VPN issue when local lan IP matches Corp LAN IP

michael.white
Level 1

Hello,

I am having an issue accessing corporate services when an IP address, for example that of one of our servers, matches the IP address of a local host on the LAN the user is connecting from.

Is there any way to work around or resolve this?

I am using split tunnel, sending all DNS lookups through the tunnel, and assigning the DNS name.

I inherited this network, which is 192.168.0.0/23 with a lot of the services on 192.168.1.x, a range that easily matches private local LANs.

2 Accepted Solutions

Hello Michael,

To solve the overlap, you will need to hide the remote network with a NAT rule, so the VPN clients point to a NATed address on the ASA.

May I know the code version of your ASA?

Thanks.

Portu.


Ok, thanks.

It would be something like this:

object network obj-LOCAL
 subnet 192.168.1.0 255.255.255.0
!
object network obj-LOCAL_NAT_VPN
 subnet 10.254.254.0 255.255.255.0
!
object network obj-VPN_Pool
 subnet 192.168.10.0 255.255.255.0
!
nat (outside,inside) 1 source static obj-VPN_Pool obj-VPN_Pool destination static obj-LOCAL_NAT_VPN obj-LOCAL

In the split-ACL (if available) you include the 10.254.254.0/24 network.

The result of this configuration is that when your clients try to access the 10.254.254.0/24 across the tunnel, the ASA will translate it to 192.168.1.0/24 (which is the local network), avoiding the overlap issue.

* Please adjust the config above to your current settings.

Let me know if this is clear.

Thanks.

Portu.

Please rate any post you find useful.


18 Replies

michael.white
Level 1

Note: this is a remote access VPN.


I am on version 8.4


I added the following (including adding the NAT VPN network to the split tunnel) and it is not working:

object network exportinside_NAT_VPN
 subnet 10.250.250.0 255.255.254.0
!
nat (outside,inside) 1 source static it_vpn it_vpn destination static exportinside exportinside_NAT_VPN

Yes, confirmed that when there is a matching live host on the user's network it is still not working.

Michael,

What is not working?

Can you ping?

Could you please enable ICMP debugging (debug icmp trace) and share the output during a test?

Thanks.

I cannot ping, although I can access the network. If there is a live host on the user's network, say 192.168.1.10, then when the user connects to the remote access VPN and tries to connect to a server at 192.168.1.10, the connection fails.

Michael,

You should not try to connect to 192.168.1.10; you should try 10.250.250.10 instead...

That's the whole idea of the NAT translation.

Keep me posted.

Okay, got it. Any tricks for getting DNS to respond with the translated address?

----

I would consider creating a stand-alone DNS server to handle requests from the VPN only. Is this the only way to service this?

DNS is only available after entering the first network?

nat (outside,inside) 1 source static it_vpn it_vpn dns

Michael, do you have any other NAT rules for your DNS server?

Thanks.

No not for the DNS server.

Please try this:

object network A-DNS-VPN
 host 192.168.1.10
 nat (inside,outside) static 10.250.250.10 dns
!
group-policy your_policy attributes
 dns-server value 10.250.250.1   ---> assuming your DNS server's IP is 192.168.1.1

!

Then try to resolve 10.250.250.10 across the tunnel (which locally should correspond to 192.168.1.10 and its specific DNS record).

Thanks.

Portu.
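As an added example that is not part of the thread or of any Cisco code, the following Python models the two pieces of the accepted answer so they can be reasoned about off the box: the static subnet-to-subnet twice NAT (a VPN client targets 10.254.254.x, the ASA forwards to 192.168.1.x with the same host offset) and the DNS rewrite that the `dns` keyword performs on A records in replies crossing the NAT rule. The addressing (192.168.1.0/24 corporate LAN, 10.254.254.0/24 mapped range, 192.168.10.0/24 VPN pool) and the DNS reply for `fileserver.corp.example` are constructed to mirror the thread and are assumptions, not the poster's live configuration. The rewrite is generalised from the single-host object NAT in the last post to the whole mapped subnet.

```python
import ipaddress
import struct

# Constructed addressing that mirrors the thread (assumptions, not the
# poster's live config). The corporate LAN behind the ASA is the "real"
# side; 10.254.254.0/24 is what VPN clients address instead of it.
CORP_REAL = ipaddress.ip_network("192.168.1.0/24")     # obj-LOCAL
CORP_MAPPED = ipaddress.ip_network("10.254.254.0/24")  # obj-LOCAL_NAT_VPN
VPN_POOL = ipaddress.ip_network("192.168.10.0/24")     # obj-VPN_Pool


def static_subnet_translate(addr, real, mapped):
    """Static subnet-to-subnet NAT keeps the host offset (.10 stays .10).
    Returns None when addr is outside the real subnet, i.e. no match."""
    addr = ipaddress.ip_address(addr)
    if addr not in real or real.prefixlen != mapped.prefixlen:
        return None
    offset = int(addr) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)


def translate_vpn_packet(src, dst):
    """Model of the twice-NAT rule for a packet entering from the VPN side:
    the source (VPN pool) is identity-translated and the destination is
    rewritten from the mapped 10.254.254.x the client targets to the real
    192.168.1.x of the server. Returns (src, dst) after NAT, or None when
    the rule does not match (e.g. the client targeted 192.168.1.x directly,
    which is exactly the case the thread says will not work)."""
    src = ipaddress.ip_address(src)
    if src not in VPN_POOL:
        return None
    real_dst = static_subnet_translate(dst, CORP_MAPPED, CORP_REAL)
    if real_dst is None:
        return None
    return str(src), str(real_dst)


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Offset just past a domain name; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_dns_reply(qname, addrs, txid=0x1234):
    """Constructed sample DNS response: one A record per address, with the
    answer names compressed to point at the question name (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
        + ipaddress.ip_address(a).packed for a in addrs)
    return header + question + answers


def _walk_answers(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer record."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip qtype + qclass
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """Addresses carried in the A records of a DNS response."""
    return [str(ipaddress.ip_address(bytes(msg[o:o + 4])))
            for o, t, c, l in _walk_answers(msg) if t == 1 and c == 1 and l == 4]


def rewrite_dns_reply(msg, real, mapped):
    """What the ASA 'dns' keyword does to a reply leaving the real side:
    A records inside the real subnet are rewritten to the mapped subnet.
    Only the 4-byte rdata changes, so offsets and message length hold."""
    buf = bytearray(msg)
    changes = []
    for off, rtype, rclass, rdlen in _walk_answers(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        old = ipaddress.ip_address(bytes(buf[off:off + 4]))
        new = static_subnet_translate(old, real, mapped)
        if new is not None:
            buf[off:off + 4] = new.packed
            changes.append((str(old), str(new)))
    return bytes(buf), changes


if __name__ == "__main__":
    print(translate_vpn_packet("192.168.10.5", "10.254.254.10"))
    reply = build_dns_reply("fileserver.corp.example", ["192.168.1.10", "192.168.0.20"])
    print(rewrite_dns_reply(reply, CORP_REAL, CORP_MAPPED)[1])
```

Two points the model makes visible. First, the 192.168.0.20 record is left alone because the mapped range in the accepted answer covers only 192.168.1.0/24, not the whole 192.168.0.0/23 the original poster inherited; the mapped object has to be the same size as the real one (the poster's own /23 object is the right shape for that). Second, the per-host object NAT in the last post (`nat (inside,outside) static 10.250.250.10 dns` under the 192.168.1.10 object) is not scoped to the VPN pool: it also applies to that server's other traffic between inside and outside, so check with `show nat` and `packet-tracer` that the server's non-VPN traffic is still translated the way you expect before relying on it for DNS rewrite.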