Hi guys, I have an ASA 5520 with many VPN LAN-to-LAN and VPN Remote Access tunnels. I have an issue with one VPN LAN-to-LAN where there is an overlapping network
between our inside network and the remote peer. There is a VPN LAN-to-LAN with this configuration:
LAN (INSIDE) 192.168.0.0/22 - INSIDE ASA 172.16.0.3 - OUTSIDE ASA 94.125.239.251
192.168.1.10 (real IP, server) ---------> 192.168.198.7 (IP source NAT) ---------> 192.168.201.221 (IP destination NAT, remote peer)
Flow without translation : From 192.168.1.10/32 TO 192.168.201.221/32 (NONAT)
Flow with translation : From 192.168.1.10/32 TO 192.168.201.221/32 (IP SOURCE NAT 192.168.198.7) - CRYPTO
Flow without translation : From 192.168.201.221/32 TO 192.168.198.7/32 ---------------> FROM REMOTE PEER TO ASA - CRYPTO
Flow with translation : From 192.168.198.7/32 TO 192.168.1.10/32 ------------------> STATIC NAT ASA
Below is the configuration:
access-group Traffico-Outbound-Inside-Outside in interface INSIDE
access-list Traffico-Outbound-Inside-Outside extended permit ip host 192.168.1.10 host 192.168.201.221
access-list VPNL2LCryptoOasi extended permit ip host 192.168.198.7 host 192.168.201.221
access-list VPNL2LFilterOasi extended permit icmp host 192.168.201.221 host 192.168.198.7
access-list VPNL2LFilterOasi extended permit tcp host 192.168.201.221 range 1024 65535 host 192.168.198.7 eq 7006
access-list VPNL2LFilterOasi extended permit tcp host 192.168.201.221 eq 6006 host 192.168.198.7 range 1024 65535
nat (INSIDE,OUTSIDE) source dynamic VPNL2LOasiNAT-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNL2LOasiNAT-192.168.201.221-dst
nat (INSIDE,OUTSIDE) source static VPNnonat-192.168.198.7-src VPNnonat-192.168.198.7-src destination static VPNnonat-192.168.201.221-dst VPNnonat-192.168.201.221-dst
object network VPNL2LOasiNAT-IPSRC
nat (OUTSIDE,INSIDE) static 192.168.1.10
crypto ipsec transform-set OasiBeeInsSet esp-aes esp-md5-hmac
crypto map outside_map 110 match address VPNL2LCryptoOasi
crypto map outside_map 110 set peer 194.185.233.36
crypto map outside_map 110 set transform-set OasiBeeInsSet
tunnel-group 194.185.233.36 type ipsec-l2l
tunnel-group 194.185.233.36 general-attributes
default-group-policy 194.185.233.36
tunnel-group 194.185.233.36 ipsec-attributes
pre-shared-key *****
group-policy 194.185.233.36 internal
group-policy 194.185.233.36 attributes
vpn-filter value VPNL2LFilterOasi
When the server 192.168.1.10 in the INSIDE network tries to telnet 192.168.201.221 6006, all is OK. But when 192.168.201.221 telnets 192.168.198.7, in the log I see:
Oct 24 06:29:57 172.16.0.3 Oct 24 2014 06:29:57 IDC-CISCOFWUS-02 : %ASA-6-302014: Teardown TCP connection 2051276 for OUTSIDE:192.168.201.221/59712 to OUTSIDE:192.168.198.7/7006 duration 0:00:00 bytes 0 Flow is a loopback
I tried to follow the link http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/, which in most discussions on the Cisco forum is the example given. Mapped to my configuration, this is my situation:
For their 192.168.1.0/24 -> My host network is 192.168.1.10
For their 192.168.2.0/24 -> My host network is 192.168.198.7
For their 192.168.3.0/24 -> My host network is 192.168.201.221
So, here is my configuration:
nat (INSIDE,OUTSIDE) source dynamic VPNL2LOasiNAT-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNL2LOasiNAT-192.168.201.221-dst
nat (inside,outside) source static VPNnonat-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNnonat-192.168.1.10-src
object network VPNL2LOasiNAT-192.168.1.10-src
nat (outside,inside) static 192.168.201.221
With this configuration, it is not possible to telnet 192.168.201.221 6006.
I tried to route 192.168.198.7 to the INSIDE and there is no error in the log, but there is a SYN timeout on the packets to 192.168.198.7.