NAT issue with VPN Site ti Site (Remote LANs with IP address)

Cisco SOGET
Level 1

Hello

I have an ASA5510 to connect clients to my company. I use IPsec site-to-site VPN with different VPN equipment on the other side (Cisco, SonicWall, Zyxel, Check Point ...).

For every remote LAN I translate the client network into a single IP address.

For instance

Client1 192.168.1.0/24    Dynamic PAT (hide)     a.b.c.1/24

Client2  172.16.0.0/16     Dynamic PAT (hide)     a.b.c.2/24

Client3  172.17.4.0/26     Dynamic PAT (hide)     a.b.c.3/24

...

Everything is working fine, but now I have a new client with the same IP network as client1.

I tried

Clientn 192.168.1.0/24    Dynamic PAT (hide)     a.b.c.n/24

But when I did it, client1 lost the connection and I had to remove the clientn network ...

Do you have an idea how to permit the same remote IP addresses to use the VPN?

For information, I use ASDM to set up the ASA.

Regards

Laurent

Sorry for my English ...

4 Replies

WILLIAM STEGMAN
Level 4

Ask the client to NAT their network to something you're not already using. Unless they are accessing a network on your side that is different from the network client1 is accessing on your side. If that is the case you could create a rule that states: if traffic is coming from client1 to network1, then PAT to this IP address; if traffic is from clientn to networkn, then PAT to this IP address.

Thank you William, but I can't ask clients to NAT their networks, and they all connect to the same network on my side:

Client1 192.168.1.0/24 Dynamic PAT (hide) a.b.c.1/24 connect to w.x.y.0/24

Client2 192.168.1.0/24 Dynamic PAT (hide) a.b.c.2/24 connect to w.x.y.0/24

Client3 192.168.1.0/24 Dynamic PAT (hide) a.b.c.3/24 connect to w.x.y.0/24

Clientn 192.168.1.0/24 Dynamic PAT (hide) a.b.c.n/24 connect to w.x.y.0/24

At the beginning, I NATed the clients' networks to avoid that kind of problem, and I don't understand why it is not working.

Do I have to change the NAT type?

Hi Laurent,

I'm afraid the ASA is not built to do something like that. Even if you manage to configure several NAT rules so that the remote VPN addresses are mapped to different address ranges on your inside, the ASA will have difficulties deciding which of the identical remote networks should be chosen.

On IOS you can do something like that; the features you might want to take a look at are VTI, VRF-lite and VRF-aware NAT. The VTI is a tunnel interface which represents an IPsec connection to one of your customers and is associated with a VRF. The NAT configuration just needs to address the VRF in addition to the outside-global and outside-local addresses, with ip nat inside/outside on the interfaces as usual. The classical crypto map is replaced by tunnel source/destination and a tunnel protection profile.

That's the best I can think of...

MiKa
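A sketch of the IOS design MiKa describes, as an added example that is not MiKa's or the thread's configuration: two customers that both use 192.168.1.0/24 each get their own VTI and VRF, and VRF-aware NAT hides each one behind its own a.b.c.n address from the thread. Interface names, the peer addresses 203.0.113.1/.2, the pre-shared keys and the VRF route distinguishers are assumptions.

```cisco
! Added example (not the thread's config): IOS per-customer VTI + VRF-lite + VRF-aware NAT.
! Assumed: Gi0/0 = Internet, Gi0/1 = company LAN w.x.y.0/24, 203.0.113.x = placeholder peers.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK1-PLACEHOLDER address 203.0.113.1
crypto isakmp key PSK2-PLACEHOLDER address 203.0.113.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-VTI
 set transform-set TS-AES
! One VRF per customer keeps the two identical 192.168.1.0/24 routes apart.
ip vrf CLIENT1
 rd 65000:1
ip vrf CLIENT2
 rd 65000:2
! Tunnel endpoints stay in the global table; the decrypted traffic lands in the customer VRF.
interface Tunnel1
 ip vrf forwarding CLIENT1
 ip address 10.255.1.1 255.255.255.252
 ip nat inside
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
interface Tunnel2
 ip vrf forwarding CLIENT2
 ip address 10.255.2.1 255.255.255.252
 ip nat inside
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
interface GigabitEthernet0/1
 ip nat outside
! The overlapping prefix exists once per VRF, each behind its own tunnel; the company LAN
! is reached by a static route that leaks into the global-table LAN interface.
ip route vrf CLIENT1 192.168.1.0 255.255.255.0 Tunnel1
ip route vrf CLIENT2 192.168.1.0 255.255.255.0 Tunnel2
ip route vrf CLIENT1 w.x.y.0 255.255.255.0 GigabitEthernet0/1
ip route vrf CLIENT2 w.x.y.0 255.255.255.0 GigabitEthernet0/1
! One ACL matches both customers; the vrf keyword on each NAT rule selects the hide address,
! so replies from w.x.y.0/24 to a.b.c.1 untranslate into CLIENT1 and to a.b.c.2 into CLIENT2.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat pool HIDE-CLIENT1 a.b.c.1 a.b.c.1 netmask 255.255.255.0
ip nat pool HIDE-CLIENT2 a.b.c.2 a.b.c.2 netmask 255.255.255.0
ip nat inside source list 10 pool HIDE-CLIENT1 vrf CLIENT1 overload
ip nat inside source list 10 pool HIDE-CLIENT2 vrf CLIENT2 overload
```

The hosts in w.x.y.0/24 still need a route for a.b.c.0/24 that points at this router, and adding a third overlapping customer is one more VRF, tunnel, pool and NAT rule with the same ACL.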

Hi Mika

I don't understand why the ASA has difficulties deciding which remote network to choose, because the NAT IP address a.b.c.x is assigned to just one client, which is in only one crypto map.

From client

Client1 192.168.1.0/24 Crypto-map1 Dynamic PAT (hide) a.b.c.1 connect to w.x.y.x

Client2 192.168.1.0/24 Crypto-map2 Dynamic PAT (hide) a.b.c.2 connect to w.x.y.x

From my side

w.x.y.x responds to a.b.c.1 in Crypto-map1, to 192.168.1.0/24 (Client1)

w.x.y.x responds to a.b.c.2 in Crypto-map2, to 192.168.1.0/24 (Client2)

The solution with VTI and VRF seems (to me) complicated to operate.

Laurent
