
Remote SSL VPN Overlapping

RexPr
Level 1

I've configured a remote SSL VPN on Cisco ASA (9.2).
The local network is 192.168.1.0/24. The server I want to reach is 192.168.1.5. The VPN IP pools are on 192.168.40.0/24 network.
On the remote site, I have one ADSL connection with internal IP 192.168.1.0/24, so it overlaps my local network, and I cannot change the remote IP.


I've seen some examples of NAT to avoid the overlap, but all for site-to-site VPN, and I'm not confident how to do it with a remote VPN client.

Can I get some help?

Thanks,
Fabrizio

 

 

Fabrizio www.rfc.it

Jerome BERTHIER
Level 1

Hi

 

Is it the only server that you need to reach over the VPN?

 

If yes, you might try to inject a route 192.168.1.5/32 into the split tunneling.

It will be more precise than the connected route of your local network behind the ADSL connection. So, the laptop should prefer this route over the VPN interface.

 

If not, NAT is the answer, but I have never tried it.

 

 

Regards

 

Jérôme

>>> If yes, you might try to inject a route 192.168.1.5/32 into the split tunneling.

No, it is not the only server, so I'm looking for a NAT suggestion.

 

>>> push a default route out to the client that routes all across the client's VPN interface in the 192.168.40.x range

If I put 192.168.40.x as the default route, I have to remove the split tunnel and move remote traffic through the ASA, which is not a good solution for my purpose.

 

Thanks,

Fabrizio

Fabrizio www.rfc.it

The NAT option is straightforward: just configure static NAT in,out and include the NATted subnet in your split tunneling ACL (not the original subnet).

But the overlap shouldn't be a problem unless you have local LAN access enabled. By default this option is controllable by the user. Once you turn it off, if LAN traffic overlaps with the split ACL, the traffic will go over the tunnel.
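
The route selection behind the /32 suggestion and the NAT suggestion in the replies above, modelled as an added example that is not part of any post in this thread and is not ASA or AnyConnect code. The mapped subnet 10.99.1.0/24, the interface labels `lan` and `vpn`, and all function names are assumptions made for illustration.

```python
import ipaddress

# Only 192.168.1.0/24 and 192.168.1.5 come from the thread. MAPPED is an
# assumed unused subnet; "lan" and "vpn" are hypothetical interface labels.
REAL = ipaddress.ip_network("192.168.1.0/24")
MAPPED = ipaddress.ip_network("10.99.1.0/24")


def client_table(split_tunnel):
    """Remote laptop routes: default and home LAN via ADSL, split-tunnel nets via VPN."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "lan"), (REAL, "lan")]
    return table + [(ipaddress.ip_network(n), "vpn") for n in split_tunnel]


def pick_route(dst, table):
    """Longest-prefix match. Equal-length matches on different interfaces are
    reported as "tie": prefix length alone cannot decide them."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in table if addr in net]
    best = max(net.prefixlen for net, _ in matches)
    ifaces = {ifc for net, ifc in matches if net.prefixlen == best}
    return ifaces.pop() if len(ifaces) == 1 else "tie"


def untranslate(dst):
    """1:1 static NAT at the firewall: mapped address back to the real host."""
    addr = ipaddress.ip_address(dst)
    if addr not in MAPPED:
        return addr
    offset = int(addr) - int(MAPPED.network_address)
    return REAL.network_address + offset


if __name__ == "__main__":
    cases = [("overlapping /24 in split tunnel", ["192.168.1.0/24"], "192.168.1.5"),
             ("host route /32", ["192.168.1.5/32"], "192.168.1.5"),
             ("NATted subnet", [str(MAPPED)], "10.99.1.5")]
    for label, split, dst in cases:
        out = pick_route(dst, client_table(split))
        print(f"{label}: {dst} -> {out} (real server {untranslate(dst)})")
```

With the mapped subnet in the split tunnel, 192.168.1.x addresses still resolve to the home LAN and Internet traffic still leaves via the default route, so split tunneling is preserved.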

Dennis Mink
VIP Alumni

Push a default route out to the client that routes all across the client's VPN interface in the 192.168.40.x range.

Please remember to rate useful posts, by clicking on the stars below.