Overlapping VPN

manoj4783
Level 1

Hi,

Having a doubt about site-to-site VPN.

I have 3 customers, cust1 --- cust2 --- cust3,

the private IP addresses are:

Cust1 ---- 10.2.2.0 (PIX)

Cust2 ---- 10.10.10.0 (Checkpoint Nokia)

Cust3 ---- 10.2.2.0 (ASA)

connectivity is Cust1 ---- Cust2 ---- Cust3
                  |          |          |
               10.2.2.0  10.10.10.0  10.2.2.0

I want to achieve a site-to-site VPN tunnel between Cust1 -- Cust2 and also Cust2 -- Cust3. But here Cust1 and Cust3 have the same private IP address range. So, when establishing the VPN tunnels on Cust2 (Cust2 to Cust1 and Cust2 to Cust3), there will be a conflict between the 10.2.2.0 ranges.

Here is the config I have done on the PIX (Cust1):

static (inside,outside) 10.2.3.0 access-list TICTAC

access-list TICTAC permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0

crypto ACL:

access-list crypto permit ip 10.2.3.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list nonat

show run | i global|nat|access-list

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

I am able to ping the Cust2 private IP range through the VPN, but I am unable to browse the internet from Cust1.

Note: Each customer has its own individual internet connection.

Can anyone help me out? Is there anything I am missing?

Regards,

Manoj

6 Replies

auraza
Cisco Employee

I would remove the nonat you have configured on the inside for the traffic that is going through. You want to nat the traffic as specified by your static.

PS. If you found this post helpful, please rate it.

Had removed the nonat statement; nothing is happening :-(

Manoj you need to go step by step then. Figure out what is going on with the packet.

1) What is the packet source, and where is it destined?

2) When it hits the ASA's inside interface, does it hit any ACLs?

3) If no ACLs where does routing say it should go? Outside interface or another interface?

4) Is the packet supposed to be NAT'd? If yes, then are the NAT statements correct?

5) If it's supposed to be encrypted after the NAT, are the crypto ACLs correct, and is crypto applied to the interface that the packet is supposed to go out of?

6) What do the logs show?

Hello,

Any luck with your scenario? I've the same problem and no solution yet.

What I want to know is: when a packet reaches the router, which happens first? The NAT operation, or will it get tunneled?

Regards,

Florin.

NAT will happen first. Why don't you post up more info about your problem...
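The order of operations this reply refers to, as an added example that is not part of the thread: a small Python model of the PIX packet path (NAT exemption first, then the policy static, then dynamic PAT, and only then the crypto ACL check), run against the Cust1 config as posted and with the nonat entry removed. The outside interface IP and the internet host are constructed placeholders.

```python
# Added example (not from the thread): models PIX 6.x NAT precedence as the replies
# describe it: nat 0 exemption -> policy static -> dynamic PAT, then crypto ACL match.
from ipaddress import ip_address, ip_network

def acl_matches(acl, src, dst):
    """acl is a list of (src_net, dst_net) 'permit ip' entries."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)

def translate(cfg, src, dst):
    """Return (translated_src, rule) following PIX NAT precedence."""
    # 1. nat (inside) 0 access-list nonat: exemption wins over every other rule,
    #    so the packet keeps its real 10.2.2.x source address.
    if acl_matches(cfg["nonat"], src, dst):
        return src, "nonat-exempt"
    # 2. static (inside,outside) <mapped> access-list <acl>: policy static NAT,
    #    host part is preserved (10.2.2.5 -> 10.2.3.5).
    for mapped, acl in cfg["policy_static"]:
        for real, _ in acl:
            if ip_address(src) in ip_network(real) and acl_matches(acl, src, dst):
                offset = int(ip_address(src)) - int(ip_network(real).network_address)
                return str(ip_network(mapped).network_address + offset), "policy-static"
    # 3. nat (inside) 1 0 0 + global (outside) 1 interface: PAT to the outside IP.
    return cfg["outside_ip"], "dynamic-pat"

def forward(cfg, src, dst):
    """Return (rule, translated_src, 'encrypted'|'cleartext')."""
    xsrc, rule = translate(cfg, src, dst)
    # The crypto ACL is evaluated against the post-NAT source address.
    enc = "encrypted" if acl_matches(cfg["crypto"], xsrc, dst) else "cleartext"
    return rule, xsrc, enc

TICTAC = [("10.2.2.0/24", "10.10.10.0/24")]
BASE = {"outside_ip": "203.0.113.1",            # constructed placeholder
        "policy_static": [("10.2.3.0/24", TICTAC)],
        "crypto": [("10.2.3.0/24", "10.10.10.0/24")]}
AS_POSTED = {**BASE, "nonat": [("10.2.2.0/24", "10.10.10.0/24")]}
NONAT_REMOVED = {**BASE, "nonat": []}

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("nonat removed", NONAT_REMOVED)):
        print(name, "to Cust2:", forward(cfg, "10.2.2.5", "10.10.10.7"))
        print(name, "to internet:", forward(cfg, "10.2.2.5", "198.51.100.10"))
```

With the nonat entry present the packet to Cust2 is exempted, keeps source 10.2.2.5, and no longer matches the crypto ACL written for 10.2.3.0/24; with it removed the policy static rewrites the source to 10.2.3.5 and the crypto ACL matches. Internet-bound traffic takes the dynamic PAT path in both cases.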

Hi,

I have an ASA firewall tunneling the 192.168.10.0/24 behind it to a Checkpoint NGX. The trouble is that 192.168.10.0 already exists behind the Checkpoint as a connected network.

Nevertheless my VPN has to connect 192.168.10.0/24 with 192.168.16.0/24.

So I concluded NAT is needed only on ASA side, right?

The VPN got up immediately, still I don't have connectivity between sites.

I attached the specific config on the ASA; please note that show crypto ipsec sa shows only decrypted packets but no encrypted ones!

What have I missed?

Regards,

Florin.
