VPN L2L - ASA 5520 - 8.3.1

Hi guys, I have an ASA 5520 with many VPN LAN-to-LAN and VPN Remote Access tunnels. I have an issue with one VPN LAN-to-LAN where there is an overlapping network
between our inside network and the remote peer. There is a VPN LAN-to-LAN with this configuration:

LAN (INSIDE) - 192.168.0.0/22            INSIDE ASA - 172.16.0.3 - OUTSIDE ASA 94.125.239.251

192.168.1.10 --------------------------------------------192.168.198.7 ---------------------------------------------192.168.201.221
 Real IP                                                 IP SOURCE NAT                                             IP DESTINATION NAT
 Server                                                                                                             (REMOTE PEER)
                                     
Flow without translation : From 192.168.1.10/32 TO 192.168.201.221/32 (NONAT)
Flow with translation :    From 192.168.1.10/32 TO 192.168.201.221/32 (IP SOURCE NAT 192.168.198.7) - CRYPTO
            
Flow without translation : From 192.168.201.221/32 TO 192.168.198.7/32 ---------------> FROM REMOTE PEER TO ASA - CRYPTO
Flow with translation :    From 192.168.198.7/32 TO 192.168.1.10/32 ------------------> STATIC NAT ASA
 

Below is the configuration:

access-group Traffico-Outbound-Inside-Outside in interface INSIDE
access-list Traffico-Outbound-Inside-Outside extended permit ip host 192.168.1.10 host 192.168.201.221

access-list VPNL2LCryptoOasi extended permit ip host 192.168.198.7 host 192.168.201.221
access-list VPNL2LFilterOasi extended permit icmp host 192.168.201.221 host 192.168.198.7
access-list VPNL2LFilterOasi extended permit tcp host 192.168.201.221 range 1024 65535 host 192.168.198.7 eq 7006
access-list VPNL2LFilterOasi extended permit tcp host 192.168.201.221 eq 6006 host 192.168.198.7 range 1024 65535

nat (INSIDE,OUTSIDE) source dynamic VPNL2LOasiNAT-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNL2LOasiNAT-192.168.201.221-dst
nat (INSIDE,OUTSIDE) source static VPNnonat-192.168.198.7-src VPNnonat-192.168.198.7-src destination static VPNnonat-192.168.201.221-dst VPNnonat-192.168.201.221-dst

object network VPNL2LOasiNAT-IPSRC
 nat (OUTSIDE,INSIDE) static 192.168.1.10

crypto ipsec transform-set OasiBeeInsSet esp-aes esp-md5-hmac
crypto map outside_map 110 match address VPNL2LCryptoOasi
crypto map outside_map 110 set peer 194.185.233.36
crypto map outside_map 110 set transform-set OasiBeeInsSet

tunnel-group 194.185.233.36 type ipsec-l2l
tunnel-group 194.185.233.36 general-attributes
 default-group-policy 194.185.233.36
tunnel-group 194.185.233.36 ipsec-attributes
 pre-shared-key *****

group-policy 194.185.233.36 internal
group-policy 194.185.233.36 attributes
 vpn-filter value VPNL2LFilterOasi

When the server 192.168.1.10 in the INSIDE network tries to telnet to 192.168.201.221 6006, all is OK. But when 192.168.201.221 telnets to 192.168.198.7, in the log I see:

Oct 24 06:29:57 172.16.0.3 Oct 24 2014 06:29:57 IDC-CISCOFWUS-02 : %ASA-6-302014: Teardown TCP connection 2051276 for OUTSIDE:192.168.201.221/59712 to OUTSIDE:192.168.198.7/7006 duration 0:00:00 bytes 0 Flow is a loopback
 
I tried to follow the link http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/, which is the example cited in most discussions on the Cisco forum. Mapped onto my configuration, my situation is:

For their 192.168.1.0/24 -> My host network is 192.168.1.10
For their 192.168.2.0/24 -> My host network is 192.168.198.7
For their 192.168.3.0/24 -> My host network is 192.168.201.221

So, here is my configuration:

nat (INSIDE,OUTSIDE) source dynamic VPNL2LOasiNAT-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNL2LOasiNAT-192.168.201.221-dst
nat (inside,outside) source static VPNnonat-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNnonat-192.168.1.10-src

object network VPNL2LOasiNAT-192.168.1.10-src
  nat (outside,inside) static 192.168.201.221
 
With this configuration, it is not possible to telnet to 192.168.201.221 6006.

I tried to route 192.168.198.7 towards INSIDE, and the error is no longer in the log, but there is a SYN timeout on the packets for 192.168.198.7.
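To see how the three observations in the post fit together (the "Flow is a loopback" teardown with the dynamic rule, the SYN timeout once 192.168.198.7 is routed INSIDE, and what a static source translation would do instead), here is an added Python model of the ASA's NAT-driven egress-interface choice; it is not from the post or from Cisco. It assumes a simplified lookup (a matching twice-NAT rule decides egress, otherwise the longest-prefix route does), omits object NAT, and the STATIC rule is a hypothetical variant rather than the posted configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TwiceNat:
    """One 'nat (real_ifc,mapped_ifc) source ... destination static ...' rule."""
    real_ifc: str
    mapped_ifc: str
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str
    static: bool  # static source = bidirectional; dynamic = only the real side may initiate


def lookup_egress(rules, routes, ingress, src, dst):
    """Return (egress interface, destination after untranslation) for a new flow.

    Simplified model (assumption): the first matching twice-NAT rule decides the
    egress interface; with no match, the routing table (longest prefix) decides.
    """
    for r in rules:
        # forward: packet enters the real interface as real_src -> real_dst
        if ingress == r.real_ifc and src == r.real_src and dst == r.real_dst:
            return r.mapped_ifc, r.mapped_dst
        # reverse: packet enters the mapped interface aimed at mapped_src; a
        # dynamic source translation cannot be initiated from the mapped side
        if (r.static and ingress == r.mapped_ifc
                and src == r.mapped_dst and dst == r.mapped_src):
            return r.real_ifc, r.real_src
    target = ipaddress.ip_address(dst)
    best = max((p for p in routes if target in ipaddress.ip_network(p)),
               key=lambda p: ipaddress.ip_network(p).prefixlen)
    return routes[best], dst  # no NAT rule: egress from the route, destination untouched


def classify(rules, routes, ingress, src, dst):
    egress, real_dst = lookup_egress(rules, routes, ingress, src, dst)
    if egress == ingress:
        return "Flow is a loopback"  # the reason %ASA-6-302014 reported in the post
    return f"forward to {egress}:{real_dst}"


# Rule as posted: dynamic source 192.168.1.10 -> 192.168.198.7, identity destination
DYNAMIC = TwiceNat("INSIDE", "OUTSIDE", "192.168.1.10", "192.168.198.7",
                   "192.168.201.221", "192.168.201.221", static=False)
# Hypothetical static variant of the same rule (constructed, not from the post)
STATIC = TwiceNat("INSIDE", "OUTSIDE", "192.168.1.10", "192.168.198.7",
                  "192.168.201.221", "192.168.201.221", static=True)
ROUTES = {"0.0.0.0/0": "OUTSIDE", "192.168.0.0/22": "INSIDE"}  # constructed routing table
ROUTED_198 = dict(ROUTES, **{"192.168.198.7/32": "INSIDE"})  # the "route INSIDE" attempt

if __name__ == "__main__":
    inbound = ("OUTSIDE", "192.168.201.221", "192.168.198.7")
    print(classify([DYNAMIC], ROUTES, *inbound))      # Flow is a loopback
    print(classify([STATIC], ROUTES, *inbound))       # forward to INSIDE:192.168.1.10
    print(classify([DYNAMIC], ROUTED_198, *inbound))  # forward to INSIDE:192.168.198.7
```

The last case shows why the route alone gives a SYN timeout: the packet now leaves towards INSIDE, but its destination is still 192.168.198.7, where no server listens.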
