
CIsco ASA Configurations Guide 5508

Hamidsattarrana
Level 1

Hello Guys,

We have a Cisco ASA 5508 on the Leaseweb cloud. We have almost 17 site-to-site VPN instances. I have attached the screenshot; for security reasons I have hidden the public IP address. The Local Network in the attached screenshot is the same subnet, 10.12.192.0/24, with no NAT. It is named LAN_Access.

The issue is that I try to make 2 more VPN tunnels with the same LAN_Access (10.12.192.0/24), but during configuration there is a warning: "The protected traffic overlaps with that of the connection profile to XX.XX.XX.XX", where XX.XX.XX.XX is the public IP of another remote IPsec peer. It is also using the same LAN_Access as its local network (10.12.192.0/24). The warning also says: "This can cause traffic initiated from the local network which is intended to go through YY.YY.YY.YY" (the new public IP address of the IPsec remote peer) "to go through XX.XX.XX.XX instead."

XX.XX.XX.XX VPN profile is at the top. And the new YY.YY.YY.YY is at the bottom.

I don't understand what it means or why it is happening. Maybe it's because there is the same LAN_Access (10.12.192.0/24) for all of the VPN profiles?

Also, what does the priority number mean in Edit IPsec site-to-site connection profile >>> Advanced >>> Crypto Map Entry >>> Priority?

The priority of XX.XX.XX.XX is 2 and the priority of YY.YY.YY.YY is 17.

Please advise on this: what should I do, and what is the issue?

ASA inside Network: 10.12.192.0/24

ASA Outside Network: 176.9.102.214

The default gateway is: 176.9.102.215

Thanks in advance.

Attachments: Overlapping Error.png, Site-to-Site.png

16 Replies

Can you check the set peer IP together with the objects you use (local and remote LAN)?
There is a conflict; that is the meaning of the message.

MHM

Hello there,

Sorry, I did not understand. I am not an expert. Can you please explain a little bit?

Thanks

@Hamidsattarrana it sounds like the remote network (the protected network) for this new VPN is the same as an existing VPN's, therefore it is overlapping, which would cause problems. Check the other remote networks' ACLs to confirm whether the network overlaps.

@Rob Ingram so it is due to the same remote network in some ACL, not the local network of the firewall itself?

On the GUI there are many objects. Is there any way I can use a command on the CLI to check all the remote network IP addresses?

Thanks

show run object-group network | i object-group| <IP>
Use this to find whether the IP appears in any object group.


In <IP> I have to add the remote LAN network, right?

Correct.

If it appears in an object group that is used in NAT, in an ACL or for another peer, then you can delete or tune that object group.
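Two things in this thread lend themselves to a worked check: the ASDM overlap warning and "Priority" question in the opening post, and the object-group search suggested in this reply. The ASA evaluates crypto map entries in ascending sequence order (ASDM shows the sequence number as "Priority"), so when two entries' crypto ACLs both match a packet, the lower sequence number wins and the traffic is sent to that entry's peer. The `show run ... | include object-group| <IP>` regex above is an alternation, so it also prints every `object-group network ...` header line regardless of the address, which is why every group name appears in the output. The script below is an added example, not from the thread or from Cisco: it parses a constructed ASA config fragment (invented group names, ACL names, peer addresses and prefixes), flattens object groups into prefixes, lists every pair of crypto map entries whose protected traffic overlaps together with which sequence number shadows which, and reports object groups that overlap a given prefix semantically rather than by text match. It handles only `network-object <net> <mask>`, `network-object host`, `object-group`, `host`, `<net> <mask>` and `any` operands; other ASA syntax is ignored.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample config fragment; names, peers and prefixes are invented for illustration.
SAMPLE_CONFIG = """
object-group network LAN_Access
 network-object 10.12.192.0 255.255.255.0
object-group network SiteA_VPN_subnets
 network-object 10.20.0.0 255.255.0.0
object-group network SiteB_VPN_subnets
 network-object 10.0.0.0 255.0.0.0
object-group network SiteC_VPN_subnets
 network-object 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip object-group LAN_Access object-group SiteA_VPN_subnets
access-list outside_cryptomap_17 extended permit ip object-group LAN_Access object-group SiteB_VPN_subnets
access-list outside_cryptomap_20 extended permit ip object-group LAN_Access object-group SiteC_VPN_subnets
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 198.51.100.10
crypto map outside_map 17 match address outside_cryptomap_17
crypto map outside_map 17 set peer 203.0.113.20
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.30
"""


def parse_object_groups(cfg):
    """Map object-group name -> list of IPv4Network (network-object lines only)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.strip().startswith("network-object "):
            parts = line.split()
            if parts[1] == "host":
                groups[current].append(ipaddress.ip_network(parts[2]))
            elif parts[1] != "object":  # nested 'object' references are not resolved here
                groups[current].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return groups


def _addr(tokens, i, groups):
    """Decode one ACL address operand starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_crypto_acls(cfg, groups):
    """Map ACL name -> list of (src networks, dst networks) for 'permit ip' entries."""
    acls = {}
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (.*)", line)
        if not m:
            continue
        tokens = m.group(2).split()
        src, i = _addr(tokens, 0, groups)
        dst, _ = _addr(tokens, i, groups)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_crypto_map(cfg):
    """Map crypto map sequence number (ASDM 'Priority') -> {'acl': ..., 'peer': ...}."""
    entries = {}
    for line in cfg.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", line)
        if m:
            entry = entries.setdefault(int(m.group(2)), {})
            entry["acl" if m.group(3) == "match address" else "peer"] = m.group(4)
    return entries


def _pairs(acls, acl_name):
    """Flatten an ACL into (src prefix, dst prefix) pairs."""
    return [(s, d) for src, dst in acls.get(acl_name, []) for s in src for d in dst]


def find_overlaps(cfg):
    """Return (winning seq, shadowed seq, winning peer, shadowed peer, src, dst) for every
    pair of crypto map entries whose protected traffic overlaps. Entries are evaluated in
    ascending sequence order, so the lower number wins the shared src->dst prefix."""
    groups = parse_object_groups(cfg)
    acls = parse_crypto_acls(cfg, groups)
    cmap = parse_crypto_map(cfg)
    hits = []
    for lo, hi in combinations(sorted(cmap), 2):
        for s1, d1 in _pairs(acls, cmap[lo]["acl"]):
            for s2, d2 in _pairs(acls, cmap[hi]["acl"]):
                if s1.overlaps(s2) and d1.overlaps(d2):
                    # Of two overlapping CIDR prefixes the longer one is the shared part.
                    src = s1 if s1.prefixlen >= s2.prefixlen else s2
                    dst = d1 if d1.prefixlen >= d2.prefixlen else d2
                    hits.append((lo, hi, cmap[lo]["peer"], cmap[hi]["peer"], str(src), str(dst)))
    return hits


def groups_overlapping(cfg, cidr):
    """Semantic counterpart of the 'include' search: names every object group that has a
    member overlapping the given prefix, instead of matching the address as text."""
    net = ipaddress.ip_network(cidr, strict=False)
    return sorted(name for name, nets in parse_object_groups(cfg).items()
                  if any(n.overlaps(net) for n in nets))


if __name__ == "__main__":
    for lo, hi, p_lo, p_hi, src, dst in find_overlaps(SAMPLE_CONFIG):
        print(f"seq {lo} (peer {p_lo}) shadows seq {hi} (peer {p_hi}) for {src} -> {dst}")
    print(groups_overlapping(SAMPLE_CONFIG, "10.0.0.0/8"))
```

Run it as-is to see that, in the sample, sequence 2's 10.20.0.0/16 tunnel captures the traffic that sequence 17's 10.0.0.0/8 tunnel would otherwise carry, which is the situation the ASDM warning describes. Replace `SAMPLE_CONFIG` with the output of `show running-config` (object groups, crypto ACLs and `crypto map` lines) to check a real box; only IPv4 `permit ip` entries are considered.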

show run object-group network | i object-group| 10.0.0.0

Output:

Result of the command: "show run object-group network | i object-group| 10.0.0.0"

object-group network www_servers
object-group network VM_Management
object-group network VM_Access
object-group network Remote_Sites_RDP
object-group network ESXi&Vsphere
object-group network DM_INLINE_NETWORK_1
object-group network VPN_Retail_Subnets
object-group network VPN_Retail_Printers
object-group network VPN_Accessed_Servers
object-group network SQL_servers
object-group network VPN_ROA_VC_Hosts
object-group network Medway_VPN_subnets
object-group network AFCO_VPN_subnets
object-group network Amherst_VPN_subnets
object-group network Hanover_VPN_subnets
object-group network Newtown_VPN_subnets
object-group network Concord_VPN_subnets
object-group network Rowley_VPN_subnets
object-group network Shrewsburry_VPN_subnets
object-group network South_Hadley_VPN_subnets
object-group network Westbrook_VPN_subnets
object-group network Saint_Sebastein_VPN_subnets
object-group network ROA_VC_2022
object-group network c4c_1271732

Wow. Open one of them and check whether 10.0.0.0 is indeed used or not.
MHM

I think you use subnets of 10.x.x.x/x in these objects and the new remote LAN is 10.0.0.0/8.
That is why it appears in all these objects; to be sure, do more checks.
Thanks
MHM

I did not see 10.0.0.0/8 but I see some 10.0.0.0/16 network.

Can you ask the other end to change their LAN? Explain the issue to them.
If they run ASA or FTD they can NAT their LAN to any other subnet that does not conflict with yours.
Sorry for this bad news.
MHM

@Hamidsattarrana unfortunately that doesn't help us.

What is the remote network of the new VPN you are creating?

What is the remote network (the protected network) that belongs to connection profile XX.XX.XX.XX, which is the network that is overlapping?

Firewall Local Address: 10.12.192.0/24

Firewall Public Address: XX.XX.XX.XX

Remote side Public Address: YY.YY.YY.YY

Remote side local Network: 10.0.0.0/8