LAN-to-LAN IPsec VPN with Overlapping Networks problem

I'm trying to connect two overlapping networks via IPsec. I've already Googled and read

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Details:

Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses the 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed.

Site_B uses a Linux box and the networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA; we took over this infrastructure without any documentation whatsoever.

According to the link posted above I should use dual NAT. Site_B will see the networks in Site_A as 10.26.0.0/22, and Site_A will see the networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A, hence the /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination IP address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host on Cisco routers: I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link posted above, everything is OK until the command:

static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound

which results in:

WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255

Those are port redirects on Site_A used for mail, webmail, etc. What should I do to keep these redirects from the Internet to the companyname vlan and at the same time have a working L2L IPsec tunnel connecting the overlapping networks?

Thank you in advance for any help or hint.

A snippet of the ASA's config is below:

!
ASA Version 8.0(4)32
!
no names
name 10.25.0.0 siteB-fake-network description Fake NAT network to avoid ip overlapping
name 10.26.0.0 siteA-fake-network description Fake NAT network to avoid ip overlapping
!
interface Ethernet0/0
 shutdown
 nameif inside
 security-level 100
 ip address 10.200.32.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.10
 vlan 10
 nameif companyname
 security-level 100
 ip address 10.100.0.254 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif wifi
 security-level 100
 ip address 10.0.0.1 255.255.255.240
!
interface Ethernet0/2.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 10.0.30.1 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.100.100.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Inside-Network
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.1.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group service DM_INLINE_TCP_5 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain
 service-object udp eq domain
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group network DM_INLINE_NETWORK_1
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
access-list securevpn_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.178 eq 50000
access-list outside_access_in extended permit tcp any host x.x.x.178 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.178 eq https
access-list outside_access_in extended permit tcp any host x.x.x.179 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp
access-list outside_access_in extended permit tcp any
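The following Python is an added illustration of the two things the post asks about: "match-host" style translation, where only the network bits of an address are rewritten and the host bits are kept, and the real-address overlap that produced the six warnings when a subnet-wide static for 10.100.0.0/22 was added on top of existing per-host port redirects. It is not code from the original post, from Cisco, or from the ASA; the function names, the StaticPat record and the EXISTING_STATICS table are assumptions made for this example. The six entries are copied from the warnings above, with the public addresses left as the x.x.x.178 / x.x.x.181 placeholders the post uses.

```python
"""Network-part ("match-host" style) translation and static-conflict check.

Added example for the dual-NAT plan discussed in the post; not code from the
post, from Cisco, or from the ASA. All names below are assumptions.
"""
import ipaddress
from dataclasses import dataclass


def translate(addr: str, real_net: str, mapped_net: str) -> str:
    """Map addr from real_net into mapped_net, changing only the network bits.

    This is the arithmetic a subnet-to-subnet translation performs: the host
    offset inside real_net is preserved and re-based onto mapped_net, so
    10.100.1.222 in 10.100.0.0/22 becomes 10.26.1.222 in 10.26.0.0/22.
    """
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must have the same prefix length")
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{ip} is not inside {real}")
    host_offset = int(ip) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + host_offset))


def untranslate(addr: str, real_net: str, mapped_net: str) -> str:
    """Reverse direction: a packet sent to a mapped address is rewritten to
    the real address that has the same host bits."""
    return translate(addr, mapped_net, real_net)


@dataclass(frozen=True)
class StaticPat:
    """One existing port redirect (static PAT) on the ASA (assumed record)."""
    real_ip: str
    real_port: int
    mapped_ip: str   # public address; kept as the x.x.x.N placeholder from the post
    mapped_port: int


# Constructed from the six "real-address conflict" warnings quoted in the post.
EXISTING_STATICS = [
    StaticPat("10.100.0.6", 443, "x.x.x.178", 443),
    StaticPat("10.100.0.20", 25, "x.x.x.178", 25),
    StaticPat("10.100.0.128", 3389, "x.x.x.178", 50000),
    StaticPat("10.100.0.26", 3389, "x.x.x.181", 2001),
    StaticPat("10.100.0.27", 3389, "x.x.x.181", 2002),
    StaticPat("10.100.0.28", 3389, "x.x.x.178", 2003),
]


def real_address_conflicts(real_net: str, statics) -> list:
    """Return the existing static entries whose real address falls inside
    real_net, i.e. the entries a new subnet-wide static covering real_net
    would overlap with. An empty list means the new static touches none."""
    net = ipaddress.ip_network(real_net)
    return [s for s in statics if ipaddress.ip_address(s.real_ip) in net]


def check_plan(real_net: str, mapped_net: str, statics) -> dict:
    """Summarise one direction of the dual NAT: the mapped range and which
    existing per-host statics it collides with."""
    conflicts = real_address_conflicts(real_net, statics)
    return {
        "real": real_net,
        "mapped": mapped_net,
        "conflicting_real_hosts": sorted(
            (s.real_ip for s in conflicts), key=ipaddress.ip_address
        ),
        "conflict_count": len(conflicts),
    }


if __name__ == "__main__":
    # Site_B host reaching Site_A host 10.100.1.222 via its mapped address.
    print(untranslate("10.26.1.222", "10.100.0.0/22", "10.26.0.0/22"))  # 10.100.1.222
    # The /22 in the post includes vlan10 (10.100.0.0/24), where all six
    # port redirects live, so every one of them is reported as a conflict.
    print(check_plan("10.100.0.0/22", "10.26.0.0/22", EXISTING_STATICS))
    # A static covering only the routed 10.100.1.0/24 would touch none of them.
    print(check_plan("10.100.1.0/24", "10.26.1.0/24", EXISTING_STATICS))
```

The second check_plan call is the useful one when planning: it shows that the conflicts come entirely from including the directly connected vlan10 network in the /22, not from the routed networks, which narrows down where the overlap with the existing port redirects has to be resolved.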