Site to Site VPN with overlapping subnets and PAT

hmc250000
Level 1

Hi, I need to set up a site-to-site VPN with an external vendor, but the vendor has a local subnet that overlaps with our network. We would not like to use additional subnets for mapping. I'm thinking about configuring PAT (using one of the interfaces of the ASA); it's OK if communication only gets initiated by the external partner.

How do I configure PAT in this scenario and the access lists?

Company A

Subnet 172.16.10.0/25. Needs access to subnets 172.16.5.0/24, 172.16.6.0/24 and 172.16.7.0/24 in Company B's network.

Company B (large network)

subnet 172.16.0.0/16

5 Replies

Aditya Ganjoo
Cisco Employee

Hi Henry,

You can use the Dynamic PAT for this.

You need to create an Object group that would involve all the local subnets.

After that, you can use the following NAT statement:

nat (inside,outside) source dynamic <object group name> <PAT IP> destination static <remote network> <remote network>

Please ensure you put in the PAT IP in the crypto ACL.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
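A complete configuration along the lines described in this reply, added here as an illustration; it is not taken from this thread or from Cisco documentation. It assumes Company B is the side that translates and initiates (dynamic PAT is one-directional, which matches the original poster's constraint), that B's outside interface address is 203.0.113.2 and A's is 198.51.100.2 (both constructed from documentation ranges), that Company A's real prefix is the 172.16.10.0/25 from the question, IKEv2 with a pre-shared key (placeholder shown), and object names chosen for the example.

```text
! ===== Company B ASA (PAT side, constructed outside IP 203.0.113.2) =====
object network Inside_subnet5
 subnet 172.16.5.0 255.255.255.0
object network Inside_subnet6
 subnet 172.16.6.0 255.255.255.0
object network Inside_subnet7
 subnet 172.16.7.0 255.255.255.0
object-group network subnets5-6-7
 network-object object Inside_subnet5
 network-object object Inside_subnet6
 network-object object Inside_subnet7
object network Outside_RealA
 subnet 172.16.10.0 255.255.255.128
!
! Twice NAT: only traffic from the three subnets *to* Company A is PATed to the
! outside interface address ("interface" keyword). Other 172.16.0.0/16 traffic is untouched.
nat (inside,outside) source dynamic subnets5-6-7 interface destination static Outside_RealA Outside_RealA
!
! Crypto ACL names the translated source (the interface IP), not the real inside subnets.
access-list outside_cryptomap extended permit ip host 203.0.113.2 172.16.10.0 255.255.255.128
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
!
! ===== Company A ASA (no translation, constructed outside IP 198.51.100.2) =====
object network Inside_RealA
 subnet 172.16.10.0 255.255.255.128
object network B_PAT_IP
 host 203.0.113.2
!
! Identity (NAT exemption) rule so 172.16.10.0/25 is not translated toward B's PAT address.
nat (inside,outside) source static Inside_RealA Inside_RealA destination static B_PAT_IP B_PAT_IP no-proxy-arp route-lookup
!
! Exact mirror of Company B's crypto ACL.
access-list outside_cryptomap extended permit ip 172.16.10.0 255.255.255.128 host 203.0.113.2
!
! IKEv2 policy, ipsec-proposal, crypto map and tunnel-group are the same as on
! Company B, with the peer set to 203.0.113.2 and the same pre-shared key.
```

To verify, run packet-tracer on Company B from the inside interface with a source in one of the three subnets and a destination in 172.16.10.0/25; the NAT phase should show the source rewritten to the outside address, and `show crypto ipsec sa` should list the identities 203.0.113.2/32 and 172.16.10.0/25. Two consequences of this design are worth keeping in mind: every B host appears to Company A as the single address 203.0.113.2, so A loses per-host visibility in its logs and ACLs; and because 172.16.10.0/25 sits inside B's own 172.16.0.0/16, B's internal routing must deliver that prefix to the ASA's inside interface, which only works if B does not use those addresses itself.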

When I test this with packet-tracer I see that packets get dropped by an access list. Are these access lists correct?

Company A:

object network Inside_RealA
 subnet 172.16.10.0 255.255.255.0
object network Remote_subnet5
 subnet 172.16.5.0 255.255.255.0
object network Remote_subnet6
 subnet 172.16.6.0 255.255.255.0
object network Remote_subnet7
 subnet 172.16.7.0 255.255.255.0
object-group network subnets5-6-7
 network-object object Remote_subnet5
 network-object object Remote_subnet6
 network-object object Remote_subnet7

access-list outside_cryptomap extended permit ip object Inside_RealA object-group subnets5-6-7
nat (inside,outside) after-auto source static Inside_RealA Inside_RealA destination static subnets5-6-7 subnets5-6-7

Company B:

object network Outside_RealA
 subnet 172.16.10.0 255.255.255.0
object network Inside_subnet5
 subnet 172.16.5.0 255.255.255.0
object network Inside_subnet6
 subnet 172.16.6.0 255.255.255.0
object network Inside_subnet7
 subnet 172.16.7.0 255.255.255.0
object-group network subnets5-6-7
 network-object object Inside_subnet5
 network-object object Inside_subnet6
 network-object object Inside_subnet7

access-list outside_cryptomap extended permit ip object-group subnets5-6-7 object Outside_RealA
nat (inside,outside) source dynamic subnets5-6-7 interface destination static Outside_RealA Outside_RealA

Hi,

No, the crypto ACL in Company B should be:

access-list outside_cryptomap extended permit ip <interface-pat-ip> object Outside_RealA

The reverse should be used at Company A.

Regards,

Aditya
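The reason the crypto ACL must carry the PAT address rather than the real subnets is the order in which the ASA handles an outbound flow: twice NAT is applied first, and the crypto-map ACL is then matched against the translated packet, while the peer checks its own crypto ACL against the decrypted inner header. The following model, added here as an illustration (not Cisco code or output), replays one constructed flow from Company B to Company A through both ACL designs from this thread. The interface address 203.0.113.2 and the hosts used are constructed; Company A's prefix is the /25 from the question.

```python
"""Added example: a crypto ACL has to name the translated (PAT) address.

Models the order of operations an ASA applies to a flow leaving the inside
interface towards a site-to-site peer: twice NAT first, then the crypto-map
ACL lookup on the already-translated packet. The peer decrypts and checks
its own crypto ACL against the inner header, which must be the mirror image.
All addresses are constructed for the illustration; 203.0.113.2 stands in for
Company B's outside interface. This is a model, not Cisco code or output.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

AclEntry = Tuple[str, str]  # (source prefix, destination prefix), permit only


def _in(addr: str, prefix: str) -> bool:
    """True when addr falls inside prefix (host entries written as /32)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def dynamic_pat(src: str, dst: str, real_sources: Iterable[str],
                destination: str, pat_ip: str) -> Tuple[str, str]:
    """Model of: nat (inside,outside) source dynamic <grp> interface destination static <A> <A>

    The source is rewritten to pat_ip only when the real source is in the group
    AND the destination is Company A's prefix; any other flow is left alone.
    """
    if any(_in(src, n) for n in real_sources) and _in(dst, destination):
        return pat_ip, dst
    return src, dst


def acl_permits(src: str, dst: str, acl: Iterable[AclEntry]) -> bool:
    """Permit-only crypto ACL: any entry whose source and destination both match."""
    return any(_in(src, s) and _in(dst, d) for s, d in acl)


def tunnel_protects(src: str, dst: str, nat_rule: Dict,
                    local_acl: Iterable[AclEntry],
                    remote_acl: Iterable[AclEntry]) -> bool:
    """True when the flow is encrypted locally AND accepted by the peer's crypto ACL."""
    t_src, t_dst = dynamic_pat(src, dst, **nat_rule)
    # Local side: the crypto map is consulted with the post-NAT addresses.
    if not acl_permits(t_src, t_dst, local_acl):
        return False
    # Peer side: after decryption the inner header must match the peer's ACL in
    # reverse (inner dst is the peer's "source", inner src its "destination").
    return acl_permits(t_dst, t_src, remote_acl)


# Company B's NAT rule from the thread, with a constructed interface address.
B_NAT = dict(real_sources=["172.16.5.0/24", "172.16.6.0/24", "172.16.7.0/24"],
             destination="172.16.10.0/25", pat_ip="203.0.113.2")

# Crypto ACLs as first posted: real inside subnets on both ends.
B_ACL_REAL: List[AclEntry] = [(n, "172.16.10.0/25") for n in B_NAT["real_sources"]]
A_ACL_REAL: List[AclEntry] = [("172.16.10.0/25", n) for n in B_NAT["real_sources"]]

# Crypto ACLs as corrected in the reply: the PAT address on both ends, mirrored.
B_ACL_PAT: List[AclEntry] = [("203.0.113.2/32", "172.16.10.0/25")]
A_ACL_PAT: List[AclEntry] = [("172.16.10.0/25", "203.0.113.2/32")]


def check_both_designs(src: str = "172.16.6.20", dst: str = "172.16.10.40") -> Dict[str, bool]:
    """Compare the two ACL designs for one constructed flow from B to A."""
    return {
        "real_subnets_in_acl": tunnel_protects(src, dst, B_NAT, B_ACL_REAL, A_ACL_REAL),
        "pat_ip_in_acl": tunnel_protects(src, dst, B_NAT, B_ACL_PAT, A_ACL_PAT),
    }


if __name__ == "__main__":
    for design, ok in check_both_designs().items():
        print(f"{design:22s} -> {'protected by tunnel' if ok else 'no crypto ACL match'}")
```

With the real subnets in the ACL the translated packet (source 203.0.113.2) matches nothing and never enters the tunnel, which is the "dropped by an access list" symptom from the earlier reply; with the PAT address in both mirrored ACLs the same flow is protected. A flow to an address outside 172.16.10.0/25 is not translated by the rule at all, which the model also shows.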

For Company B I added "access-list outside_cryptomap extended permit ip interface outside object Outside_RealA"

and for Company A I added "access-list outside_cryptomap extended permit ip object Inside_RealA host ipaddressremotefirewall".

It still does not work. Not sure what I'm missing.

Hi Henry,

Can you share a packet-tracer result from one of the ASAs?

Regards,

Aditya