06-07-2012 10:40 AM
I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have cable router with no VPN capability, and they don't want to spend any more money on this project.
Can this work if there is no duplication of IP addresses?
06-15-2012 06:20 AM
Your NONAT ACL overlaps with the static policy NAT and NONAT takes precedence over static policy NAT, that's why it's not working.
Please kindly remove the following:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
06-07-2012 07:09 PM
You can configure static policy NAT for that customer.
Eg:
VPN Client pool is 192.168.1.0/24
Local LAN is 10.10.10.0/24 which overlaps with customer's network
What you would need to configure is to statically NAT your local LAN to a unique subnet (say 10.20.20.0/24) when traffic is destined towards the VPN Client pool.
access-list nat-for-vpnclient permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 10.20.20.0 access-list nat-for-vpnclient
Split tunnel needs to include the 10.20.20.0/24 network, and if you have NAT exemption configured for the VPN Client, then please remove it.
The above sample config is assuming you are running version 8.2 or lower. If you are running 8.3 or higher, let us know and we can help with the exact command.
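For the 8.3-and-later case this reply defers, the following is the twice NAT equivalent of the static policy NAT above. It is an added example, not part of the original reply, and keeps the reply's illustrative addresses (local LAN 10.10.10.0/24, mapped 10.20.20.0/24, VPN Client pool 192.168.1.0/24); the object names are assumed.

```cisco
! ---- ASA 8.3+ equivalent of the 8.2 "static (inside,outside) ... access-list" above ----
! Object names (LAN-REAL, LAN-MAPPED, VPN-POOL) are assumed for this example.
object network LAN-REAL
 subnet 10.10.10.0 255.255.255.0
object network LAN-MAPPED
 subnet 10.20.20.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.1.0 255.255.255.0
!
! Twice NAT: when an inside host talks to the VPN pool, its source is shown as the
! matching 10.20.20.x address; the pool itself stays untranslated (VPN-POOL -> VPN-POOL).
! The explicit line number "1" puts the rule at the top of section 1 so that a broader
! identity (NAT-exemption) rule for VPN clients cannot match first and bypass it.
nat (inside,outside) 1 source static LAN-REAL LAN-MAPPED destination static VPN-POOL VPN-POOL
!
! Checks, after a client in the pool has opened a connection to 10.20.20.x:
show nat detail
show xlate | include 10.20.20
```

As on 8.2, the split-tunnel list for that client group must carry 10.20.20.0/24 rather than the real LAN subnet, and clients reconnect after the change so they receive the new list.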
06-08-2012 07:23 AM
My ASA is running 8.2(1), so no problems there.
The customer needs to send to my server with IP 192.168.1.76, so the above NAT will make this 10.10.10.76, right?
06-08-2012 08:27 AM
No, on the above example, 192.168.1.x is the vpn client pool.
Based on the above example, your customer needs to send to your server 10.10.10.76, and the NAT will make it 10.20.20.76. So what your customer needs to access should be 10.20.20.76.
06-08-2012 10:48 AM
Maybe best for me to be more specific.
My private LAN is 192.168.1.0/24
VPN Client Pool 1 is 192.168.250.1-192.168.250.20
VPN Client Pool 2 is 192.168.250.101-192.168.250.110
Customers private LAN is 192.168.1.0/24
The customer needs to transmit to my 192.168.1.76, a DICOM server, they are sending digital X-rays (CR).
=======
Also, I did enter the "static (inside,outside) 10.20.20.0 access-list nat-for-vpnclient" using the ASDM command line tool, and received the following response:
WARNING: real-address conflict with existing static
TCP inside:192.168.1.75/443 to outside:66.100.102.199/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP inside:192.168.1.75/80 to outside:66.100.102.199/80 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP inside:192.168.1.75/8081 to outside:66.100.102.199/8081 netmask 255.255.255.255
WARNING: real-address conflict with existing static
UDP inside:192.168.1.253/16000 to outside:66.100.102.248/16000 netmask 255.255.255.255
06-08-2012 02:13 PM
The warning messages are OK; the more specific entry will take precedence.
The access-list should be as follows:
access-list nat-for-vpnclient permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
Once you have configured the above, "clear xlate", and test connecting the VPN client and accessing the DICOM server on 10.20.20.76.
06-08-2012 02:13 PM
And also, if you have split tunnel configured, please also add the 10.20.20.0/24 subnet into your split tunnel ACL.
06-08-2012 03:01 PM
This works to the 10.20.20.76 address, but now the VPN Client does not see the 192.168.1.x network.
06-08-2012 05:38 PM
Forgot to mention earlier: if you have 192.168.1.0/24 in your split tunnel list, please remove it. Otherwise, it will send traffic destined towards that subnet through the VPN tunnel.
Please reconnect to the VPN tunnel after the above changes, and all should work now.
06-11-2012 09:02 AM
1. I have the following "SplitTunnel" commands in my ASA:
access-list DerrRemote_splitTunnelAcl standard permit host 192.168.1.76
access-list VPN3k_SplitTunnel_ACL remark TIC Lan
access-list VPN3k_SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0
access-list TMGtoTIC_splitTunnelAcl standard permit host 192.168.1.76
What need to be changed?
2. Can I have both the 192.168.1.0/24 and 10.20.20.0/24 destination networks for the VPN Clients, or will they all change to the 10.20.20.0/24?
06-11-2012 07:03 PM
1. Which split tunnel ACL is used by the customer who needs to send data to the DICOM server? That would be the ACL that you would need to change. Please check which group-policy is used by that client; it would have the split tunnel reference in that group-policy.
2. For the client who has overlapping networks, you can't have both 192.168.1.0/24 and 10.20.20.0/24. You can't have the same subnet exist locally at the VPN Client LAN network as well as your network, since they are Layer 3 hops away. That's the whole reason NAT is configured to allow access to overlapping networks. If they need to access anything in your 192.168.1.0/24, just use the respective IP address in the 10.20.20.0/24 subnet and they would be able to access the same host. For example: if they need access to 192.168.1.185, just access 10.20.20.185, and it would get access to the 192.168.1.185 host.
06-12-2012 08:10 AM
Could I add a separate "group policy" for the 'Overlapping' sites to use and leave the other ones in place?
If this can be done, can the new group not be allowed split tunnel access?
06-12-2012 01:47 PM
You can configure a separate group-policy, and leave the other one in place. You would need to assign this group policy to the respective tunnel-group.
Well, you can't really disable split tunnel since there are overlapping networks; otherwise, they won't be able to access their own subnet if you disable split tunnel.
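Pulling the thread's pieces together (the static policy NAT from the first answer, the dedicated group-policy and tunnel-group suggested here, the 10.20.20.0/24-only split tunnel, and the NAT-exemption overlap identified in the accepted solution), here is a complete 8.2 configuration for the overlapping customer. It is an added example, not the poster's or the original replies' own config; the pool range inside 192.168.240.0/24, the group-policy, tunnel-group, ACL and pool names, and the DICOM port 104 used in the check are assumptions.

```cisco
! ---- ASA 8.2(x): dedicated remote-access group for the customer whose LAN overlaps ----
! Pool for this customer only; it must not overlap either side's 192.168.1.0/24.
! (Pool name and exact range are assumed for this example.)
ip local pool OVERLAP-POOL 192.168.240.1-192.168.240.20 mask 255.255.255.0
!
! Static policy NAT: when inside 192.168.1.0/24 talks to this pool, present it as 10.20.20.0/24
! (192.168.1.76 -> 10.20.20.76, 192.168.1.185 -> 10.20.20.185, and so on).
access-list nat-for-vpnclient extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
static (inside,outside) 10.20.20.0 access-list nat-for-vpnclient
!
! The NAT-exemption ACL must NOT cover this pool: an identity (nonat) entry for
! 192.168.1.0/24 -> 192.168.240.0/24 matches first and the static policy NAT is never
! applied, which is the root cause found in the accepted solution.
no access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
!
! Split tunnel for this group carries only the translated subnet. 192.168.1.0/24 must stay
! off this list, otherwise the client sends its own LAN traffic into the tunnel.
access-list OVERLAP_splitTunnelAcl standard permit 10.20.20.0 255.255.255.0
!
group-policy OVERLAP-GP internal
group-policy OVERLAP-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OVERLAP_splitTunnelAcl
!
tunnel-group OVERLAP-RA type remote-access
tunnel-group OVERLAP-RA general-attributes
 address-pool OVERLAP-POOL
 default-group-policy OVERLAP-GP
tunnel-group OVERLAP-RA ipsec-attributes
 pre-shared-key ********
!
! The existing groups keep their own split-tunnel lists (for example VPN3k_SplitTunnel_ACL
! with 192.168.1.0/24) and are unaffected; only clients of OVERLAP-RA see 10.20.20.0/24.
!
! Checks (exec mode): flush old translations, then connect a client from the new group
! and open the DICOM port (104 assumed) to 10.20.20.76.
clear xlate
show xlate | include 10.20.20.76
show vpn-sessiondb remote
```

The translation must be created before the client connects, which is why the "clear xlate" step and a client reconnect follow every change to the static or to the split-tunnel list. If "show xlate" shows no 10.20.20.76 entry while the client is connected, look for an identity entry in the nonat ACL that still matches the pool, since it takes precedence over the static policy NAT.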
06-12-2012 02:09 PM
I created a new 'Remote Access Tunnel', a new 'Client Pool' (192.168.240.0/24), new User, and on the Client side use a new profile.
I then tested the initial setting and was able to login with the new stuff, and everything worked as expected.
Then I added an ACE in the standard ACL for 10.30.30.0/24 and can log in, but can't ping anything, not 192.168.1.x or 10.30.30.x.
06-12-2012 06:44 PM
Can you please share the config that you have just added, especially the ACL and where you applied the ACL. Thanks.