1444 Views | 0 Helpful | 4 Replies

IPsec VPN subnet conflicting

Hello,

I have a query regarding IPsec VPN setup. We are configuring IPsec VPN between two nodes, details are given below - 

Node A: Check Point Firewall, VPN Initiator, Source IP 2.2.2.2/32

Node B: Cisco Firepower Threat Defense, VPN Responder, Destination IP/Subnet 10.10.10.0/24 and 10.10.20.0/24

So the VPN is up and traffic flows between 2.2.2.2/32 and 10.10.10.0/24; however, the other subnet, 10.10.20.0/24, conflicts with a range in use on the customer premises, i.e. the Node A side. This subnet is necessary since it hosts multiple servers, but due to the conflict the customer is not able to access this IP range.

Can someone please advise what the best possible solution for this issue is, apart from NATing at Node B?

4 Replies

Is the NAT exemption (identity NAT) applied on both sides? Make sure the ACLs (crypto map) are identical on both sides. You can do a packet tracer on the FTD and show us the output.

please do not forget to rate.

Hello Sir,

Identity NAT/exemption is not applied. The issue is that source IP 2.2.2.2/32 can reach destination 10.10.10.0/24, whereas it cannot reach the other destination subnet 10.10.20.0/24, because 10.10.20.0/24 is already being used at the customer end, i.e. the Node A end, so when they initiate traffic for the second subnet it is routed somewhere other than the IPsec VPN.
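The routing behaviour described in this post can be checked before a tunnel is built. The script below is an added example, not code from the thread or from either vendor: it compares a site's local routes against the remote encryption domain (the two subnets quoted in the question), flags overlaps, simulates the longest-prefix-match decision that sends 10.10.20.x traffic to the local LAN instead of the tunnel, and picks a non-overlapping range of the same size from a spare pool as a candidate for a policy-NAT mapping. The Node A route table and the spare pool are constructed for illustration; which gateway applies the NAT is a design choice, and the real candidate range must come from address space that is actually free at both sites.

```python
"""Encryption-domain overlap check for an IPsec VPN (added example).

Addresses 2.2.2.2/32, 10.10.10.0/24 and 10.10.20.0/24 come from the thread;
the local route table and the spare NAT pool are constructed assumptions.
"""
import ipaddress

# Constructed route table for Node A (Check Point side). 10.10.20.0/24 is
# assumed to be a directly connected LAN, as the poster describes.
LOCAL_ROUTES_NODE_A = {
    "2.2.2.2/32": "loopback",
    "10.10.20.0/24": "LAN (local servers)",   # the conflicting range
    "0.0.0.0/0": "ISP uplink",
}

# Remote encryption domain (traffic selectors) advertised by Node B (FTD).
REMOTE_ENCRYPTION_DOMAIN = ["10.10.10.0/24", "10.10.20.0/24"]


def find_overlaps(local_routes, remote_subnets):
    """Return (remote_subnet, local_route) pairs that overlap.

    The default route is skipped because it overlaps everything; any other
    overlap means a remote selector competes with a local route.
    """
    overlaps = []
    for remote in remote_subnets:
        r = ipaddress.ip_network(remote)
        for local in local_routes:
            l = ipaddress.ip_network(local)
            if l.prefixlen == 0:
                continue
            if r.overlaps(l):
                overlaps.append((remote, local))
    return overlaps


def route_lookup(local_routes, dst_ip):
    """Longest-prefix match: the most specific local route wins.

    A destination inside a locally connected prefix is forwarded onto that
    LAN, so it never reaches the path that the VPN policy would encrypt.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix in local_routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None
                           or net.prefixlen > ipaddress.ip_network(best).prefixlen):
            best = prefix
    return best


def propose_nat(remote_subnet, free_pool, local_routes):
    """Pick a same-size range from free_pool that overlaps no local route.

    The returned range is a candidate for presenting the remote subnet under
    a different address (policy NAT). free_pool is a placeholder; use real
    spare address space in practice.
    """
    r = ipaddress.ip_network(remote_subnet)
    pool = ipaddress.ip_network(free_pool)
    if pool.prefixlen > r.prefixlen:       # pool too small to carve a /prefix
        return None
    for candidate in pool.subnets(new_prefix=r.prefixlen):
        if not find_overlaps(local_routes, [str(candidate)]):
            return str(candidate)
    return None


def report(local_routes, remote_subnets, free_pool):
    """Summarise overlaps and a NAT candidate for each conflicting selector."""
    result = {}
    for remote, local in find_overlaps(local_routes, remote_subnets):
        result[remote] = {
            "conflicts_with": local,
            "nat_candidate": propose_nat(remote, free_pool, local_routes),
        }
    return result


if __name__ == "__main__":
    print("overlaps:", find_overlaps(LOCAL_ROUTES_NODE_A, REMOTE_ENCRYPTION_DOMAIN))
    for dst in ("10.10.10.5", "10.10.20.5"):
        print(dst, "-> route", route_lookup(LOCAL_ROUTES_NODE_A, dst))
    print(report(LOCAL_ROUTES_NODE_A, REMOTE_ENCRYPTION_DOMAIN, "192.168.100.0/22"))
```

Run against the constructed table, the check reports that 10.10.20.0/24 in the remote domain collides with the local LAN, that 10.10.10.5 follows the default route (and so can be encrypted by the VPN policy) while 10.10.20.5 matches the connected route, and it suggests the first free /24 of the pool as a NAT candidate for the conflicting subnet.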

Is the 10.20 network behind the FTD directly connected, or is there a Layer 3 device between the FTD and the 10.20 network?

please do not forget to rate.

Hello sir,

The 10.10.20.0/24 network is not directly connected to FTD. There is a Layer 3 device.

<------ (VPN)FTD ----- Nexus 5k ----- 10.10.20.0/24
