08-17-2010 09:17 AM
I have to establish a site to site VPN but we have overlapping networks. The hardware on my side is a PIX515e 8.0(4) with ASDM 6.1. On the other side they have a PIX520 with 6.3 (I don't manage this one).
The overlapping network is 10.1.0.0/16. On my side we have several networks, 10.1.0.0/16, 10.191.0.0/16, 172.20.0.0/16 and others. I have attached a basic diagram.
The PIX is on the 10.191.0.0/16 network, the inside is 10.191.48.27. Clients from my side have to access (from any network) servers on the other side.
I know I have to do NAT, my idea is to use on my side 172.25.16.0/24 and send the traffic to 172.26.16.0/24 (the NAT on the other side). What are the different possibilities?
Now, how can I configure this? Is it possible to do it from the ASDM?
I would appreciate any help, and thanks a lot in advance.
Gonzalo
08-17-2010 10:05 AM
Gonzalo,
You can start with this link, you can do it in asdm but better in cli as it is better understood this way.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Regards
08-18-2010 07:08 PM
Thanks for the info.
Now I have another question, what access list applies to the traffic that goes through the VPN? Let's say I allow all the traffic (interesting traffic) to travel between the two sites. Is there a way to apply an access list to this traffic? I don't know, maybe the outside ACL is applied to this traffic?
08-18-2010 09:14 PM
Hello Gonzalo,
The access list you created, like in the link example, is the ACL applied to the crypto map which defines the (interesting traffic) or traffic to be encrypted, or your encryption domain; that crypto map is then applied to the outside interface or whichever interface name you have defined for your VPN termination point interface.
So if you look at the example link provided previously you see that ASA-1 has the following, such as this below:
ASA-1
"access-list new extended permit ip 172.18.1.0 255.255.255.0 192.168.1.0 255.255.255.0"
If you scroll down to the crypto map section you will see that the crypto map uses this ACL name called (new) for the interesting traffic.
"crypto map outside_map 20 match address new"
Consequently, the crypto map is applied to the outside interface, such as the below statement:
"crypto map outside_map interface outside"
Just follow that good link example , your tunnel should work.
Regards
08-19-2010 06:16 AM
I did the VPN and it is working fine, I did it both ways, so traffic from any side can go to the other side.
The thing is how can I apply an ACL to the traffic coming from the other site.
Let's say I manage site A, I don't have management of site B. We have a VPN both ways. And I want to apply an ACL to the traffic coming from site B. The only ACL I have is the one that applies to the crypto map? What about the ACL applied to the interfaces?
Thanks for your help,
regards
Gonzalo
08-19-2010 10:37 PM
Hi Gonzalo,
Glad you have the VPN working. I'm not clear what you mean by ACL applied to other interfaces; treat the VPN tunnel ACLs as unique ACLs for traffic between site A and site B. If you need to permit more networks that do not overlap with other LANs off your other interfaces you can permit the traffic by doing additional configs on the crypto ACLs for this tunnel and the nonat rule, if this is what you are referring to, or is it that you need management access to the site B firewall?
Existing ACLs applied to other interfaces in your ASA have nothing to do with your existing tunnel; again, unless you want to permit traffic to those networks for this tunnel that are on other ASA interfaces, you can work with your current crypto ACL and policy NAT ACL if there are still other overlapping LANs, or the nonat ACL for non-overlapping LANs. Am I understanding you correctly?
Regards
08-22-2010 06:55 PM
Thanks Jorge, everything is working.
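The configuration the thread converges on (policy NAT for the overlapping subnet, NAT exemption for the non-overlapping LANs, a crypto ACL written on the translated addresses, crypto map bound to outside), as an added example in PIX/ASA 8.0 pre-8.3 syntax; it is not Gonzalo's or Jorge's config, nor the Cisco document's. It assumes a constructed client subnet 10.1.5.0/24 inside the overlapping 10.1.0.0/16 (a static net-to-net translation needs real and mapped ranges of the same size, so the whole /16 cannot be mapped one-to-one onto 172.25.16.0/24), a constructed peer address 203.0.113.2, and placeholder key and transform-set names.

```cisco
! Added example (not from the thread or the Cisco doc). Assumptions: inside clients in
! 10.1.5.0/24 (constructed, part of the overlapping 10.1.0.0/16), remote servers reached
! as 172.26.16.0/24 (the peer's translated range), peer outside address 203.0.113.2
! (constructed); pre-shared key and transform-set name are placeholders.

! 1. Policy NAT: only when 10.1.5.0/24 talks to 172.26.16.0/24 is it presented to the
!    peer as 172.25.16.0/24 (static net-to-net needs equal-size real and mapped ranges).
access-list POLICY_NAT_VPN extended permit ip 10.1.5.0 255.255.255.0 172.26.16.0 255.255.255.0
static (inside,outside) 172.25.16.0 access-list POLICY_NAT_VPN

! 2. Non-overlapping LANs (10.191.0.0/16, 172.20.0.0/16) need no translation:
!    exempt them from the global NAT/PAT so they enter the tunnel with real addresses.
access-list NONAT_VPN extended permit ip 10.191.0.0 255.255.0.0 172.26.16.0 255.255.255.0
access-list NONAT_VPN extended permit ip 172.20.0.0 255.255.0.0 172.26.16.0 255.255.255.0
nat (inside) 0 access-list NONAT_VPN

! 3. Crypto ACL (interesting traffic) uses the TRANSLATED local addresses, because
!    NAT is applied before encryption on the PIX/ASA.
access-list VPN_TO_SITEB extended permit ip 172.25.16.0 255.255.255.0 172.26.16.0 255.255.255.0
access-list VPN_TO_SITEB extended permit ip 10.191.0.0 255.255.0.0 172.26.16.0 255.255.255.0
access-list VPN_TO_SITEB extended permit ip 172.20.0.0 255.255.0.0 172.26.16.0 255.255.255.0

! 4. IKE phase 1 / IPsec phase 2; the PIX 6.3 peer must use matching parameters.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! 5. Crypto map: bind the ACL, peer and transform set, then apply it to outside.
crypto map outside_map 20 match address VPN_TO_SITEB
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Note on the interface-ACL question: with the default "sysopt connection permit-vpn",
! decrypted tunnel traffic bypasses the outside interface ACL; the usual way to restrict
! it is a vpn-filter ACL in the group-policy (or disabling that sysopt).
```

The peer must mirror this: translate its own 10.1.0.0/16 servers to 172.26.16.0/24 and list 172.25.16.0/24, 10.191.0.0/16 and 172.20.0.0/16 as remote networks in its crypto ACL, otherwise phase 2 proxy identities will not match.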