Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
601
Views
0
Helpful
3
Replies

overlapping subnets L2L VPN configuration problems

hmongstrong
Level 1
Level 1

‎09-17-2014 11:25 AM - edited ‎03-11-2019 09:46 PM

I just cannot get it to work.  I need devices on siteA to connect to devices on siteB, both with overlapping IP's.  Then if I am at siteA and want to ping siteB server at 10.10.10.100, what IP do I ping?

 

I hope I make sense, because L2L vpn is kicking my butt with these overlapping subnets.  Thanks!

 

 

siteA:

: Saved
:
ASA Version 8.0(2)
!
------------------
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.5
 vlan 5
 nameif DOMAIN
 security-level 100
 ip address 10.50.5.1 255.255.255.0
!
interface Ethernet0/1.99
 vlan 99
 nameif HP_MGMT
 security-level 100
 ip address 10.50.99.1 255.255.255.0
!
interface Ethernet0/1.100
 vlan 100
 nameif WIRED
 security-level 100
 ip address 10.50.2.1 255.255.255.0
!
interface Ethernet0/1.101
 vlan 101
 nameif WIRELESS
 security-level 100
 ip address 10.50.3.1 255.255.255.0
!
interface Ethernet0/1.1005
 vlan 1005
 nameif Pelco_MGMT
 security-level 100
 ip address 10.100.5.2 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.1
 vlan 1
 nameif S2
 security-level 100
 ip address 10.10.10.1 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 100
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.50.0.1 255.255.255.0
 management-only
!
------------------
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list L2LAccessList extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SRC_Translation extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
pager lines 24
------------------
mtu outside 1500
mtu DOMAIN 1500
mtu HP_MGMT 1500
mtu WIRED 1500
mtu WIRELESS 1500
mtu Pelco_MGMT 1500
mtu S2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any HP_MGMT
icmp permit any WIRELESS
icmp permit any S2
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DOMAIN) 1 0.0.0.0 0.0.0.0
nat (WIRED) 1 0.0.0.0 0.0.0.0
nat (WIRELESS) 1 0.0.0.0 0.0.0.0
nat (S2) 1 10.10.0.0 255.255.0.0
static (DOMAIN,outside) tcp interface https 10.50.5.5 https netmask 255.255.255.255
static (WIRELESS,outside) tcp interface 3389 10.50.3.49 3389 netmask 255.255.255.255
static (S2,WIRELESS) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (S2,DOMAIN) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (WIRED,WIRELESS) 10.50.2.0 10.50.2.0 netmask 255.255.255.0
static (HP_MGMT,WIRELESS) 10.50.99.0 10.50.99.0 netmask 255.255.255.0
static (Pelco_MGMT,WIRELESS) 10.100.5.0 10.100.5.0 netmask 255.255.255.0
static (DOMAIN,WIRELESS) 10.50.5.0 10.50.5.0 netmask 255.255.255.0
static (DOMAIN,S2) 10.50.5.0 10.50.5.0 netmask 255.255.255.0
static (WIRELESS,DOMAIN) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,Pelco_MGMT) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,S2) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,WIRED) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,HP_MGMT) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (S2,outside) 10.20.0.0  access-list SRC_Translation
static (outside,S2) 10.30.0.0 10.10.0.0 netmask 255.255.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.50.0.0 255.255.255.0 management
http 10.50.3.0 255.255.255.0 WIRELESS
http redirect outside 443
------------------
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYMAP 10 match address L2LAccessList
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 10 set reverse-route
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet 10.50.3.0 255.255.255.0 WIRELESS
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 10.50.3.0 255.255.255.0 WIRELESS
ssh timeout 5
console timeout 10
management-access WIRELESS
dhcpd dns 10.50.5.3 12.127.17.71
!
dhcpd address 10.50.5.50-10.50.5.254 DOMAIN
dhcpd enable DOMAIN
!
dhcpd address 10.50.2.50-10.50.2.254 WIRED
dhcpd enable WIRED
!
dhcpd address 10.50.3.50-10.50.3.254 WIRELESS
dhcpd enable WIRELESS
!
dhcpd address 10.10.2.50-10.10.2.254 S2
dhcpd enable S2
!
dhcpd address 10.50.0.2-10.50.0.10 management
dhcpd enable management
!
vpn load-balancing
 interface lbprivate DOMAIN
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
------------------
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
smtp-server 10.50.5.3
------------------
: end
asdm image disk0:/asdm-602.bin
no asdm history enable


siteB:

: Saved
:
ASA Version 8.0(2)
!

!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.60.5.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.1
 vlan 1
 nameif S2
 security-level 100
 ip address 10.10.10.1 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.50.0.1 255.255.255.0
 management-only
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list L2LAccessList extended permit ip 10.30.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SRC_Translation extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu S2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (S2,outside) 10.30.0.0  access-list SRC_Translation
static (outside,S2) 10.20.0.0 10.10.0.0 netmask 255.255.0.0
route outside 0.0.0.0 0.0.0.0 x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.50.0.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYMAP 10 match address L2LAccessList
crypto map MYMAP 10 set peer 1.1.1.1
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 10 set reverse-route
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet 10.50.0.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.50.3.10 129.250.35.250
!
dhcpd address 10.60.5.50-10.60.5.250 inside
dhcpd enable inside
!
dhcpd address 10.50.0.2-10.50.0.254 management
dhcpd enable management
!
dhcpd address 10.10.3.50-10.10.3.250 S2
dhcpd enable S2
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:57be0559bfc1270fdff4f32743f6b9d7
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

 

Labels:
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎09-17-2014 02:36 PM

At first glance you config looks correct.  The problem is that you are NATing the full subnets of each side.  Do all PCs on the 10.30 network need to reach all IPs on the 10.10 network? 

You will most likely need to configure static destination NAT for each server you are trying to reach at both ends of the VPN tunnel.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

hmongstrong
Level 1
Level 1
In response to Marius Gunnerud

‎09-18-2014 05:41 AM

Most likely just the server on either end should suffice.

 

  • siteA should be able to see siteB's internal 10.10.10.100
  • siteB should see siteA internal 10.10.10.70

 

Do I change my static statement and access list configs then?

0 Helpful

Marius Gunnerud
VIP
VIP
In response to hmongstrong

‎09-18-2014 11:48 PM

Since the IPs are overlapping you need to decide on an IP for the two hosts that that do not overlap. And then NAT the local IPs to that new IP.  This new IP will also need to be included in the crypto ACL as the destination IP.

So, for example, siteA will use IP 172.16.1.100 to reach 10.10.10.100

and siteB will use IP 172.16.2.70 to reach 10.10.10.70

access-list VPN permit ip 10.10.10.0 255.255.255.0 host 172.16.2.70

nat (S2) 0 access-list VPN

As long as 172.16.2.0/24 is not a configured network at siteA then the default route will take care of routing.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card