VPN tunnel with embedded subnet

gigatekcc
Level 1

I have an ASA 5505 at v8.2. We have been using a tunnel to a PIX in a remote office successfully for years. Originally, the main office was 192.168.0.0/24 and the remote office was 192.168.1.0/24. Recently we needed to expand the subnet at the main office to accommodate more devices, so now the main office is 192.168.0.0/22, which of course contains the remote office's subnet. The tunnel is established and I am receiving packets from the remote office, but packets are not being sent there (RX count is high, TX count is 0). I assume that this is a traffic selection problem, but adding a 'route outside 192.168.1.0 255.255.255.0 {outside gateway ip} 1' does not help. Any suggestions? Here is my config:

: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
name 192.168.1.0 Home
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.252.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.242.246.201 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service rww tcp
 description Remote Web Workplace
 port-object eq 4125
object-group service rdp tcp
 description 3396
 port-object range 3394 3399
 port-object range 3385 3390
 port-object range 3392 3394
object-group service Server tcp
 description 987
 group-object rww
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq pptp
 group-object rdp
 port-object eq 444
 port-object eq 446
 port-object range 902 903
 port-object eq 987
 port-object eq imap4
 port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service smtp-26 tcp
 port-object eq 26
object-group service DM_INLINE_UDP_1 udp
 port-object eq snmp
 port-object eq snmptrap
object-group network DM_INLINE_NETWORK_1
 network-object host xx.xx.xx.xx
 network-object host xx.xx.xx.xx
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit gre any any 
access-list outside_access_in_1 extended permit tcp any any object-group Server 
access-list outside_access_in_1 extended permit tcp object-group DM_INLINE_NETWORK_1 any object-group smtp-26 
access-list outside_access_in_1 extended permit gre any any 
access-list outside_access_in_1 extended permit icmp any any 
access-list 100 extended permit ip 192.168.0.0 255.255.252.0 Home 255.255.255.0 
access-list outside_cryptomap_20.1_1 extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.252.0 Home 255.255.255.0 
access-list inside_access_in extended permit udp any any object-group DM_INLINE_UDP_1 
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 192.168.0.0 255.255.252.0 Home 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging trap informational
logging history informational
logging asdm informational
logging host inside Server
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 50.242.246.206 1
route inside 10.1.10.0 255.255.255.0 192.168.0.112 1
route outside Home 255.255.255.0 50.242.246.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 match address outside_cryptomap_20.1_1
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 1 match address outside_cryptomap
crypto map dyn-map 1 set peer {remote office gateway IP} 
crypto map dyn-map 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28
tftp-server inside Terminal /asa120214-2.cfg
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group {remote office external IP} type ipsec-l2l
tunnel-group {remote office external IP} ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:90aa72e00e4dca9f3ba3f449fb851179
: end
asdm image disk0:/asdm-621.bin
no asdm history enable
1 Reply

Jouni Forss
VIP Alumni

Hi,

It's a problem that you have configured overlapping networks in the first place.

The problem probably has to do with the fact that your internal Main Office network thinks the hosts in the range 192.168.1.0/24 are included in its local network and therefore tries to ARP for the destination addresses' MAC addresses and fails, since the hosts aren't located on its local network.

For the traffic to even get forwarded to the ASA the ASA would have to use Proxy ARP to reply to those ARP requests.

But to me it seems a better idea to NAT the Remote Office network to some other /24 network before the L2L VPN connection and change the L2L VPN configurations to reflect that change.

You would want to have ONLY this ACL rule in the "crypto map" line using the ACL (you could replace the old ACL with this one)

access-list L2LVPN permit ip 192.168.0.0 255.255.252.0 192.168.100.0 255.255.255.0

Where the network 192.168.100.0/24 would be the new NAT network for Remote Site.

Your NAT0 ACL on Main Site should only contain the following line

access-list 100 permit ip 192.168.0.0 255.255.252.0 192.168.100.0 255.255.255.0

On the Remote Site PIX you would need to remove the NAT0 configuration and instead configure Static Policy NAT

access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.252.0

static (inside,outside) 192.168.100.0 access-list L2LVPN-POLICYNAT

And the L2L VPN "crypto map" ACL would be

access-list L2LVPN permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.252.0

Naturally though again if you need access to the 192.168.1.0/24 range on the Main Office from the Remote Office you would need to perform NAT on the Main Office also. (As Remote Office would be in that case connecting to the same network that it has)

As you can see it can get a bit complex.

Other than this you might have easier time changing some local network. Perhaps at the Remote Office for example.

- Jouni
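The two points above (the remote /24 now sits inside the main office's /22, and the proposed fix is to present the remote office behind a translated prefix with mirror-image crypto ACLs) can be checked mechanically. The following Python is an added example written for this page, not code from the original poster, from the reply, or from Cisco. It uses the prefixes in the thread plus the 192.168.100.0/24 translated prefix the reply proposes; the hypothetical `simulate()` function walks one main-office-to-remote packet through the fixed design and the `AclEntry` records stand in for the `permit ip` lines of the crypto ACLs.

```python
"""Model of the overlapping-subnet L2L VPN problem and the policy-NAT fix.

Added example for this thread; not the poster's config, the reply's, or Cisco code.
Prefixes: MAIN_LAN and REMOTE_LAN come from the thread, REMOTE_NAT is the
translated prefix suggested in the reply. Everything else is an assumption.
"""
import ipaddress
from typing import List, NamedTuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


class AclEntry(NamedTuple):
    """One 'permit ip <src> <dst>' line of a crypto ACL (hypothetical model)."""
    src: IPv4Net
    dst: IPv4Net


# Main office widened to /22; remote office unchanged (from the thread).
MAIN_LAN = ipaddress.ip_network("192.168.0.0/22")
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")
# Translated prefix for the remote office, as proposed in the reply.
REMOTE_NAT = ipaddress.ip_network("192.168.100.0/24")


def overlapping(local_lan: IPv4Net, peer_lan: IPv4Net) -> bool:
    """True when the peer's encryption-domain prefix overlaps the local interface prefix.

    This is the condition that breaks the original design: 192.168.1.0/24 is
    inside 192.168.0.0/22, so it fails; the translated /24 does not.
    """
    return local_lan.overlaps(peer_lan)


def treated_as_local(host_lan: IPv4Net, dst: IPv4Addr) -> bool:
    """A host on host_lan ARPs for dst directly, instead of sending it to its
    gateway, whenever dst falls inside its own subnet mask (the reply's point)."""
    return dst in host_lan


def policy_nat(addr: IPv4Addr, from_net: IPv4Net, to_net: IPv4Net) -> IPv4Addr:
    """Prefix-to-prefix static policy NAT: keep the host bits, swap the prefix.

    Models 'static (inside,outside) 192.168.100.0 access-list L2LVPN-POLICYNAT'
    on the PIX (192.168.1.x <-> 192.168.100.x). Addresses outside from_net pass
    through untouched. Called with the arguments reversed it un-translates.
    """
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("real and mapped prefixes must be the same size")
    if addr not in from_net:
        return addr
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def matches(acl: List[AclEntry], src: IPv4Addr, dst: IPv4Addr) -> bool:
    """True when the packet is 'interesting traffic' for this crypto ACL."""
    return any(src in e.src and dst in e.dst for e in acl)


def is_mirror(local_acl: List[AclEntry], peer_acl: List[AclEntry]) -> bool:
    """Crypto ACLs on the two peers must be exact mirror images of each other."""
    return {(e.src, e.dst) for e in local_acl} == {(e.dst, e.src) for e in peer_acl}


# Crypto ACLs after the fix: ASA side and PIX side (PIX uses the translated prefix).
ASA_CRYPTO = [AclEntry(MAIN_LAN, REMOTE_NAT)]
PIX_CRYPTO = [AclEntry(REMOTE_NAT, MAIN_LAN)]


def simulate(src: str, dst: str) -> dict:
    """Walk one main-office -> remote packet through the fixed design."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    result = {"treated_as_local": treated_as_local(MAIN_LAN, d)}
    if result["treated_as_local"]:
        # Never reaches the ASA, so it can never be encrypted: the TX=0 symptom.
        result["encrypted"] = False
        return result
    result["encrypted"] = matches(ASA_CRYPTO, s, d)
    if result["encrypted"]:
        # The PIX un-translates the mapped destination back to the real remote host.
        result["delivered_to"] = str(policy_nat(d, REMOTE_NAT, REMOTE_LAN))
    return result


if __name__ == "__main__":
    print("overlap before fix:", overlapping(MAIN_LAN, REMOTE_LAN))
    print("overlap after fix: ", overlapping(MAIN_LAN, REMOTE_NAT))
    print("ACLs mirror:       ", is_mirror(ASA_CRYPTO, PIX_CRYPTO))
    print(simulate("192.168.0.50", "192.168.1.20"))
    print(simulate("192.168.0.50", "192.168.100.20"))
```

Running the script shows the before/after contrast: a packet to 192.168.1.20 is swallowed by the sending host's own ARP (never encrypted), while a packet to 192.168.100.20 leaves the /22, matches the ASA crypto ACL, and is un-translated by the PIX to 192.168.1.20. As the reply notes, the reverse direction into the main office's own 192.168.1.0/24 slice still needs a second translation on the ASA side; that case is deliberately left out of the model. Unrelated to the overlap, the posted transform set and ISAKMP policy (esp-des, md5, group 1) are far below current minimums; if both peers are being touched for this renumbering anyway, that is the moment to move them to AES/SHA with a stronger DH group.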
