cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1717
Views
7
Helpful
5
Replies

IPSEC with one overlapping subnet

davidwatson1
Level 1
Level 1

Hi

 

I have an issue with setting up an IPSEC where we have 3 subnets to route through where one subnet is overlapping.

On Client1 we are trying to allow access to a server 192.168.100.10 where they also have a network on 192.168.0.0/24. On Client2 end, we have 192.168.0.0/24, 3/24 and 2/24.

Ive followed some documentation (
http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/) ; but am a little confused about the tunnel initiation, so i leave the source as the normal ip but do the translatated ip as the remote?

//crypto acl–attached to crypto map
access-list L2LAccessList extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
!
//policy nat acl–attached to static
access-list SRC_Translation extended permit ip 192.168.0.0 255.255.255.0 192.168.201.0 255.255.255.0

//policy nat translation
//translates a source of
//192.168.0.x/24 to
//192.168.200.0/24 only when
//the destination is 192.168.201.0/24
static (inside,outside) 192.168.200.0 access-list SRC_Translation


//outbound packets going to
//192.168.201.0/24 should have
//the destination changed
//to 192.168.0.0/24
static (outside,inside) 192.168.201.0 192.168.0.0 netmask 255.255

For the tunnel-

object-group network DM_INLINE_NETWORK_4
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0

 network-object 192.168.3.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 

access-list SRC_Translation extended permit ip 192.168.0.0 255.255.255.0 192.168.201.0 255.255.255.0 

 

Basically what im trying to do is-

Remote host network 192.168.0.0 to the server on 192.168.100.10, remote network-> local ASA, translate trafffic to 192.168.201, hit server, return traffic translate back to 192.168.0.0 and return across tunnel.

Remote network host 192.168.3.0 to the server on 192.168.100.10, remote network-> local ASA, traverse ipsec, hit server, return back and no need to translate at all

Hope this makes sense

thanks

David

 

5 Replies 5

Dinesh Moudgil
Cisco Employee
Cisco Employee

Hi David,

Please check this document and it will give you more insight as to how to setup tunnel with overlapping subnets.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html

Important point is local network would have to communicate to remote network via translated addresses.i.e. you won't be able to use actual IP's for the communication.

 

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh

 

Thanks for the response. Ive seen this doc and it requires you to make changes on both ends of the IPSEC. Are you able translate it and send it across VPN? We do not need the same subnet on both ends to see each other, but we need a server on our end to be able to route back to their end. As an example, remote end client on 192.168.0.0/24 communicates to 192.168.100.90, comes across VPN, hits our end (which has 192.168.0.0/24 network also), firewall translates traffic from the other end to 192.168.200.0/24, hits server, then going back translates it back to 192.168.0.0?

Be great if we can do the work from our end only

thanks

Assuming 192.168.0.1 on remote side needs to talk to 192.168.100.90 on our side.

On remote side , 192.168.0.1 translates to 192.168.200.1 when communicating to 192.168.100.90
nat (inside,outside) source static obj_192.168.0.1 obj_192.168.200.1 destination static obj_192.168.100.90 obj_192.168.100.90 route-lookup

Then the crypto access-list will be configured for source proxy 192.168.200.0 going to destination proxy 192.168.100.0.

Other way is

On local side, incoming traffic changes from 192.168.0.1 to 192.168.200.1 when talking to 192.168.100.90
nat (outside,inside) source static obj_192.168.0.1 obj_192.168.200.1 destination static obj_192.168.100.90 obj_192.168.100.90 route-lookup

In this case, crypto access-list will be from source proxy 192.168.100.0 to  192.168.200.0.
Hope this helps.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh

 

thanks, i like the other way of doing the work on the local side, however the route-lookup command isnt there. This firewall is on 8.2, is it only supported from 8.4?

 

thanks

Yes, that was added in 8.4 series.

Since you are using 8.2 code , you can use this document to configure natting:-

ASA Pre-8.3 to 8.3 NAT configuration examples
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples


Hope this helps.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/