
Two Cisco ASA and tricky S2S (ASA2ASA)

k.shtrykov
Level 1

Hi!

There are two offices (as an example; in reality, an unlimited number of them). One of them is mine, but the infrastructure of the other one is the property of another company, and accordingly is administered by another person.
On both sides there is a Cisco ASA. The task is to bring up a VPN connection to give the other company access to some services of my network (for example HTTP on one of my servers) via an encrypted channel.
The task looks simple, but I may face a situation where the internal networks have the same network addresses.
I would like to resolve this issue with the help of NAT, but I can't find a way to do it in Cisco ASA only.
I imagined this as in the attached picture.

1 Accepted Solution

Accepted Solutions

Dinesh Moudgil
Cisco Employee

Here is a document that you can follow to configure L2L VPNs for overlapping networks:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/


6 Replies

This can be easily done:

On the main ASA, configure static NAT for the internal server to the 172-public IP. The tunnel is then built for the 172-addresses. Of course the other ASA also has to "hide" its own addresses behind unused addresses. If the left server saw the original source address of the right client, the reply packet would be routed internally.

Thank you, but I have no idea how I can specify a 172-address for VPN connections in ASA. I have no Tunnel interfaces, only tunnel-groups. Can you give a config example for two Cisco ASAs, VPN and NAT?

Hi k.shtrykov,
The traffic that is sent over the VPN tunnel is configured in the crypto access-list, which is part of the crypto map rather than the tunnel-group.
Try following the above-mentioned document and the one given below, and it should address your queries:

http://packetpushers.net/how-to-build-an-ipsec-vpn-with-cisco-asas-overlapping-address-space/

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you very, very much :) This solution works great, but I have one last problem: I can't publish only one service/port, only the whole host. In the manual that you provided, the author uses the old syntax (for versions lower than 8.4). AFAIU, I can publish the whole host with

nat (inside,outside) source static obj-host-ip obj-ext-nat-ip destination static obj-nat-ip-of-other-side obj-nat-ip-of-other-side

But I can't understand how I can publish only one service from a host with the new syntax.

Hi k.shtrykov,

It is recommended that you use IP-based access-lists in the crypto maps.
You can configure VPN filters to restrict the traffic based on ports.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
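The configuration below is an added example for this thread, not the original poster's config and not from any Cisco document: it ties together the three pieces discussed above (twice NAT with the 8.4+ syntax from k.shtrykov's post, a crypto ACL on the translated addresses as Karsten described, and a vpn-filter to expose only one port as Dinesh recommended) for "my" ASA. Everything in it is constructed: both LANs are 192.168.1.0/24, the local server 192.168.1.10 is published as 172.16.1.10, the partner's ASA is assumed to hide its LAN behind 172.16.2.0/24 (mirror configuration on their side), the peer address 203.0.113.2 is a documentation address, and the pre-shared key is a placeholder.

```cisco
! Added example (ASA 8.4+ syntax), constructed for illustration; not from the thread.
! Left side: real LAN 192.168.1.0/24, server 192.168.1.10 published as 172.16.1.10.
! Right side (partner): assumed to present its LAN to us as 172.16.2.0/24.

! Real local server and the address the partner will see for it
object network obj-local-server
 host 192.168.1.10
object network obj-local-server-nat
 host 172.16.1.10
! Partner LAN as it appears on the wire (their ASA already translated it)
object network obj-partner-nat-lan
 subnet 172.16.2.0 255.255.255.0

! Twice NAT: the server becomes 172.16.1.10 ONLY when talking to the partner's
! translated range, so its normal Internet traffic is untouched. The destination
! half is identity (same object twice): our ASA must not rewrite partner addresses.
nat (inside,outside) source static obj-local-server obj-local-server-nat destination static obj-partner-nat-lan obj-partner-nat-lan

! Crypto ACL uses the TRANSLATED addresses on both sides: NAT happens before
! encryption, and the peer never sees the real 192.168.1.x addresses.
access-list VPN-TO-PARTNER extended permit ip object obj-local-server-nat object obj-partner-nat-lan

! IKEv1 phase 1 / phase 2 parameters (illustrative; agree them with the peer)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE-MAP 10 match address VPN-TO-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! Expose only TCP/80 on the server to the partner. A vpn-filter ACL is written
! with the REMOTE side as source and the LOCAL side as destination; the ASA
! applies it to the return traffic automatically.
! Assumption: on 8.3+ the local destination is the real (pre-NAT) address;
! confirm with packet-tracer on your release before relying on it.
access-list VPN-FILTER-PARTNER extended permit tcp 172.16.2.0 255.255.255.0 host 192.168.1.10 eq 80

group-policy GP-PARTNER internal
group-policy GP-PARTNER attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value VPN-FILTER-PARTNER

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-PARTNER
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

The partner's ASA needs the mirror image: a twice NAT rule hiding its hosts behind 172.16.2.0/24 towards 172.16.1.10, a crypto ACL from 172.16.2.0/24 to 172.16.1.10, and a vpn-filter of its own if it wants to limit what its users can initiate. To check the whole path on the left ASA without the tunnel up, run `packet-tracer input outside tcp 172.16.2.5 40000 172.16.1.10 80` and `packet-tracer input outside tcp 172.16.2.5 40000 172.16.1.10 22`: the first should pass through the UN-NAT, VPN and VPN-filter phases to 192.168.1.10, the second should be dropped by the VPN-filter phase, which is the behaviour the vpn-filter exists to enforce.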