ASA 5510 VPN with Virtual IPs

vs1784001
Level 1

Hi,

 

I am told to create a VPN with a partner company.

We have the private networks below in our infrastructure:

192.168.50.0
192.168.2.0
192.168.4.0
192.168.3.0
192.168.80.0
192.168.1.0
192.168.25.0
192.168.75.0
192.168.8.0
192.168.9.0
192.168.7.0
192.168.6.0
192.168.10.0
192.168.27.0
192.168.5.0
192.168.175.0
192.168.160.0
192.168.20.0
 

Basically it is 192.168.0.0/17, with the above /24 subnets having working devices.

They have opened up for us: 192.168.7.0/24, 192.168.50.0/24 and 192.168.86.0/24.

The tunnel is set up and working, and I can access from 192.168.7.X and 192.168.50.X.

My problem is to make the other subnets work; they have opened the tunnel for 192.168.0.0/17 but provided access only for the above 3 subnets on their ACL, i.e. 192.168.7.0, 192.168.50.0, 192.168.86.0.

Can I create some kind of virtual IPs on 192.168.86.0 so that any IP from the other subnets, e.g. 192.168.1.x, can connect to the tunnel at the other end?

Tunnel IPs are on the 10.10.86.0 subnet. I have read the Cisco docs but could not figure this out from anything in there, as it is too confusing.

Another way I thought we could do this is to use 192.168.68.x as source NAT to communicate with the tunnel, but I'm not sure if that is the solution here or not.

Thanks,

Vishal

8 Replies

Stefan Menning
Level 1

I am not sure if I understand you correctly. The remote (partner) network is 10.10.86.0/24. The partner only allows access from your networks:

-192.168.7.0/24

-192.168.50.0/24

-192.168.86.0/24

Now you want to access from all your private 192.168.0.0/17 networks to 10.10.86.0/24?

If so, you could configure dynamic NAT:

nat (inside,outside) source dynamic obj-internal nat-pool destination static obj-10.10.86.0 obj-10.10.86.0

object-group network obj-internal
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 ...
object-group network nat-pool
 network-object 192.168.86.0 255.255.255.0

object-group network obj-10.10.86.0
 network-object 10.10.86.0 255.255.255.0

 

This did not work.

See the networks I have:

object-group network INT_INTERNAL
 network-object SNET_TWO 255.255.255.0
 network-object SNET_THREE 255.255.255.0
 network-object SNET_FOUR 255.255.255.0
 network-object SNET_ONE 255.255.255.0
 network-object SNET_TWOFIVE 255.255.255.0
 network-object SNET_EIGHT 255.255.255.0
 network-object SNET_NINE 255.255.255.0
 network-object SNET_SEVEN 255.255.255.0
 network-object SNET_SIX 255.255.255.0
 network-object TRAINING 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.10.86.0 255.255.255.0
object-group network PARTNER_NAT
 network-object 192.168.86.0 255.255.255.0

 

 

I am running the config command below:

nat(inside,outside) source dynamic INT_INTERNAL PARTNER_NAT dest static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2

 

And it says invalid command; I got the error below:

 

nat(inside,outside) source dynamic INT_INTERNAL PARTNER_NAT dest static DM_INLI   ^NE_NETWORK_2 DM_INLINE_NETWORK_2

ERROR: % Invalid input detected at '^' marker.

 

It seems like you are missing a space between "nat" and "(inside,outside)"; the rest of the command looks good.

Nope.

It was a typing mistake when I replied to this forum.

The space is there.

I did try to change the object names, but it gives me the error at a specific place only, i.e. "^" is always at character # 80.

I think it has something to do with the command length. Is it possible?

The ASA in question is version 8.2; I think your command is for 8.3 or later.

Oops, yes you are right - I was expecting ASA OS 8.3 or later. Then you need to use policy NAT:

access-list vpn-nat-to-partner permit ip object-group INT_INTERNAL 10.10.86.0 255.255.255.0

global (outside) <num> 192.168.86.0 netmask 255.255.255.0

nat (inside) <same_num_as_above> access-list vpn-nat-to-partner

This seems to be working. Let me check at my partner's end if they see this.

Does it have any effect on user computers? Will they continue working as they are right now?

For example, will 192.168.7.11, which is on an allowed subnet and connects to the VPN, be NATted as well, since it is part of the object group?

If that is the case, I can create another object group which does not have 7.x and 50.x, but I'm not sure if the ASA allows object groups with overlapping subnets in them.

All traffic matching access-list vpn-nat-to-partner will be NATed to the 192.168.86.0 pool.

So yes, 192.168.7.11 will be NATed (but only) when it connects to IPs in the 10.10.86.0 net.

If you wish to exclude clients from this policy NAT, you will need a different object-group (beware: deny statements in policy-NAT ACLs will NOT work).

Otherwise you can use simple ip-network statements in the vpn-nat-to-partner ACL, working with multiple "permit" lines.
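As an added worked example (not configuration from this thread or from either poster), here is the complete ASA 8.2 policy-NAT setup the last two replies describe: the two subnets the partner already permits are left out of the NAT source group, and the 8.2 NAT order of operations is accounted for. Object names, NAT id 2, the pool/PAT split and the "nonat" exemption ACL name are assumptions.

```cisco
! Added example, not the thread's own config. ASA 8.2 policy NAT that hides only
! the subnets the partner has not allowed behind the 192.168.86.0/24 pool, while
! 192.168.7.0/24 and 192.168.50.0/24 keep their real addresses. Object names,
! NAT id 2, the pool/PAT split and the "nonat" ACL name are assumptions.
!
! 1. Source group without the two permitted subnets, so no overlap is needed
object-group network PARTNER_NAT_SOURCES
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
 network-object 192.168.8.0 255.255.255.0
 network-object 192.168.9.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.25.0 255.255.255.0
 network-object 192.168.27.0 255.255.255.0
 network-object 192.168.75.0 255.255.255.0
 network-object 192.168.80.0 255.255.255.0
 network-object 192.168.160.0 255.255.255.0
 network-object 192.168.175.0 255.255.255.0
object-group network PARTNER_NET
 network-object 10.10.86.0 255.255.255.0
!
! 2. Policy NAT ACL: permit entries only (deny entries are not honoured here)
access-list vpn-nat-to-partner extended permit ip object-group PARTNER_NAT_SOURCES object-group PARTNER_NET
!
! 3. Mapped pool plus a PAT fallback under the same id, and the policy NAT rule.
!    NAT runs before the crypto map match, so the tunnel ACL must include the
!    mapped 192.168.86.0/24 (the existing 192.168.0.0/17 entry already does).
global (outside) 2 192.168.86.1-192.168.86.253 netmask 255.255.255.0
global (outside) 2 192.168.86.254 netmask 255.255.255.0
nat (inside) 2 access-list vpn-nat-to-partner
!
! 4. In 8.2 NAT exemption (nat 0) is evaluated before policy NAT, so the existing
!    exemption must cover only the two subnets the partner permits as-is.
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 object-group PARTNER_NET
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 object-group PARTNER_NET
nat (inside) 0 access-list nonat
!
! 5. Checks: the first trace should show the policy NAT rule translating the
!    source, the second should show exemption leaving 192.168.7.11 untouched.
packet-tracer input inside tcp 192.168.1.10 40000 10.10.86.10 443
packet-tracer input inside tcp 192.168.7.11 40000 10.10.86.10 443
show xlate
```

Because the partner only ever sees pool addresses for the hidden subnets, the ASA's xlate table and syslog are the only records that tie a flow back to a real internal host, so retain them if per-host accountability matters.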