Site to Site VPN on same LAN address subnet - Cannot communicate

John Peterson
Level 1

Hi,

I have a VPN tunnel between Site A and Site B, which are both on the same LAN subnet.

Site A has an inside LAN of 192.168.0.0/24 and a DMZ of 10.0.0.0/24.

Site B has an inside LAN of 192.168.0.0/24.

I have the VPN set up to communicate between the Site A DMZ and the Site B inside.

Both tunnels are up, but I'm unable to ping the other site and vice versa. Also, from the DMZ, when I ping the 192.168.0.0/24 range the ping times out; I guess this is because the ping is sent to the inside LAN of Site A. Also, the DMZ has a security level of 50 and the inside LAN of Site A a security level of 0.

Is there any way of making this work?

Thanks


23 Replies

danmoren
Level 1

Hello John,

This is a known issue with overlapping networks.

Even though you are trying to communicate between 10.0.0.0/24 (Site A) and 192.168.0.0/24 (Site B), and those are different networks, Site A also has a 192.168.0.0/24 network, and that will cause routing issues. Site A will treat all traffic to 192.168.0.0/24 as local traffic, even though you want it to send that traffic across the tunnel.

The way to fix this problem is to create a translation for the 192.168.0.0/24 coming from Site B.

Before going any further. Do you manage both sites? Do you have access to Site A and Site B VPN devices?

Are both devices ASAs? What versions are those devices running?

We need to have this information at least, so that I can give you the right directions.

Thanks Daniel,

I only manage the site A, but I can contact the other party to make changes.

Site A has a 5510 and the other site is using Juniper.

I think, not sure but Site A is using 8.2.

Would you say that I should ask Site B to NAT to their outside interface? Therefore my destination would be their outside IP address?

Thanks

John,

That could be a solution.

If they NAT their network to their Outside IP address this will work, but a little bit different from a regular tunnel.

If they NAT their entire 192.168.0.0/24 network to the Outside IP of the Juniper box, then the tunnel will get established and they will be able to send traffic and access your network with no problem. However, you won't be able to send (initiate) traffic to their side, because their internal network is hidden behind the Outside IP address. That kind of translation is called PAT.

If you need full two-way communication across the tunnel, you need to ask them to translate their network on a one-to-one basis, so that they can access you and you can access them.

The other solution is to translate their network in your ASA. You can do the following:

static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0

With those lines in place, the tunnel configuration will remain the same, no changes are required there. But when you need to access their network you should point traffic to the 192.168.200.0/24 address, not the original 192.168.0.0/24.

So, in the case where you need to access their 192.168.0.10 host from your DMZ, you will need to actually try to access 192.168.200.10.

Why don't you give this a shot and let me know the results?

Thanks Daniel,

I'll give this a go and let you know by Sunday evening UK time.

Thanks

Hi,

I'm not able to use the static NAT, as I have devices which communicate from the inside 192.168.0.0/24 to the 10.0.0.0/24 range in Site A.

Any suggestions please?

Hi John,

Daniel has suggested to NAT your subnet to 192.168.200.0 subnet when you try to get the traffic to go through the tunnel.

For the 192.168.0.0/24 subnet, why don't you give a longer-match reverse route towards the inside zone? I believe this should solve your problem.

Please let me know if there are any challenges in implementing this.

Cheers

Arun.

Hi Arun,

How would I implement the longer-match reverse route?

Thanks.

Hi John,

Let's say in the DMZ zone you already have a specific route pointing to 192.168.200.0/24, i.e. the locally significant subnet for NAT.

Now you just need to give a route in the DMZ pointing towards the Inside zone, saying that whatever replies are to be sent to the 192.168.0.0/16 range should be forwarded to the Inside zone, whereas the 200.0/24 subnet will take care of the tunnel traffic.

If I am right:

route Inside 192.168.0.0 255.255.0.0 {next hop in the Inside subnet}.

I believe you already have the routing from Inside to DMZ zone, so the above line of command should do the job.

Cheers

Arun.

From my understanding, would I need the route command in there? When I do a show route, the inside is directly connected, so it would forward the traffic straight out anyway.

Can someone please explain to me what this command does: static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0 ?

Thanks

Looking at the static command, I guess the outside IP is 0.0 and the inside is 200.0? Or is it the other way round?

John,

The NAT command specified above by you actually says:

1. The direction of the NAT is from Outside to DMZ.

2. The subnet 192.168.0.0 is NATted to 192.168.200.0 (you might be getting confused here, thinking why this is the other way around. Well, that is the way the ASA command has been formulated.) So basically, the NAT zones and the subnets mirror each other.

Hope that helps.

Cheers

Arun.

I thought the NAT was from DMZ to outside, translating the IP from 200.0 to 0.0?

Also, where would the static command be executed, between which events of the packet being sent and being received?

Thank you.

John,

If you see, the NAT direction, although from outside to DMZ, works both ways, since it is a static NAT. Traffic originating from the remote end will get NATted to 200.0 (192.168.0.10 gets NATted to 192.168.200.10), and traffic from the DMZ to the remote end will get NATted to 192.168.0.0 too.

This is what Daniel meant when he wrote: "So, in the case where you need to access their 192.168.0.10 host from your DMZ, you will need to actually try to access 192.168.200.10."
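A small model of what the static does, as an added example (not from this thread and not ASA code): longest-match routing sends 192.168.0.x from the DMZ to the inside interface (the timeout John saw), while 192.168.200.x goes out the tunnel and is translated one-to-one in both directions. The topology, routing table and translation behaviour are constructed from the thread's description.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (illustrative, not ASA configuration):
# Site A DMZ 10.0.0.0/24 and inside 192.168.0.0/24; Site B 192.168.0.0/24 behind the
# tunnel, presented to Site A as 192.168.200.0/24 by
#   static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0
REAL_NET = ip_network("192.168.0.0/24")      # Site B's real addresses (overlap Site A inside)
MAPPED_NET = ip_network("192.168.200.0/24")  # locally significant addresses used from the DMZ

# Site A routes as the thread describes them: inside and DMZ directly connected,
# everything else (tunnel traffic included) via the outside interface.
ROUTES = [
    (ip_network("0.0.0.0/0"), "outside"),
    (ip_network("192.168.0.0/24"), "inside"),
    (ip_network("10.0.0.0/24"), "DMZ"),
]


def lookup(dst: str) -> str:
    """Longest-prefix-match route lookup: the most specific matching prefix wins."""
    matches = [(net, iface) for net, iface in ROUTES if ip_address(dst) in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def _shift(addr: str, src_net, dst_net) -> str:
    """One-to-one (netmask-preserving) translation: keep the host bits, swap the network."""
    a = ip_address(addr)
    if a not in src_net:
        return addr  # not covered by the static, passes untranslated
    host_bits = int(a) - int(src_net.network_address)
    return str(ip_address(int(dst_net.network_address) + host_bits))


def dmz_to_remote(dst: str) -> tuple:
    """A DMZ host sends to dst. Returns (egress interface, destination seen by Site B)."""
    egress = lookup(dst)
    if egress == "outside":                   # only tunnel-bound traffic hits the static
        return egress, _shift(dst, MAPPED_NET, REAL_NET)
    return egress, dst                         # 192.168.0.x stays local: this is the timeout


def remote_to_dmz(src: str) -> str:
    """Site B host src arrives over the tunnel; the static rewrites it so replies route outside."""
    return _shift(src, REAL_NET, MAPPED_NET)


if __name__ == "__main__":
    print(dmz_to_remote("192.168.0.10"))    # ('inside', '192.168.0.10')  never leaves Site A
    print(dmz_to_remote("192.168.200.10"))  # ('outside', '192.168.0.10') reaches Site B
    src = remote_to_dmz("192.168.0.10")     # '192.168.200.10'
    print(src, lookup(src))                 # reply routes 'outside', not to the inside LAN
```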

Thank you very much.

I wanted to know at which stage the command would be executed: is it at the last stage when traffic is sent and the first when it returns?