Site to Site vpn - WAN port is behind NAT and is same subnet as destination - help?

troyd91
Level 1

I have 2 Cisco 871 set up to vpn in to an ASA 5510.  Everything has worked even when the 871 is behind a nat.

We use these routers to send to employees home for temporary use.

The WAN ports on the 871 are configured to pick up an IP via DHCP.

Office ASA 5510 - Public IP address
  WAN      - Public IP
  Internal - 192.168.1.0/24
       |
       |
   Internet
       |
       |
Home Router
  WAN      - Public IP
  Internal - 192.168.1.0/24
       |
       |
Cisco 871 picks up 192.168.1.x on WAN port from user's home router
  Internal vlan1 - 192.168.10.x/24

The problem is - this user's home router is using the same subnet as the internal network at the office.  Is there any way to force traffic bound for 192.168.1.x to go over the VPN tunnel?  It does this correctly if the 871's WAN port is not also on the same subnet.  The VPN tunnel does come up.  And I can ping to and from the router; it's just the clients behind the 871 that cannot ping or access the corp network.

Hopefully this made sense.  I hope someone can help me out.

Thanks

-Troy

2 Replies

andrew.prince
Level 10

Troy - it's just blind bad luck that you have chosen to use the most popular IP subnet from the private address range.  Sadly, so do all the home router providers...

From the router's point of view you could try PBR for the local subnet going to the 192.168.10.0/24 and give it a next hop IP of the remote end of the VPN tunnel.  However, this will only work if the clients on the home network have the router as the default gateway.

However, I believe the 871 has a 4-port switch in it?  So just have the user connect their machine directly into it?

If I understand your issue correctly.

HTH

Thanks for the reply Andrew.

Yes, the 871 does have a 4-port switch - and that is where we are plugging into.  We have an IP phone and a laptop plugged into the switch on the 871.  Those devices pick up an IP from the 871 in the 192.168.10.0/24 range.  But it still isn't working.

I'll look into PBR.  Right now there is an ACL that allows traffic to the 192.168.1.0/24 over the VPN.  But the 871 is picking up the default gateway route from the home router that is 192.168.1.1 and sending traffic out that way instead of over the VPN.

-Troy
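The thread's core problem is route selection: once the 871's WAN port holds an address in 192.168.1.0/24, that connected route is more specific than the default route, so packets for the office LAN are looked up locally on the home network instead of being sent toward the tunnel peer, even though they match the crypto ACL. The following is an added example, not part of the original thread and not Cisco code: a small Python model of longest-prefix-match forwarding with a policy route consulted first, which is the PBR idea from the reply. The prefixes mirror the thread's topology; the interface names (FastEthernet4, Vlan1), the routing-table layout and the tunnel-peer label are assumptions, and the model does not emulate IOS crypto-map processing.

```python
"""Simplified model of the 871's forwarding decision from the thread.

Added example, not from the original post and not Cisco code. Interface
names and the tunnel-peer label are assumptions; the prefixes mirror the
thread's topology. Real IOS crypto-map behaviour is not emulated here."""
from ipaddress import ip_address, ip_network

OFFICE_LAN = "192.168.1.0/24"      # behind the ASA 5510 at the office
HOME_SIDE_LAN = "192.168.10.0/24"  # Vlan1 behind the 871 at the employee's home

# Crypto-map style "interesting traffic" list: (source prefix, destination prefix).
VPN_ACL = [(HOME_SIDE_LAN, OFFICE_LAN)]

# Policy route as suggested in the reply: steer home-side -> office traffic to
# the tunnel peer before the normal routing table is consulted.
# "<ASA-PUBLIC-IP>" is a placeholder, not a value from the thread.
PBR_TO_VPN = [(HOME_SIDE_LAN, OFFICE_LAN, "tunnel peer <ASA-PUBLIC-IP>")]


def routes_for_wan(wan_prefix, wan_gateway):
    """Constructed routing table for the 871 after DHCP assigns the WAN address.

    Entries are (prefix, next-hop description). The WAN prefix and gateway are
    whatever the home router hands out, which is exactly the thread's problem."""
    return [
        ("0.0.0.0/0", f"default via {wan_gateway} on FastEthernet4"),
        (wan_prefix, "connected on FastEthernet4"),
        (HOME_SIDE_LAN, "connected on Vlan1"),
    ]


def lookup(dst, routes):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    d = ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in routes:
        net = ip_network(prefix)
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return str(best_net), best_nh


def matches_vpn_acl(src, dst, acl=VPN_ACL):
    """True if the flow is 'interesting traffic' for the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def forward(src, dst, routes, pbr=()):
    """Forwarding decision for a packet arriving on Vlan1.

    pbr holds (source prefix, destination prefix, next hop) tuples that are
    checked before the routing table, the way a policy route map is.
    Returns ("policy", rule, next_hop) or ("fib", matched_prefix, next_hop)."""
    s, d = ip_address(src), ip_address(dst)
    for sp, dp, nh in pbr:
        if s in ip_network(sp) and d in ip_network(dp):
            return "policy", f"{sp}->{dp}", nh
    prefix, nh = lookup(dst, routes)
    return "fib", prefix, nh


if __name__ == "__main__":
    laptop, office_host = "192.168.10.5", "192.168.1.50"

    # Home router on a different subnet: the office prefix falls to the default
    # route, the flow matches the crypto ACL, and the tunnel carries it.
    clean = routes_for_wan("192.168.0.0/24", "192.168.0.1")
    print("no overlap :", forward(laptop, office_host, clean),
          "acl match:", matches_vpn_acl(laptop, office_host))

    # Home router on 192.168.1.0/24: the connected WAN route is more specific
    # than the default route and wins, so the 871 looks for the office host on
    # the home LAN, where it does not exist.
    overlap = routes_for_wan("192.168.1.0/24", "192.168.1.1")
    print("overlap    :", forward(laptop, office_host, overlap),
          "acl match:", matches_vpn_acl(laptop, office_host))

    # With the policy route in front of the table the overlap no longer matters,
    # while ordinary internet-bound traffic still follows the default route.
    print("overlap+PBR:", forward(laptop, office_host, overlap, PBR_TO_VPN))
    print("internet   :", forward(laptop, "8.8.8.8", overlap, PBR_TO_VPN))
```

The point the model makes is that the crypto ACL alone cannot rescue the flow: route selection happens on the destination prefix, and a connected /24 always beats a default route. A source-aware policy route (or, as the reply also notes, simply keeping the home LAN off 192.168.1.0/24) is what changes the decision.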