I'm trying to connect two overlapping networks via IPsec. I've already Googled and read
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Details:
Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses the 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed.
Site_B uses a Linux box and the networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA; we took over this infrastructure without any documentation whatsoever.
According to the link posted above I should use dual NAT. Site_B will see the networks in Site_A as 10.26.0.0/22, and Site_A will see the networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence the /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination ip address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host on Cisco routers - I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link posted above everything is ok till the command:
static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
which results in:
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255
Those are port redirects on Site_A used for mail, webmail, etc. What should I do to keep these redirects from the Internet to the companyname vlan and at the same time have a working l2l ipsec tunnel connecting the overlapping networks?
Thank you in advance for any help or hint.
Snippet of ASA's config below:
!
ASA Version 8.0(4)32
!
no names
name 10.25.0.0 siteB-fake-network description Fake NAT network to avoid ip overlapping
name 10.26.0.0 siteA-fake-network description Fake NAT network to avoid ip overlapping
!
interface Ethernet0/0
shutdown
nameif inside
security-level 100
ip address 10.200.32.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.10
vlan 10
nameif companyname
security-level 100
ip address 10.100.0.254 255.255.255.0
!
interface Ethernet0/2.20
vlan 20
nameif wifi
security-level 100
ip address 10.0.0.1 255.255.255.240
!
interface Ethernet0/2.30
vlan 30
nameif dmz
security-level 50
ip address 10.0.30.1 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.100.100.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Inside-Network
network-object 10.100.0.0 255.255.255.0
network-object 10.100.1.0 255.255.255.0
network-object 10.100.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2221
port-object eq 2222
port-object eq 2223
port-object eq 2224
port-object eq 2846
object-group service DM_INLINE_TCP_5 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_6 tcp
port-object eq 2221
port-object eq 2222
port-object eq 2223
port-object eq 2224
port-object eq 2846
object-group network DM_INLINE_NETWORK_1
network-object 10.100.0.0 255.255.255.0
network-object 10.100.2.0 255.255.255.0
access-list securevpn_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.178 eq 50000
access-list outside_access_in extended permit tcp any host x.x.x.178 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.178 eq https
access-list outside_access_in extended permit tcp any host x.x.x.179 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp
access-list outside_access_in extended permit tcp any
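A small model of the dual-NAT address plan from this question, added here as an example and not part of the original post or of the ASA's configuration: it performs the match-host style translation the question asks for (network part swapped, host part kept) in both directions, and lists which of the existing port-redirect statics fall inside the real range that a policy static for 10.100.0.0/22 would cover, i.e. the entries behind the ASA's "real-address conflict" warnings. The function names, the tuple layout and the use of the page's masked x.x.x.* addresses as opaque labels are my own assumptions.

```python
import ipaddress

# Constructed from the question (not the ASA's config): Site_B reaches Site_A
# through the fake range 10.26.0.0/22, which stands in for the real 10.100.0.0/22;
# Site_A reaches Site_B's 10.100.1.0/24 through the fake range 10.25.0.0/24.
SITE_A_FAKE = ipaddress.ip_network("10.26.0.0/22")
SITE_A_REAL = ipaddress.ip_network("10.100.0.0/22")
SITE_B_FAKE = ipaddress.ip_network("10.25.0.0/24")
SITE_B_REAL = ipaddress.ip_network("10.100.1.0/24")

# Existing port-redirect statics on Site_A, as listed in the ASA warnings:
# (real address, real port, mapped address, mapped port). The mapped address
# is kept as the page's masked placeholder string and is never parsed.
EXISTING_STATICS = [
    ("10.100.0.6", 443, "x.x.x.178", 443),
    ("10.100.0.20", 25, "x.x.x.178", 25),
    ("10.100.0.128", 3389, "x.x.x.178", 50000),
    ("10.100.0.26", 3389, "x.x.x.181", 2001),
    ("10.100.0.27", 3389, "x.x.x.181", 2002),
    ("10.100.0.28", 3389, "x.x.x.178", 2003),
]


def match_host_translate(addr, from_net, to_net):
    """Replace the network part of addr (from_net -> to_net), keep the host part.

    This mirrors what 'ip nat type match-host' does on IOS routers:
    10.26.1.222 in 10.26.0.0/22 becomes 10.100.1.222 in 10.100.0.0/22.
    """
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("fake and real ranges must have the same prefix length")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_part = int(addr) & int(from_net.hostmask)      # keep only the host bits
    return ipaddress.ip_address(int(to_net.network_address) | host_part)


def conflicting_statics(real_net, statics=EXISTING_STATICS):
    """Return the existing statics whose real address lies inside real_net.

    A policy static covering real_net overlaps these one-to-one entries,
    which is exactly what the ASA's 'real-address conflict' warning reports.
    """
    return [s for s in statics if ipaddress.ip_address(s[0]) in real_net]


if __name__ == "__main__":
    print(match_host_translate("10.26.1.222", SITE_A_FAKE, SITE_A_REAL))
    for real, rport, mapped, mport in conflicting_statics(SITE_A_REAL):
        print(f"conflict: {real}/{rport} -> {mapped}/{mport}")
```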