Solved: Re: VPN Overlapping NAT

Ratatapaa · ‎11-28-2012

Below is my full config.

Here is some notes

IP gotten from the VPN connection 10.250.128.X

Lan IP 192.168.0.0/24

My VPN atm Works #1 for those who doesn<t have a 192.168..0.0 IP adresse at their home LAN

What i want to do is Nat my VPN to do this

Exemple I wanna access the PC 192.168.0.2 on the Business LAN

I wanna type from the PC (that is connected to the VPN) 192.168.200.2 and the Cisco will convert 192.168.200.2 to 192.168.0.2 to be able to access my PC at work

Of course I think it need to be able to do it on the other side too. (192.168.0.2 to 192.168.200.2 to be able to send the packet back (not sure on that)

Can you guys help, me, this is atm out of my knowledge, and I<m having trouble to understand the exemples

ASA Version 8.2(1)

!

terminal width 250

hostname hostname

enable password d0/xPtlKePBzdYTe encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.0.128.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

speed 10

duplex full

!

interface Ethernet0/1

speed 10

duplex full

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa821-k8.bin

ftp mode passive

object-group service grp_outside_in tcp

description Ports require for internal forwarding

port-object eq smtp

port-object eq ssh

access-list inside-out extended permit ip any any

access-list inside-out extended permit icmp any any

access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0

access-list split-tunnel extended permit ip 192.168.0.0 255.255.20.0 10.250.128.0 255.255.255.0

access-list 100 extended permit ip 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 100 extended permit icmp 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 101 extended permit ip any any

access-list 101 extended permit icmp any any

pager lines 34

logging enable

logging timestamp

logging buffered debugging

logging trap debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list no_nat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 10.0.128.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set mobileset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set transform-set mobileset

crypto dynamic-map dyn1 1 set reverse-route

crypto map mobilemap 1 ipsec-isakmp dynamic dyn1

crypto map mobilemap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh 10.0.128.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy vpn internal

group-policy vpn attributes

vpn-simultaneous-logins 50

vpn-idle-timeout 2000

vpn-session-timeout 2000

group-policy mobile_policy internal

group-policy mobile_policy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value

username admin password N2TJh8TeuGc7EOVu encrypted privilege 15

username user1 password gLGaPhl70GqS8DhN encrypted

username user2 password Y7.fXmPk3FvKUGOO encrypted

tunnel-group mobilegroup type remote-access

tunnel-group mobilegroup general-attributes

address-pool mobilepool

default-group-policy mobile_policy

tunnel-group mobilegroup ipsec-attributes

pre-shared-key *

!

class-map global-class

match default-inspection-traffic

class-map inspection

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:012d58f20bdf997d1e7b6927431e0015

: end

Jouni Forss · ‎11-30-2012

Hi Gyslain,

So if I understood you correctly you want the following things

NAT local LAN 192.168.0.0/24 to 192.168.200.0/24 for the VPN Client users so their local LAN dont overlap with your LAN while they are connected

To my understanding you should be able to handle this with the following changes to your configurations

Configure the Policy NAT
Make changes to the Split Tunnel rules
Remove existing NAT0 rule

Below are some example configurations I think should handle the situation. Naturally make sure to have the old configuration at hand if you need to revert back to the old

Remove the NAT0 rule

no nat (inside) 0 access-list no_nat
no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0

By removing the above configuration we want to avoid you LAN from showing with its original IP address to the VPN Client user.

Creating the Policy NAT

access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT netmask 255.255.255.0

With the above configuration we want to tell the ASA to NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 WHEN connections are made to destination network 10.250.128.0/24 which is the VPN Client Pool. This natutally works both ways. Notice also that if your LAN host IP address is for example 192.168.0.100 it will have a NAT address of 192.168.200.100.

Changing the VPN Client Split tunnel

access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
group-policy mobile_policy attributes
- split-tunnel-network-list value VPN-SPLIT-TUNNEL

The above configuration is aiming to change your VPN client configurations Split Tunnel ACL to a Standard ACL that tells which networks to forward to the VPN connection from your Client. In this case it would be the new Policy NATed network of 192.168.200.0/24. After configuring the ACL you naturally configure it under the VPN settings.

I'm not sure if you have Split tunneling configured at all since the configuration doesnt show the ACL name atleast. I know you can atleast have the configuration line "tunnelspecified" without specifying the actual ACL but not sure if the following line is a copy/paste problem or some typo This should work with Full tunnel also.

With the above configuration to my understanding everything should work.

- Jouni

EDIT: Some typos

EDIT2: Group-policy name was wrong

View solution in original post

Javier Portuguez · ‎11-28-2012

Hi Gyslain,

Please review this doc, then double-check / adjust your settings:

PIX/ASA 7.x and Later: LAN-to-LAN IPsec VPN with Overlapping Networks Configuration Example

HTH.

Portu.

Please rate any helpful posts

Ratatapaa · ‎11-28-2012

I

1 I only got 1 ASA the other site is the clients router that i can'T access

2 Since we are connecting from VPN from home, what zone is the VPN in (Outside?)

ju_mobile · ‎11-28-2012

By slain,

You may have other issues here and the elements that need to be considered include but are not limited to NAT and dns. If your clients haves 192.168.0.x address and your services have a 192.168.0.x address and you wish to present these to your VPN users with a 192.168.200.x address.

