02-15-2012 08:17 AM - edited 02-21-2020 05:52 PM
I'm trying to connect two overlapping networks via IPsec. I've already Googled and read
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Details:
Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 as inside networks. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed.
Site_B uses a Linux box and the networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA; we took over this infrastructure without any documentation whatsoever.
According to the link posted above I should use dual NAT. Site_B will see the networks in Site_A as 10.26.0.0/22, and Site_A will see the networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence the /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination ip address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link posted above everything is ok till the command:
static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
which results in:
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255
Those are port redirects on Site_A used for mail, webmail, etc. What should I do to keep these redirects from the Internet to the companyname vlan and at the same time have a working l2l ipsec tunnel connecting the overlapping networks?
Thank you in advance for any help or hint.
Snippet of ASA's config below:
!
ASA Version 8.0(4)32
!
no names
name 10.25.0.0 siteB-fake-network description Fake NAT network to avoid ip overlapping
name 10.26.0.0 siteA-fake-network description Fake NAT network to avoid ip overlapping
!
interface Ethernet0/0
shutdown
nameif inside
security-level 100
ip address 10.200.32.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.10
vlan 10
nameif companyname
security-level 100
ip address 10.100.0.254 255.255.255.0
!
interface Ethernet0/2.20
vlan 20
nameif wifi
security-level 100
ip address 10.0.0.1 255.255.255.240
!
interface Ethernet0/2.30
vlan 30
nameif dmz
security-level 50
ip address 10.0.30.1 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.100.100.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Inside-Network
network-object 10.100.0.0 255.255.255.0
network-object 10.100.1.0 255.255.255.0
network-object 10.100.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2221
port-object eq 2222
port-object eq 2223
port-object eq 2224
port-object eq 2846
object-group service DM_INLINE_TCP_5 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_6 tcp
port-object eq 2221
port-object eq 2222
port-object eq 2223
port-object eq 2224
port-object eq 2846
object-group network DM_INLINE_NETWORK_1
network-object 10.100.0.0 255.255.255.0
network-object 10.100.2.0 255.255.255.0
access-list securevpn_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.178 eq 50000
access-list outside_access_in extended permit tcp any host x.x.x.178 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.178 eq https
access-list outside_access_in extended permit tcp any host x.x.x.179 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp-data
access-list outside_access_in extended permit tcp host 205.158.110.63 host x.x.x.180 eq ssh inactive
access-list inside_access_in extended permit ip 10.100.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_access_in extended permit ip object-group Inside-Network 10.100.99.0 255.255.255.0
access-list inside_access_in extended permit ip object-group Inside-Network 10.0.30.0 255.255.255.248
access-list inside_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list inside_access_in extended permit tcp object-group Inside-Network any eq www
access-list inside_access_in extended permit tcp object-group Inside-Network any eq https
access-list inside_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp-data
access-list inside_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp
access-list inside_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 9999
access-list inside_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 3389
access-list inside_access_in extended permit udp object-group Inside-Network any eq domain
access-list companyname_access_in extended permit ip object-group Inside-Network 10.100.1.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group Inside-Network 10.100.99.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group Inside-Network 10.0.30.0 255.255.255.248
access-list companyname_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list companyname_access_in extended permit tcp object-group Inside-Network any eq www
access-list companyname_access_in extended permit tcp object-group Inside-Network any eq https
access-list companyname_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp-data
access-list companyname_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp
access-list companyname_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 9999
access-list companyname_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 3389
access-list companyname_access_in extended permit udp object-group Inside-Network any eq domain
access-list wifi_access_in extended permit tcp 10.0.0.0 255.255.255.240 host 10.100.0.40 eq 2001
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.0.0 255.255.255.240
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list wifi_nat0_outbound extended permit ip 10.0.0.0 255.255.255.240 10.100.0.0 255.255.255.0
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 any object-group DM_INLINE_TCP_5
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 host 10.100.0.2 object-group DM_INLINE_TCP_6
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 10.0.30.0 255.255.255.248 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended deny ip 10.0.30.0 255.255.255.248 any
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.0.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.99.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.26.0.0 255.255.252.0 10.25.0.0 255.255.255.0
access-list fake_nat_outbound extended permit ip 10.100.0.0 255.255.252.0 10.25.0.0 255.255.255.0
ip local pool clientVPNpool 10.100.99.101-10.100.99.199 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name IPS attack action alarm drop reset
ip audit name IPS-inf info action alarm
ip audit interface outside IPS-inf
ip audit interface outside IPS
nat-control
global (inside) 91 10.100.0.2
global (inside) 92 10.100.0.4
global (inside) 90 10.100.0.3 netmask 255.255.255.0
global (outside) 10 interface
global (outside) 91 x.x.x.179
global (outside) 92 x.x.x.181
global (outside) 90 x.x.x.180 netmask 255.0.0.0
global (companyname) 10 interface
global (dmz) 20 interface
nat (outside) 10 10.100.99.0 255.255.255.0
nat (companyname) 0 access-list companyname_nat0_outbound
nat (companyname) 10 10.100.0.0 255.255.255.0
nat (companyname) 10 10.100.1.0 255.255.255.0
nat (companyname) 10 10.100.2.0 255.255.255.0
nat (wifi) 0 access-list wifi_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 10.0.30.0 255.255.255.248
static (companyname,outside) tcp interface https 10.100.0.6 https netmask 255.255.255.255
static (companyname,outside) tcp interface smtp 10.100.0.20 smtp netmask 255.255.255.255
static (companyname,outside) tcp interface 50000 10.100.0.128 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2001 10.100.0.26 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2002 10.100.0.27 3389 netmask 255.255.255.255
static (companyname,outside) tcp interface 2003 10.100.0.28 3389 netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.181 ftp 10.0.30.2 ftp netmask 255.255.255.255
static (companyname,companyname) 10.100.1.0 10.100.1.0 netmask 255.255.255.0
static (companyname,companyname) 10.100.2.0 10.100.2.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group companyname_access_in in interface companyname
access-group wifi_access_in in interface wifi
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
route companyname 10.0.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.2.0 255.255.255.0 10.100.0.1 1
dynamic-access-policy-record DfltAccessPolicy
!
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer a.b.c.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.100.0.3
dns-server value 10.100.0.3
default-domain value companyname.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 10.100.0.3
vpn-tunnel-protocol l2tp-ipsec
group-policy securevpn internal
group-policy securevpn attributes
wins-server value 10.100.0.3 10.100.0.2
dns-server value 10.100.0.3 10.100.0.2
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
default-domain value companyname.com
tunnel-group DefaultRAGroup general-attributes
address-pool clientVPNpool
authentication-server-group COMPANYNAME_AD
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group securevpn type remote-access
tunnel-group securevpn general-attributes
address-pool clientVPNpool
authentication-server-group COMPANYNAME_AD
default-group-policy securevpn
tunnel-group securevpn ipsec-attributes
pre-shared-key *
tunnel-group securevpn ppp-attributes
authentication ms-chap-v2
tunnel-group a.b.c.1 type ipsec-l2l
tunnel-group a.b.c.1 ipsec-attributes
pre-shared-key *
02-17-2012 05:00 PM
Are you sure that static-config does not make it to the running config ?
By applying that 'big static' you are essentially trying to forward ports that already have been forwarded by the rules in your existing config. That is what the warning says: what you are trying to do has some overlap with existing statics.
(Sorry for using the word forwarding, but this problem makes more sense if you look at it that way; even though 'port forwarding' is not Cisco-terminology.)
But... every time I came across this issue, the warning was just that: a WARNING, not an ERROR. And all just works like I want it to work: the specific statics in my existing config simply take precedence over the big static.
If you would try to do it the other way round you would get an error (first the big static, and then try to apply more specific ones) and the config is not applied.
So could you confirm the config really is not accepted ?
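As an added illustration of the two points above (the question's host-preserving /22 translation and the answer's reading of the "real-address conflict" warnings), here is a small Python model written for this thread; it is not ASA code and only reproduces the translation and the overlap check from the posted config, with the x.x.x.* addresses kept as the page shows them.

```python
import ipaddress

# Constructed model of the thread's dual-NAT design (not the ASA's own logic).
# The policy static "static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound"
# presents real 10.100.0.0/22 to Site_B as 10.26.0.0/22 and keeps the host bits
# intact, which is the "match-host" behaviour the question asks for.
REAL_NET = ipaddress.ip_network("10.100.0.0/22")
FAKE_NET = ipaddress.ip_network("10.26.0.0/22")

# Existing per-port statics transcribed from the posted config:
# (real ip, real port, mapped ip, mapped port). x.x.x.* is the page's own masking.
PORT_STATICS = [
    ("10.100.0.6", 443, "x.x.x.178", 443),
    ("10.100.0.20", 25, "x.x.x.178", 25),
    ("10.100.0.128", 3389, "x.x.x.178", 50000),
    ("10.100.0.26", 3389, "x.x.x.181", 2001),
    ("10.100.0.27", 3389, "x.x.x.181", 2002),
    ("10.100.0.28", 3389, "x.x.x.178", 2003),
]


def _shift(addr, src_net, dst_net):
    """Re-base addr from src_net onto dst_net, preserving the host part."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def fake_to_real(dst):
    """Real Site_A target when Site_B sends to a 10.26.x.y destination."""
    return str(_shift(dst, FAKE_NET, REAL_NET))


def real_to_fake(src):
    """Fake source Site_B sees for a Site_A host (same mask, same host bits)."""
    return str(_shift(src, REAL_NET, FAKE_NET))


def static_conflicts(policy_net=REAL_NET, statics=PORT_STATICS):
    """Reproduce the ASA 'real-address conflict' warnings: every existing static
    whose real address also falls inside the policy static's real range."""
    return [
        f"TCP companyname:{real}/{rport} to outside:{mapped}/{mport}"
        for real, rport, mapped, mport in statics
        if ipaddress.ip_address(real) in policy_net
    ]
```

Running static_conflicts() before pasting the big static lists exactly the six overlapping entries from the warning output, so the check can be done ahead of a change window rather than discovered on the production box.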
02-20-2012 09:17 AM
You're absolutely right. It's not pretty (I don't like warnings on production environments), but tests show that it works. Thank you.