11-12-2007 08:18 PM - edited 02-21-2020 01:47 AM
Please help, this is really an emergency
I've gone thru 7 Cisco techs (escalation team, backbone team, etc., etc.) and no luck.
Network behind ASA 7.2 is 10.21.30.0
Network behind IOS 1841 is 192.168.1.0
Packets originating at IOS side and destined to ASA should look to ASA inside hosts as coming from the 10.12.0.0 network.
Packets originating at ASA side and destined to 1841 inside network should be going to the fake 10.12.0.0 network which in turn should go to the real 192.168.1.0 network.
Cisco seems unable to accomplish this for as much as they want to.
The ASA side hasn't been touched, except that it has been properly configured for the crypto tunnel and all is well.
The "faking" should be done at the 1841 and no matter what they try, it does not work.
The ASA has lots of IPSec tunnels to other networks and one of them includes a 192.168.1.0, so this is why we can't use this to reach the 1841 side from the ASA.
The closest we've been with Cisco is that they were able to ping the networks (1841 side was successfully pinging 10.21.30.x and ASA side was successfully pinging 10.12.0.0), BUT every time they got it this way, inside hosts in the 1841 network were not able to go out to the internet.
Please help
11-12-2007 08:34 PM
Have you tried applying NAT on 1841 for the traffic going from inside 1841 to inside of ASA device?
Thanks,
Radhika
11-12-2007 09:15 PM
Yes, that is being done. We can NAT anything from 192.168.1.0 to 10.12.0.0 but from there it does not do anything else.
11-13-2007 03:56 AM
You mean that NAT is working?
When a packet is sent from inside to the other end of the tunnel, is there an entry in the translation table?
Thanks,
Radhika
11-15-2007 05:10 AM
I suggest you use crypto map to apply the NAT on the Cisco router. I have done this without any problem in the past.
ASA's side: 172.18.1.0/24
1841's side: 192.168.1.0/24
NAT: 192.168.231.0/24
For example:
access-list 120 permit ip 172.18.1.0 0.0.0.255 192.168.231.0 0.0.0.255
access-list 120 permit ip 192.168.231.0 0.0.0.255 172.18.1.0 0.0.0.255
ip nat inside source static 192.168.1.4 192.168.231.4 route-map NAT
route-map NAT permit 50
 match ip address 120
!
11-26-2007 07:26 AM
David, I don't understand. Why do you have the statement
ip nat inside source static 192.168.1.4 192.168.231.4 route-map NAT
???
I need the entire inside network behind the 1841 router (192.168.1.0/24 in your example) to send requests to the fake 10.12.0.0/24 network (192.168.231.0/24 in your example). This in turn will deliver the packets to the other side of the tunnel (172.18.1.0/24 in your example).
That is the exact end result that I need: inside network behind the ASA needs to know ONLY about 10.12.0.0 when communicating to the inside network of the 1841 router.
Please help
11-27-2007 10:45 AM
I just tried this and it works but the only thing is that it lets me access only one single host at the 1841 side.
So from the ASA side (172.18.1.0/24) I can successfully ping 192.168.231.4 (the fake address). And this is only one way, as I can't ping anything on the ASA side from the 1841 side.
I also tried
ip nat inside source static network 192.168.1.0 192.168.231.0 /24 no-alias
and it works. This of course does not use any route maps and it also seems to mess up my single IP NAT statement which currently NATs my entire inside network to the single public IP address on the outside interface.
Any help?
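The translation behaviour asked for in this thread, written out as a small Python model. This is an added example, not part of any post and not router configuration; it uses the example addresses from the reply above, and the public overload address 203.0.113.10 is an assumed placeholder.

```python
import ipaddress as ip

# Addresses from the example in the thread.
REAL_LAN = ip.ip_network("192.168.1.0/24")     # hosts behind the 1841
FAKE_LAN = ip.ip_network("192.168.231.0/24")   # what the ASA side should see
REMOTE_LAN = ip.ip_network("172.18.1.0/24")    # hosts behind the ASA
# Assumption: placeholder public address for the existing single-IP overload NAT.
PAT_ADDRESS = ip.ip_address("203.0.113.10")


def remap(addr, from_net, to_net):
    """Swap the network prefix and keep the host bits (network-to-network NAT)."""
    host_bits = int(addr) & int(from_net.hostmask)
    return ip.ip_address(int(to_net.network_address) | host_bits)


def translate_outbound(src, dst):
    """Source address a packet leaving the 1841 LAN should carry, and which rule applied."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src not in REAL_LAN:
        return src, "untranslated"
    if dst in REMOTE_LAN:
        # Tunnel traffic: one-to-one mapping into the fake range.
        return remap(src, REAL_LAN, FAKE_LAN), "static-network"
    # Internet traffic keeps using the single public address.
    return PAT_ADDRESS, "overload"


def translate_inbound(src, dst):
    """Real destination for a packet arriving from the tunnel, or None if not mapped."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in REMOTE_LAN and dst in FAKE_LAN:
        return remap(dst, FAKE_LAN, REAL_LAN)
    return None


def crypto_acl_matches(src, dst):
    """Interesting traffic is matched on the translated source, because
    outbound NAT is applied before the crypto check."""
    return ip.ip_address(src) in FAKE_LAN and ip.ip_address(dst) in REMOTE_LAN


if __name__ == "__main__":
    for s, d in [("192.168.1.4", "172.18.1.20"), ("192.168.1.4", "8.8.8.8")]:
        print(s, "->", d, "leaves as", *translate_outbound(s, d))
    print("reply to 192.168.231.77 reaches", translate_inbound("172.18.1.20", "192.168.231.77"))
```

An unconditional network mapping corresponds to dropping the `dst in REMOTE_LAN` test, which is why Internet-bound traffic then stops reaching the overload rule.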