10-10-2015 11:26 AM
Hi.
I am having no luck in getting a VPN client to access my internal network.
I have a client who requires access to the company's internal resources, and the issue I have is that the client's internal network is identical to mine (172.16.1.0/24). I have VPN configured and it all works successfully for all of the other clients except this one, due to the overlapping networks.
I looked through the discussions and saw that I should be using NAT to convert my internal network to some other address range to resolve the conflict, but I've tried it and seem to be missing a piece somewhere, so I am looking for any assistance.
I only have one static IP address right now as well and I am using NAT overload and static NAT to access web server and such.
The internal network is 172.16.1.0/24 for the client and my company
The external address is 1.2.3.4 (hidden to save the innocent)
Cisco router is 2811 running version 15.1.
What I have done is create two VPN crypto groups (one for regular clients, one for overlapping).
Regular pool: 172.16.10.61 - 172.16.10.79
Overlapping pool: 172.16.9.61 - 172.16.9.79
I wanted to convert 172.16.1.0/24 to 10.10.10.0/24 and match the host address.
Here is the configuration I am trying to use.
Any help would be appreciated.
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
hostname VPNTEST
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius IAS
server 172.16.1.11 auth-port 1812 acct-port 1813
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local group IAS
aaa authorization exec ciscocp_vpn_group_ml_1 local group IAS if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
no network-clock-participate wic 0
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip name-server 172.16.1.10
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp router-traffic
ip inspect name CCP_LOW udp router-traffic
ip inspect name CCP_LOW vdolive
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice service voip
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-529069381
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-529069381
revocation-check none
!
!
!
!
!
redundancy
!
!
controller T1 0/0/0
!
controller T1 0/0/1
!
ip tftp source-interface FastEthernet0/1.1
!
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNCLIENTS
key XXXXXXXXXX
dns 172.16.1.11
wins 172.16.1.11
domain viking.lan
pool SDM_POOL_1
acl 116
max-users 10
netmask 255.255.255.0
!
crypto isakmp client configuration group VPNOVERLAP
key XXXXXXXXXX
dns 172.16.1.11
wins 172.16.1.11
domain viking.lan
pool SDM_POOL_2
acl 117
max-users 5
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 1.2.3.4 255.255.255.252
ip access-group 103 in
ip flow ingress
ip flow egress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description $FW_INSIDE$
encapsulation dot1Q 1 native
ip address 172.16.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
!
ip local pool SDM_POOL_1 172.16.10.61 172.16.10.79
ip local pool SDM_POOL_2 172.16.9.61 172.16.9.79
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat pool NATVPN 10.10.10.1 10.10.10.254 netmask 255.255.255.0 type match-host
ip nat inside source list 120 pool NATVPN
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.1.19 443 1.2.3.4 443 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.19 1433 1.2.3.4 1433 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.19 8082 1.2.3.4 8082 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.40 80 1.2.3.4 40001 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.41 80 1.2.3.4 40002 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.42 80 1.2.3.4 40003 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.43 80 1.2.3.4 40004 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.44 80 1.2.3.4 40005 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.45 80 1.2.3.4 40006 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.46 80 1.2.3.4 40007 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.49 41001 1.2.3.4 41001 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.49 42001 1.2.3.4 42001 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 172.16.1.49 42002 1.2.3.4 42002 route-map SDM_RMAP_1 extendable
ip route 0.0.0.0 0.0.0.0 1.2.3.5
!
!
!
ip radius source-interface FastEthernet0/1.1
logging esm config
logging source-interface FastEthernet0/1.1
logging 172.16.1.15
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.4.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 deny ip 172.16.1.0 0.0.0.255 any
access-list 103 remark HTTPS ACCESS
access-list 103 permit tcp any any eq 443
access-list 103 remark SQL ACCESS
access-list 103 permit tcp host 108.60.140.186 any eq 1433
access-list 103 permit tcp host 69.25.143.33 any eq 1433
access-list 103 permit tcp host 69.25.143.34 any eq 1433
access-list 103 permit tcp host 173.48.214.17 any eq 1433
access-list 103 permit tcp 71.183.217.128 0.0.0.63 any eq 1433
access-list 103 deny ip any any log
access-list 105 remark CCP_ACL Category=2
access-list 105 deny ip 172.16.0.0 0.0.7.255 172.16.10.0 0.0.0.255
access-list 105 deny ip 172.16.0.0 0.0.7.255 172.16.11.0 0.0.0.255
access-list 105 deny ip 172.16.0.0 0.0.7.255 172.16.12.0 0.0.0.255
access-list 105 deny ip 172.16.0.0 0.0.7.255 172.16.9.0 0.0.0.255
access-list 105 permit ip 172.16.2.0 0.0.0.255 any
access-list 105 permit ip 172.16.1.0 0.0.0.255 any
access-list 105 permit ip 172.16.3.0 0.0.0.255 any
access-list 105 permit ip 172.16.4.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 permit ip 172.16.0.0 0.0.7.255 any
access-list 116 remark VPN Connectivity
access-list 116 permit ip 172.16.0.0 0.0.255.255 any
access-list 117 remark VPN ALL ROUTES
access-list 117 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 172.16.1.0 0.0.0.255 172.16.9.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
privilege exec level 1 show configuration
privilege exec level 1 show
banner login ^CCThis router is for authorized personnel only^C
!
end
01-13-2016 11:10 AM
No solution to date
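The pieces that the posted configuration is missing, worked through as an added example. This is editor-supplied IOS configuration, not from the original poster or from Cisco; it assumes the same addressing as the post (inside LAN 172.16.1.0/24, overlapping-client pool 172.16.9.61-79, the LAN presented to those clients as 10.10.10.0/24, DNS/WINS at 172.16.1.11) and that the release accepts a route-map on a static network translation. The names ACL_OVERLAP_NAT and RM_OVERLAP_NAT and the translated DNS address 10.10.10.11 are illustrative.

```cisco
! Editor's example, not the original poster's configuration. Names marked
! with "illustrative" below are assumptions, not taken from the post.
!
! 1. Host-preserving translation 172.16.1.x <-> 10.10.10.x that exists
!    before any traffic flows. The posted "ip nat inside source list 120
!    pool NATVPN" only builds an entry when an inside host initiates, so a
!    client-initiated packet to 10.10.10.x arrives with nothing to match.
!    A static network entry is present from the start and is traversed in
!    both directions.
!    The route-map (illustrative name) limits the translation to traffic
!    headed for the overlapping client pool, so Internet-bound traffic
!    keeps using the existing overload entry (SDM_RMAP_1 / ACL 105 already
!    excludes 172.16.9.0/24 from the overload, which must stay that way).
ip access-list extended ACL_OVERLAP_NAT
 permit ip 172.16.1.0 0.0.0.255 172.16.9.0 0.0.0.255
!
route-map RM_OVERLAP_NAT permit 10
 match ip address ACL_OVERLAP_NAT
!
no ip nat inside source list 120 pool NATVPN
ip nat inside source static network 172.16.1.0 10.10.10.0 /24 route-map RM_OVERLAP_NAT
!
! 2. The group for overlapping clients must hand out addresses that are
!    reachable *through the tunnel*. With dns/wins 172.16.1.11 the client
!    resolves names against a host on its own LAN, because 172.16.1.0/24
!    is local to it and is (correctly) not in its split-tunnel list.
!    10.10.10.11 is the translated address of 172.16.1.11 (assumption:
!    the DNS server stays at .11).
crypto isakmp client configuration group VPNOVERLAP
 key XXXXXXXXXX
 dns 10.10.10.11
 wins 10.10.10.11
 domain viking.lan
 pool SDM_POOL_2
 acl 117
 max-users 5
 netmask 255.255.255.0
!
! 3. Split-tunnel ACL 117 is already right: it pushes only 10.10.10.0/24
!    to these clients. It must never list 172.16.1.0/24, or the client's
!    own LAN route is shadowed by the tunnel.
access-list 117 remark VPN ALL ROUTES
access-list 117 permit ip 10.10.10.0 0.0.0.255 any
!
! 4. The inbound ACL on FastEthernet0/0 is applied to the decrypted packet
!    as well as to the ESP packet. ACL 103 permits 172.16.10.0/24 and
!    172.16.11.0/24 as post-decryption sources but not the overlapping
!    pool, so 172.16.9.x -> 10.10.10.x is dropped by "deny ip any any log".
!    Sequence 5 places the entry ahead of the existing lines (default
!    numbering starts at 10), i.e. before the final deny.
ip access-list extended 103
 5 permit ip 172.16.9.0 0.0.0.255 10.10.10.0 0.0.0.255
```

Verify from a connected overlapping client by pinging 10.10.10.11 and checking, on the router, `show ip nat translations` (an entry 10.10.10.11 <-> 172.16.1.11 should appear for the client's pool address), `show crypto ipsec sa` (the SA's proxy identity should be 10.10.10.0/24 to the client's /32, and the decaps counter should rise), and `show access-list 103` (hits on the sequence-5 line). If the translation only appears after a host on 172.16.1.0/24 initiates toward the client, the release is treating the route-mapped static entry as inside-initiated only, and the route-map condition has to be dropped in favour of isolating the translation some other way; that behaviour differs between IOS trains, so it is worth confirming rather than assuming.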