We would to understand all elements of your requirements to help build an effective model.

Best regards

Ju

Sent from Cisco Technical Support iPad App

Ratatapaa · ‎11-28-2012

i'm not sure I understand your question so i'm just gonna repeat what i need because I know I am not the best to explain

The client have 1 Office with an ASA 5505 Router Their lan is 192.168.0.0/24

We have a VPN connection that is kinda working atm people from other subnets at home can access the vpn np

But if people at home have the 192.168.0.0 access the VPN, they can connect but cannot access the PC on the other side because the home PC thinks that 0.0 is the local network at home

So I just want the router to say exemple on VPN only if i try to access 192.168.200.X the Cisco converts to his correspondant 192.168.0.X So people with 192.168.0.0 at home can access the VPN

If i'm missing some info don't hesitate to ask

ju_mobile · ‎11-28-2012

Hi,

Apologies if my questions were overly technical. I will attempt to explain.

Your clients may have a 192.168.0.x address at home and you have a 192.168.0.x address in your office.
If you wish to NAT your 192.168.0.x servers to 192.168.200.x when the client has a 192.168.0 x address then its a policy NAT. However, if they connect to a DNS server and the reply is a 192.168.0.x address the address is identified in the payload and not the request as such it's missed by the policy NAT. As most home routers use 192.168.x it's one of those issues that comes with experience...

You can attempt a policy NAT and try to also set the DNS to rewrite. Depending on the FOS version, you may have more hope stopping chocolate from melting in the Sahara...

Sent from Cisco Technical Support iPad App

Ratatapaa · ‎11-28-2012

We won't use DNS for the VPN

Just want to access via 192.168.200.X don't wanna use exemple Rogersserver (which has 192.168.0.200)

Jouni Forss · ‎11-30-2012

Hi Gyslain,

So if I understood you correctly you want the following things

NAT local LAN 192.168.0.0/24 to 192.168.200.0/24 for the VPN Client users so their local LAN dont overlap with your LAN while they are connected

To my understanding you should be able to handle this with the following changes to your configurations

Configure the Policy NAT
Make changes to the Split Tunnel rules
Remove existing NAT0 rule

Below are some example configurations I think should handle the situation. Naturally make sure to have the old configuration at hand if you need to revert back to the old

Remove the NAT0 rule

no nat (inside) 0 access-list no_nat
no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0

By removing the above configuration we want to avoid you LAN from showing with its original IP address to the VPN Client user.

Creating the Policy NAT

access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT netmask 255.255.255.0

With the above configuration we want to tell the ASA to NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 WHEN connections are made to destination network 10.250.128.0/24 which is the VPN Client Pool. This natutally works both ways. Notice also that if your LAN host IP address is for example 192.168.0.100 it will have a NAT address of 192.168.200.100.

Changing the VPN Client Split tunnel

access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
group-policy mobile_policy attributes
- split-tunnel-network-list value VPN-SPLIT-TUNNEL

The above configuration is aiming to change your VPN client configurations Split Tunnel ACL to a Standard ACL that tells which networks to forward to the VPN connection from your Client. In this case it would be the new Policy NATed network of 192.168.200.0/24. After configuring the ACL you naturally configure it under the VPN settings.

I'm not sure if you have Split tunneling configured at all since the configuration doesnt show the ACL name atleast. I know you can atleast have the configuration line "tunnelspecified" without specifying the actual ACL but not sure if the following line is a copy/paste problem or some typo This should work with Full tunnel also.

With the above configuration to my understanding everything should work.

- Jouni

EDIT: Some typos

EDIT2: Group-policy name was wrong

Ratatapaa · ‎11-30-2012

OMG YOU ARE A GOD IT WORKS! (didnt' have to do the split tunnel part)

I just got a 2nd problem

Currently in a test environment (which might be the problem cuz i'm directly connected)

IF my lan at home is exemple 192.168.203.0 and i try to access 192.168.200.0 it works (PC at work is still 192.168.0.0)

But if I change my home lan to 192.168.0.0 I cannot even connect to the VPN (promp doesnt work)

ANy way around this?

Jouni Forss · ‎11-30-2012

Hi,

If this setup was in production and the ASA was connected to the Internet, I dont think there should be a problem with your Home computers local IP addressing since it will get another IP address from the ASA VPN Pool. Naturally you still can't use a network behind the ASA that your local connecting computer might see as connected network

Generally though I'd suggest avoiding overlapping networks if possible. Also avoiding well known or usual private IP networks which modem/router manufacturers use is a good thing to do sometimes.

I think if you are connect straight to the ASA "outside" though in a Lab environment, you might run into problems. Would be good to have a router infront of the ASA and a test LAN network behind the router where you test the VPN Client connections from.

Also when configuring those 192.168.x.x/yy networks, do check the mask that you dont for example use /16 (255.255.0.0) (192.168.0.0 - 192.168.255.255) mask instead of for example the typical /24 (255.255.255.0) (192.168.x.0 - 255)

Please rate if you have found the information helpfull and ask more naturally if there is something I can try to help you with. Best bet is always to give the upto date configuration and clear picture of the device setup.

- Jouni

Ratatapaa · ‎11-30-2012

Yes it was really helpfull I can't thank you enough

I will try to find someone with a 0.0 subnet and test it

Thanks ALOT!