
IPSEC with one overlapping subnet

davidwatson1
Level 1

Hi
I have an issue with setting up an IPSEC tunnel where we have 3 subnets to route through, and one subnet is overlapping.

On Client1 we are trying to allow access to a server 192.168.100.10, where they also have a network on 192.168.0.0/24. On the Client2 end, we have 192.168.0.0/24, 3/24 and 2/24.

I've followed some documentation (http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/), but am a little confused about the tunnel initiation: so I leave the source as the normal IP but use the translated IP as the remote?

! crypto acl - attached to crypto map
access-list L2LAccessList extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! policy nat acl - attached to static
access-list SRC_Translation extended permit ip 192.168.0.0 255.255.255.0 192.168.201.0 255.255.255.0
!
! policy nat translation
! translates a source of 192.168.0.x/24 to 192.168.200.0/24
! only when the destination is 192.168.201.0/24
static (inside,outside) 192.168.200.0 access-list SRC_Translation
!
! outbound packets going to 192.168.201.0/24 should have
! the destination changed to 192.168.0.0/24
static (outside,inside) 192.168.201.0 192.168.0.0 netmask 255.255.255.0

For the tunnel:

object-group network DM_INLINE_NETWORK_4
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group DM_INLINE_NETWORK_4

access-list SRC_Translation extended permit ip 192.168.0.0 255.255.255.0 192.168.201.0 255.255.255.0
Basically what I'm trying to do is:

Remote host network 192.168.0.0 to the server on 192.168.100.10: remote network -> local ASA, translate traffic to 192.168.201, hit server, return traffic translated back to 192.168.0.0 and returned across the tunnel.

Remote network host 192.168.3.0 to the server on 192.168.100.10: remote network -> local ASA, traverse IPsec, hit server, return back, no need to translate at all.

Hope this makes sense.

Thanks

David
5 Replies

Dinesh Moudgil
Cisco Employee

Hi David,

Please check this document; it will give you more insight as to how to set up a tunnel with overlapping subnets.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html

The important point is that the local network would have to communicate with the remote network via translated addresses, i.e. you won't be able to use the actual IPs for the communication.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh

Thanks for the response. I've seen this doc, and it requires you to make changes on both ends of the IPSEC. Are you able to translate it and send it across the VPN? We do not need the same subnet on both ends to see each other, but we need a server on our end to be able to route back to their end. As an example: a remote-end client on 192.168.0.0/24 communicates to 192.168.100.90, comes across the VPN, hits our end (which also has a 192.168.0.0/24 network), the firewall translates the traffic from the other end to 192.168.200.0/24, it hits the server, then on the way back it is translated back to 192.168.0.0?

It would be great if we can do the work from our end only.

Thanks

Assuming 192.168.0.1 on the remote side needs to talk to 192.168.100.90 on our side.

On the remote side, 192.168.0.1 translates to 192.168.200.1 when communicating with 192.168.100.90:
nat (inside,outside) source static obj_192.168.0.1 obj_192.168.200.1 destination static obj_192.168.100.90 obj_192.168.100.90 route-lookup

Then the crypto access-list will be configured for source proxy 192.168.200.0 going to destination proxy 192.168.100.0.

The other way is:

On the local side, incoming traffic changes from 192.168.0.1 to 192.168.200.1 when talking to 192.168.100.90:
nat (outside,inside) source static obj_192.168.0.1 obj_192.168.200.1 destination static obj_192.168.100.90 obj_192.168.100.90 route-lookup

In this case, the crypto access-list will be from source proxy 192.168.100.0 to 192.168.200.0.

Hope this helps.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh

Thanks, I like the other way of doing the work on the local side; however, the route-lookup command isn't there. This firewall is on 8.2, is it only supported from 8.4?

Thanks

Yes, that was added in the 8.4 series.

Since you are using 8.2 code, you can use this document to configure NAT:

ASA Pre-8.3 to 8.3 NAT configuration examples
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples


Hope this helps.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
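For an ASA still on 8.2, here is what the "other way" from the earlier reply (translating the remote site's overlapping 192.168.0.0/24 on the local ASA only, so the remote side keeps its real addresses and its existing crypto ACL) looks like in pre-8.3 syntax. This is an added example, not configuration from any of the posts or from the linked Cisco documents; the ACL and object-group names and the 192.168.200.0/24 mapped range are assumptions, and it has not been applied to a real device.

```cisco
! Added example (not from the original thread): ASA 8.2 configuration on the
! LOCAL ASA only. The remote site keeps its real 192.168.0.0/24 and its crypto
! ACL (192.168.0.0/24 -> 192.168.100.0/24) stays as it is.
!
! 1. Policy static on the OUTSIDE interface: when a packet arriving from the
!    tunnel has source 192.168.0.0/24 and destination 192.168.100.0/24, the
!    source is rewritten to 192.168.200.0/24 before it reaches the inside.
!    192.168.200.0/24 is assumed to be unused anywhere on the local side.
access-list REMOTE_OVERLAP_NAT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
static (outside,inside) 192.168.200.0 access-list REMOTE_OVERLAP_NAT
!
! 2. Crypto ACL: the crypto map is matched on egress, after NAT, so it lists the
!    remote's REAL subnets. A reply from 192.168.100.10 to 192.168.200.x is
!    untranslated back to 192.168.0.x by the xlate the static created, and the
!    same xlate sends it toward the outside interface where it matches the
!    first entry below. 192.168.2.0/24 and 192.168.3.0/24 never match the
!    static and pass through unchanged, exactly as the question asks.
object-group network REMOTE_NETS
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group REMOTE_NETS
!
! 3. NAT exemption for tunnel traffic, needed when nat-control is enabled or a
!    dynamic nat/global pair already covers the inside interface; otherwise the
!    untranslated 192.168.2.0/24 and 192.168.3.0/24 flows could be PATed.
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 object-group REMOTE_NETS
nat (inside) 0 access-list inside_nat0_outbound
!
! Verification after a remote 192.168.0.x host connects to 192.168.100.10:
!   show xlate            -> an entry mapping 192.168.0.x to 192.168.200.x
!   show crypto ipsec sa  -> encaps/decaps counters rising on the 192.168.0.0/24 SA
!   show conn             -> the server-side connection shows 192.168.200.x, not 192.168.0.x
```

The trade-off David already accepted stands: the local hosts on 192.168.0.0/24 are invisible to the remote 192.168.0.0/24, and the server only ever sees 192.168.200.x addresses, so any host-based ACLs, allow-lists or log correlation on 192.168.100.10 must be written for the mapped range rather than the remote site's real one.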