0.0/24) via OFC.

The other company should be able to access one of the FTP servers which is behind the ASA firewall. So our firewall already has an interface configured in the 172.16.0.0/16 network. Now one more interface needs to connect to the other company's 172.16.0.0/24, which leads to interface overlapping in the ASA. Therefore I have decided to put a router between the ASA and the other company, as mentioned in the diagram. Previously the traffic from the ASA interfaces was not passing, and later I came to know that we need to permit it, and hence I created an ACL to permit ICMP and TCP traffic. It seems to be working, but now the problem is that I am unable to ping the inside global address from an inside PC but able to ping the same from outside.

Secondly, I need to write ACLs for specific traffic and even for this I need help. I don't know how far my idea was correct, placing a router and planning inside NAT on the ASA and outside NAT on the outside router. Any other alternate or more efficient solution for my scenario will be appreciated. Harish, please do post that NAT config which you told me about, the first-octet NAT. If it solves my requirement, surely I will try it.

Thank you

Vanaja

Hello Vanaja,

Thanks for the exact requirement. Well, this is a pretty straightforward requirement. I assume that the network between your ASA and the router is 192.168.100.0/24.

Now coming back to your requirement:

If the requirement is only to use a few servers in your company, we can do a one-to-one static NAT. For example, you have an FTP server 172.16.0.100 in your company and the other company wants to access it from their local subnet, which also contains a 172.16.0.100.

Now on your ASA you can do the following:

object network Real_IP_FTP
 host 172.16.0.100
object network Mapped_IP_FTP
 host 192.168.100.100
nat (inside,outside) source static Real_IP_FTP Mapped_IP_FTP
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.0.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
route outside 10.16.0.0 255.255.255.0 192.168.100.2 1

On the router please do the following:

interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat inside source static network 172.16.0.0 10.16.0.0 /24

Now, when a PC in the other company with an IP of 172.16.0.100 wants to access your FTP server, it can access it as 192.168.100.100. When the packet reaches their router, the source IP will be changed to 10.16.0.100 and it goes to your ASA; once it reaches your ASA the destination address will be changed from 192.168.100.100 to 172.16.0.100, and vice versa.

Hope it will solve your issue.

Please let me know if you need any help.

Regards

Harish

Thank you Harish. The above config is almost similar to the one I have posted with the diagram. For the outside network, we have NATed the whole subnet, right? If outside wants to communicate with inside it can use 192.168.100.100, but when inside wants to communicate with outside, what IP address will it use? According to the scenario it must use one of the IPs from the 10.16.0.0/24 subnet, right? But it's not pinging.

Hello Vanaja,

Yes. If outside wants to communicate with inside, they should initiate a communication towards 192.168.100.100, and if inside wants to communicate with outside, you can use 10.16.0.100, as we are doing a network-level NAT at the router. It should work, as the output I have pasted is from a working scenario. I guess you have some routing issue to the mapped address. Please use the same subnets used in my example to simulate, so that we can avoid confusion.

Regards

Harish

Yes, it's working.

Thank you.

Harish, please don't mind, I have one more doubt.

Assume we have 3 systems connected to the outside network as follows:

system1 - 172.16.0.2

system2 - 172.16.0.3

system3 - 172.16.0.4

In the above config we NATed 172.16.0.0/24 to 10.16.0.0/24. If an inside user wants to ping or telnet to system2, then what IP should he use? I mean, if we initiate communication with the 10.16.0.100 IP address, then which PC would we be able to communicate with?

Thank you

Vanaja

Hello Vanaja,

Great to hear that it is working as you expected. When we do a network NAT between 172.16.0.0/24 and 10.16.0.0/24, the last 2 octets get matched. If you want to access 172.16.0.25, you shall access the system as 10.16.0.25.

Hope this helps

Harish.
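The address walk Harish describes in the accepted solution (the router swapping the 172.16.0.0/24 prefix for 10.16.0.0/24 while keeping the host bits, the ASA mapping 192.168.100.100 to the FTP server, and the "last two octets get matched" rule above, so that 172.16.0.25 is reached as 10.16.0.25), as an added example that is not part of the original thread. It models the two translation points in Python so the addresses at each hop can be checked before touching the devices. The topology and addresses are the ones from Harish's configs; the class and function names are mine and the ASA rule covers only the FTP server, exactly as in the thread.

```python
"""Added example (not from the thread): simulate the double NAT path from the
accepted solution using only the Python standard library.

Assumed topology and addresses, taken from Harish's configs:
  other company 172.16.0.0/24 -- router (FE0/0 172.16.0.1, FE0/1 192.168.100.2)
  -- transit 192.168.100.0/24 -- ASA (outside 192.168.100.1, inside 172.16.0.1/16)
  -- your company 172.16.0.0/16
Router: ip nat inside source static network 172.16.0.0 10.16.0.0 /24
ASA:    nat (inside,outside) source static Real_IP_FTP Mapped_IP_FTP
        (172.16.0.100 <-> 192.168.100.100)
Class and function names below are mine, not Cisco's.
"""
import ipaddress
from dataclasses import dataclass, replace

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


def overlaps(a: str, b: str) -> bool:
    """True when two prefixes share addresses. The ASA refuses to put two
    interfaces into overlapping subnets, which is why the router is needed."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


class NetworkStaticNat:
    """Model of IOS 'ip nat inside source static network REAL MAPPED /LEN':
    the prefix is swapped and the host bits are kept, so 172.16.0.25 <-> 10.16.0.25."""

    def __init__(self, real: str, mapped: str) -> None:
        self.real = ipaddress.ip_network(real)
        self.mapped = ipaddress.ip_network(mapped)
        if self.real.prefixlen != self.mapped.prefixlen:
            raise ValueError("real and mapped prefixes must be the same length")

    @staticmethod
    def _swap(addr: IPv4, frm: ipaddress.IPv4Network, to: ipaddress.IPv4Network) -> IPv4:
        if addr not in frm:
            return addr                       # not subject to this rule
        host_bits = int(addr) & int(frm.hostmask)
        return IPv4(int(to.network_address) | host_bits)

    def inside_to_outside(self, p: Packet) -> Packet:
        # packet leaving via the 'ip nat outside' interface: source real -> mapped
        return replace(p, src=self._swap(p.src, self.real, self.mapped))

    def outside_to_inside(self, p: Packet) -> Packet:
        # packet arriving on the 'ip nat outside' interface: destination mapped -> real
        return replace(p, dst=self._swap(p.dst, self.mapped, self.real))


class HostStaticNat:
    """Model of ASA 'nat (inside,outside) source static REAL MAPPED' for one host.
    Only the FTP server is translated, as in the thread; other inside hosts pass untouched."""

    def __init__(self, real: str, mapped: str) -> None:
        self.real, self.mapped = IPv4(real), IPv4(mapped)

    def inside_to_outside(self, p: Packet) -> Packet:
        return replace(p, src=self.mapped) if p.src == self.real else p

    def outside_to_inside(self, p: Packet) -> Packet:
        return replace(p, dst=self.real) if p.dst == self.mapped else p


ROUTER = NetworkStaticNat("172.16.0.0/24", "10.16.0.0/24")
ASA = HostStaticNat("172.16.0.100", "192.168.100.100")


def other_company_to_ftp(src: str, dst: str = "192.168.100.100") -> list:
    """Walk one packet from the other company's LAN to the FTP server and the
    reply back. Returns (hop, src, dst) triples as strings."""
    p = Packet(IPv4(src), IPv4(dst))
    hops = [("other LAN", p)]
    p = ROUTER.inside_to_outside(p)      # src 172.16.0.x -> 10.16.0.x
    hops.append(("transit", p))
    p = ASA.outside_to_inside(p)         # dst 192.168.100.100 -> 172.16.0.100
    hops.append(("your LAN", p))
    r = Packet(p.dst, p.src)             # the FTP server replies
    r = ASA.inside_to_outside(r)         # src 172.16.0.100 -> 192.168.100.100
    hops.append(("transit (reply)", r))
    r = ROUTER.outside_to_inside(r)      # dst 10.16.0.x -> 172.16.0.x
    hops.append(("other LAN (reply)", r))
    return [(name, str(pk.src), str(pk.dst)) for name, pk in hops]


def inside_to_other_company(src: str, mapped_dst: str) -> str:
    """Which other-company host does an inside host reach by sending to 10.16.0.x?
    Returns the real destination after the router's translation."""
    p = ASA.inside_to_outside(Packet(IPv4(src), IPv4(mapped_dst)))
    return str(ROUTER.outside_to_inside(p).dst)


if __name__ == "__main__":
    print("172.16.0.0/16 overlaps 172.16.0.0/24:", overlaps("172.16.0.0/16", "172.16.0.0/24"))
    for hop in other_company_to_ftp("172.16.0.100"):
        print(hop)
    print("inside -> 10.16.0.25 reaches", inside_to_other_company("172.16.0.100", "10.16.0.25"))
```

Running it shows the same 172.16.0.100 appearing on both ends of the path with different meanings, which is the whole point of the two-sided translation: the other company's PC only ever sees 192.168.100.100, your FTP server only ever sees 10.16.0.100, and the overlap check at the top is the condition that forces the router onto the path in the first place.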

Thank you so much Harish. For further doubts I will get back soon.

Vanaja

Harish,

In the above example we configured the inside NAT on the ASA and, for the outside systems, we configured it on the router. Instead of that, can we configure NAT for both inside and outside on the ASA alone?

Although this problem seems to be solved, I want to bring in a different solution:

Instead of doing double NAT you could build an IPv6 overlay network just for the systems that need to communicate. That's not so complicated and works fine if there are not too many systems involved.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
