Solved: I don't see a way around this

kevin.waddell · ‎05-10-2014

Hi all,

This is my first post, and the first time I've been so stumped that I need to reach out to you wonderful folks. I just can't seem to find any answers to my problem on this forum, or anywhere else. I'm hoping someone can guide me in the right direction.
I have two vendors who connect to my ASA (9.1) over IPSec VPN, who both have IP addresses in the same network. One has the entire 192.168.0.0/22 network in their crypto map, while the other only has a single host in the same network; 192.168.0.156. They both need to access the same local network, but it doesn't seem to be working.
I can't get either vendor to NAT their subnet or IP's on their end, so I have to deal with this on my side.
When configuring the tunnels in ASDM I recieve the warning: "The protected traffic overlaps with that of the connection profile to x.x.x.x. This can cause traffic initiated from the local network, which is intended to go through y.y.y.y, to go through x.x.x.x"
Does anyone know how to get around this? I'm thinking I can maybe NAT the single IP from the one vendor, but I'm not quite sure how to do that, and if it will actually solve anything. I tried a few different things with NAT, but I still can't get it to work. I may be barking up the wrong tree because, based on the error I receive, it looks like the local subnet that they both access is the problem, and not the remote networks themselves. But I could be wrong, because I'm kinda new to this, so I could be out to lunch.
Simply:
192.168.0.0/22 --> 172.17.4.0
192.168.0.156/32 -->172.17.4.0

Can anyone provide any insight?
I can provide any further info if necessary.

Thanks!

kevin_giusti · ‎05-13-2014

I don't see a way around this without doing NAT of some sort. If your vendor has a spare public IP that would be easiest. Otherwise you can NAT to a private IP (you just need to make sure routing is correct on both sides)

Ex.

This is assuming that you have to build a VPN tunnel and both internal networks are 192.168.1.X/24.
Assuming that 40.40.40.2 is an available public IP a similar configuration can be done and 50.50.50.1 is the far side of the VPN tunnel.

interface GigabitEthernet0
nameif outside
security-level 0
ip address 40.40.40.1 255.255.255.0

interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

object network local_host
host 192.168.1.10

object network local_host_nat
host 40.40.40.2

access-list vpn extended permit ip host 40.40.40.2 host 50.50.50.2

nat (inside,outside) source static local_host local_host_nat

crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 50.50.50.1
crypto map vpn 10 set ikev1 transform-set aes-256-sha

crypto map vpn interface outside
crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
ikev1 pre-shared-key MyKey

Thanks,

Kevin

View solution in original post

kevin_giusti · ‎05-13-2014