09-11-2012 07:34 AM
Hello,
I am having an issue accessing corporate services when the IP address of one of our servers, for example, matches the IP address of a local host on the LAN the user is connecting from.
Is there any way to work around and/or resolve this?
I am using split tunneling, sending all DNS lookups through the tunnel, and assigning the DNS name.
I inherited this network, which is a 192.168.0.0/23 with a lot of the services on 192.168.1.x, which easily matches private local LANs.
Solved!
09-11-2012 08:56 AM
Hello Michael,
To solve the overlap, you will need to hide the remote network with a NAT rule, so the VPN clients point to a NATed address on the ASA.
May I know the code version of your ASA?
Thanks.
Portu.
09-11-2012 09:10 AM
Ok, thanks.
It would be something like this:
object network obj-LOCAL
subnet 192.168.1.0 255.255.255.0
!
object network obj-LOCAL_NAT_VPN
subnet 10.254.254.0 255.255.255.0
!
object network obj-VPN_Pool
subnet 192.168.10.0 255.255.255.0
!
! destination static takes the mapped object first, then the real object
nat (outside,inside) 1 source static obj-VPN_Pool obj-VPN_Pool destination static obj-LOCAL_NAT_VPN obj-LOCAL
In the split-ACL (if available) you include the 10.254.254.0/24 network.
The result of this configuration is that when your clients try to access the 10.254.254.0/24 across the tunnel, the ASA will translate it to 192.168.1.0/24 (which is the local network), avoiding the overlap issue.
* Please adjust the config above to your current settings.
Let me know if this is clear.
Thanks.
Portu.
Please rate any post you find useful.
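The following is an added example, not Portu's configuration or Cisco code, that models how the twice-NAT rule above handles a VPN client's packets in both directions and which corporate networks collide with the client's local LAN. The object names and addresses are the ones from the post; the function names and the rule model itself are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the twice-NAT rule in the post:
#   nat (outside,inside) source static POOL POOL destination static MAPPED REAL
# The VPN pool keeps its own address (static identity NAT), while the destination
# the client addresses (MAPPED) is rewritten to the real inside network (REAL).
@dataclass(frozen=True)
class TwiceNatRule:
    source: ipaddress.IPv4Network      # obj-VPN_Pool, 192.168.10.0/24 in the post
    mapped_dst: ipaddress.IPv4Network  # obj-LOCAL_NAT_VPN, 10.254.254.0/24
    real_dst: ipaddress.IPv4Network    # obj-LOCAL, 192.168.1.0/24

    def __post_init__(self):
        # A static network-to-network translation is one-to-one, so both sides
        # must be the same size or the host part cannot be carried across.
        if self.mapped_dst.prefixlen != self.real_dst.prefixlen:
            raise ValueError("mapped and real destination networks must have the same prefix length")


def make_rule(source, mapped_dst, real_dst):
    """Build a TwiceNatRule from CIDR strings."""
    return TwiceNatRule(ipaddress.IPv4Network(source),
                        ipaddress.IPv4Network(mapped_dst),
                        ipaddress.IPv4Network(real_dst))


def _rebase(addr, from_net, to_net):
    """Keep the host part of addr and move it from from_net to to_net."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def translate_inbound(rule, src, dst):
    """A packet from a VPN client entering on 'outside' toward 'inside'.

    Returns the (src, dst) pair after translation. Only traffic from the VPN pool
    to the mapped destination network is rewritten; anything else passes untouched,
    which is why a client must address 10.254.254.x and not 192.168.1.x.
    """
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if src in rule.source and dst in rule.mapped_dst:
        return str(src), str(_rebase(dst, rule.mapped_dst, rule.real_dst))
    return str(src), str(dst)


def translate_return(rule, src, dst):
    """The reply from the inside host back to the VPN client: the real source
    address is rewritten back to the mapped address the client expects."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst in rule.source and src in rule.real_dst:
        return str(_rebase(src, rule.real_dst, rule.mapped_dst)), str(dst)
    return str(src), str(dst)


def find_overlaps(client_lan, corporate_networks):
    """Corporate networks that collide with the VPN client's local LAN; these
    are the ones that need to be hidden behind a mapped range."""
    lan = ipaddress.IPv4Network(client_lan)
    return [n for n in corporate_networks if ipaddress.IPv4Network(n).overlaps(lan)]


if __name__ == "__main__":
    rule = make_rule("192.168.10.0/24", "10.254.254.0/24", "192.168.1.0/24")
    print(find_overlaps("192.168.1.0/24", ["192.168.0.0/23", "10.254.254.0/24"]))
    print(translate_inbound(rule, "192.168.10.5", "10.254.254.10"))  # rewritten to 192.168.1.10
    print(translate_inbound(rule, "192.168.10.5", "192.168.1.10"))   # not matched by the rule
    print(translate_return(rule, "192.168.1.10", "192.168.10.5"))    # source becomes 10.254.254.10
```

The mapped range (10.254.254.0/24 here) is what has to appear in the split-tunnel ACL, since that is the only destination the rule will act on.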
09-11-2012 07:42 AM
Note this is a remote access vpn
09-11-2012 08:58 AM
I am on version 8.4
09-11-2012 10:19 AM
I added the following, including adding the NAT VPN network to the split tunnel, and it is not working:
object network exportinside_NAT_VPN
subnet 10.250.250.0 255.255.254.0
nat (outside,inside) 1 source static it_vpn it_vpn destination static exportinside_NAT_VPN exportinside
09-11-2012 10:56 AM
Yes, confirmed that when there is a matching live host on the user's network it is still not working.
09-11-2012 11:04 AM
Michael,
What is not working?
Can you ping?
Could you please enable ICMP debugging (debug icmp trace) and share the output during a test?
Thanks.
09-11-2012 11:06 AM
I cannot ping, while I can access the network. If there is a live host on the user's network, say 192.168.1.10, when the user connects to the remote access VPN and tries to connect to a server 192.168.1.10, the connection fails.
09-11-2012 11:11 AM
Michael,
You should not try to connect to 192.168.1.10, you should try 10.250.250.10 instead...
That's the whole idea of the NAT translation.
Keep me posted.
09-11-2012 11:28 AM
Okay, got it. Any tricks to getting DNS to respond with the translated address?
----
I would consider creating a stand-alone DNS server to handle requests from the VPN only. Is this the only way to service this?
09-11-2012 12:08 PM
DNS is only available after entering the first network?
nat (outside,inside) 1 source static it_vpn it_vpn dns
09-11-2012 12:22 PM
Michael, do you have any other NAT rules for your DNS server?
Thanks.
09-11-2012 12:23 PM
No not for the DNS server.
09-11-2012 12:45 PM
Please try this:
object network A-DNS-VPN
host 192.168.1.10
nat (inside,outside) static 10.250.250.10 dns
!
group-policy your_policy attributes
dns-server value 10.250.250.1 ---> Assuming your DNS server's IP is 192.168.1.1
!
Then try to resolve 10.250.250.10 across the tunnel (which locally should correspond to 192.168.1.10 and its specific DNS record).
Thanks.
Portu.
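As an added example, not code from this thread or from Cisco, the following models what the dns keyword on a static NAT rule does to a DNS reply crossing the ASA: an A record carrying a real inside address is rewritten to the mapped address the VPN client can actually reach, so no separate DNS server is needed for the VPN. The DNS packet is constructed inline with a minimal wire-format builder; the function names, and the generalization from the post's per-host rule to a network-to-network rewrite, are assumptions.

```python
import ipaddress
import struct


def _encode_name(name):
    """Encode 'server.corp.example' as DNS labels terminated by the root label."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at buf[off]."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length


def build_a_response(name, address, txid=0x1234, ttl=300):
    """Constructed DNS reply with a single A record, as the inside server would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA, 1 question, 1 answer
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                      # pointer back to the question name
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(address).packed)
    return header + question + answer


def _records(buf):
    """Yield (rtype, rclass, rdata_offset, rdlength) for every RR after the question section."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4           # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", buf, off)
        off += 10
        yield rtype, rclass, off, rdlength
        off += rdlength


def a_record_addresses(packet):
    """All IPv4 addresses carried in A records of the reply, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(packet[off:off + 4])))
            for rtype, rclass, off, rdlength in _records(packet)
            if rtype == 1 and rclass == 1 and rdlength == 4]


def doctor_response(packet, real_net, mapped_net):
    """Rewrite A records inside real_net to the corresponding address in mapped_net,
    keeping the host part. Returns (new_packet, number_of_records_rewritten)."""
    real_net, mapped_net = ipaddress.IPv4Network(real_net), ipaddress.IPv4Network(mapped_net)
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    buf = bytearray(packet)
    rewritten = 0
    for rtype, rclass, off, rdlength in _records(buf):
        if rtype != 1 or rclass != 1 or rdlength != 4:
            continue                             # only A records are doctored
        addr = ipaddress.IPv4Address(bytes(buf[off:off + 4]))
        if addr in real_net:
            offset = int(addr) - int(real_net.network_address)
            buf[off:off + 4] = ipaddress.IPv4Address(int(mapped_net.network_address) + offset).packed
            rewritten += 1
    return bytes(buf), rewritten


if __name__ == "__main__":
    reply = build_a_response("server.corp.example", "192.168.1.10")
    print(a_record_addresses(reply))                                   # ['192.168.1.10']
    doctored, count = doctor_response(reply, "192.168.1.10/32", "10.250.250.10/32")
    print(count, a_record_addresses(doctored))                         # 1 ['10.250.250.10']
```

The per-host form (a /32 real to a /32 mapped) reproduces the object NAT rule in the post. Note that a network-wide rule numbers hosts by offset: under a 192.168.0.0/23 to 10.250.250.0/23 translation, 192.168.1.10 becomes 10.250.251.10, which is why the post pins the host explicitly to 10.250.250.10.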