Site to Site VPN on same LAN address subnet - Cannot communicate

Hi,

I have a VPN tunnel between Site A and Site B, which are both on the same LAN.

Site A has an inside LAN of 192.168.0.0/24 and a DMZ of 10.0.0.0/24

Site B has an inside LAN of 192.168.0.0/24

I have the VPN set up to communicate between the Site A DMZ and Site B Inside.

Both tunnels are up but I'm unable to ping the other site and vice versa. Also from the DMZ when I ping the 192.168.0.0/24 range the ping times out, I guess this is because the ping is sent to the inside LAN of site A. Also the DMZ has a security level of 50 and the inside LAN of site A a security level of 0.

Is there any way of making this work?

Thanks

John,

The command will get executed as soon as any traffic with a src of 192.168.0.0/24 hits the outside interface, or with a destination of 192.168.200.* hits the Outside interface from the DMZ. Only when traffic matching the destination or src of the nat statement is encountered will the NAT start its work.

HTH

Cheers

Arun


Hi Arun,

If this is the case then this will not work for me, because on my inside I have a 192.168.0.0/24 range which connects to the internet but is natted with PAT. Therefore I cannot have traffic which is generated from the inside being natted to a 200.0 address when it hits the outside. Traffic from my inside should be natted with PAT. Only traffic from the DMZ should apply this nat rule, and any traffic which comes from the outside, i.e. VPN, should then be directed via the Nat rule to the DMZ?

Sorry, but does this make sense?


Hi,

Just follow the URL below and I think it will resolve the issue.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml


Get the other party to NAT on their end. See if they can do that :)


John,

It will work because your 192.168.0.0 from the Inside zone is PATed, I believe, to the Outside interface. Traffic from the DMZ will only get natted if it hits 192.168.200.0 on the Outside interface (not on the Inside interface). So you do not have to worry about the traffic being affected as it comes out from the Inside interface.

The concept basically is this:

If the flow of traffic in the ASA, or in any router for that matter, is from the Inside zone to the Outside zone, traffic gets routed first and then NATted, since the appliance has to first identify through which interface it has got to pass, as NAT commands are interface specific. But when traffic comes from the outside, it gets NATted first and then routed.

When 192.168.0.0 comes to the Outside zone from the Inside zone (due to the connected route on the ASA), the traffic gets a PAT to the Outside interface and it is able to access the Internet.

When traffic from the DMZ gets routed to 192.168.200.0 (as routing happens first before getting NATted), NAT will happen only for that traffic which has its destination as 192.168.200.0 (and as traffic from the inside interface matches the longer route of 0.0.0.0 0.0.0.0, it won't come under this static nat statement's jurisdiction, and hence, will not be affected).

HTH

Cheers

Arun
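An added model of the order of operations Arun describes (route then translate for traffic leaving a higher-security interface; translate then route for traffic arriving on the outside), written for this thread and not configuration from it. It assumes a static translation that presents the remote 192.168.0.0/24 to the DMZ as 192.168.200.0/24 and a constructed outside address 203.0.113.1 for inside PAT; the thread never shows the actual command, so both are assumptions.

```python
import ipaddress

# Constructed routing table for the Site A ASA in the thread: longest prefix wins.
ROUTES = [("192.168.0.0/24", "inside"), ("10.0.0.0/24", "dmz"), ("0.0.0.0/0", "outside")]

# Assumed static translation (the thread does not show the command): the remote
# 192.168.0.0/24 reached through the tunnel is shown to the DMZ as 192.168.200.0/24.
MAPPED = ipaddress.ip_network("192.168.200.0/24")
REAL = ipaddress.ip_network("192.168.0.0/24")
PAT_ADDR = "203.0.113.1"  # constructed outside interface address used for inside PAT


def egress(dst):
    """Longest-prefix lookup: the interface the ASA would send dst out of."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p, _ in ROUTES if addr in ipaddress.ip_network(p)]
    best = max(nets, key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]


def shift(addr, src_net, dst_net):
    """Keep the host part of addr but move it from src_net onto dst_net."""
    return dst_net[int(addr) - int(src_net[0])]


def from_inside_or_dmz(ingress, src, dst):
    """Higher security -> lower: route first, then apply NAT on the egress interface."""
    out = egress(dst)
    d = ipaddress.ip_address(dst)
    if out == "outside" and ingress == "dmz" and d in MAPPED:
        # static (outside,dmz): DMZ host talks to 192.168.200.x, tunnel sees 192.168.0.x
        return {"egress": out, "src": src, "dst": str(shift(d, MAPPED, REAL)), "nat": "static"}
    if out == "outside" and ingress == "inside":
        # inside hosts keep their PAT; the static never sees them
        return {"egress": out, "src": PAT_ADDR, "dst": dst, "nat": "pat"}
    # inside <-> DMZ traffic is routed between connected interfaces, untouched
    return {"egress": out, "src": src, "dst": dst, "nat": "none"}


def from_outside(src, dst):
    """Lower security -> higher: translate first, then route the translated packet."""
    s = ipaddress.ip_address(src)
    nat = "none"
    if s in REAL:  # replies from the remote 192.168.0.0/24 arrive as 192.168.200.x
        s, nat = shift(s, REAL, MAPPED), "static"
    return {"egress": egress(dst), "src": str(s), "dst": dst, "nat": nat}
```

Running `from_inside_or_dmz("dmz", "10.0.0.5", "192.168.0.7")` reproduces the original symptom (the packet is routed to the local inside interface), while the same host sending to `192.168.200.7` is sent out the outside interface with its destination rewritten.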


Thank you very much.

It is much clearer.

I also have VPN users who VPN to the ASA and access the inside and DMZ; will this static cmd affect them?


John,

No, it won't affect them.

Cheers

Arun


Hello John,

I'm sorry I didn't get to this over the weekend.

What Arun has told you is correct. The translation I suggested will not affect the communication that is currently happening between your DMZ and Inside interfaces.

It won't affect the traffic from the Inside to the Internet either. This is only for the Site-to-Site tunnel to work with the overlapping situation you have.

The VPN users won't be affected as long as they are not coming as part of the 192.168.0.0/24 network.

Finally, you don't need to add any route statements for the communication between your internal 10.0.0.0/24 and 192.168.0.0/24 networks. Since those are directly connected to the DMZ and Inside interfaces respectively, the ASA will handle the routing without the need for the route command.

After adding the static command that I suggested, if you need to access the Inside network from your DMZ you can do that with no problem, just as you have been doing it so far. And if you need to access the remote network across the tunnel, just keep in mind you will need to point the connection to a 192.168.200.0/24 address. And there is no need for you to modify the interesting traffic definition (crypto map acl) from the way it is defined right now.

If you have any other doubts just let me know.
