VPN overlapping networks and ACL

charlesjdalby
Level 1

Quick network overview.

10.10.20.0/24
     |
     |
------------
|WAN Router|
------------
     |
     | Inside (10.1.10.0/24)
------------
|local ASA |------DMZ (10.1.11.0/24)
------------
     | Outside (10.1.12.0/24)
     |
  Internet
     |
     |
------------
|remote ASA|
------------
     | 10.1.20.0/24
     |

There is a network of 10.1.20.0/24 which users on the inside LAN can access via the "WAN router"; there is a static route on the PC to route via the "WAN router", not the "local ASA".

There is a static route on the "local ASA" for 10.1.20.0/24 via the WAN router on the inside interface.

There is an ACL on the DMZ interface which denies access to 10.1.20.0/24. However, users on the 10.1.20.0/24 network can access the DMZ network 10.1.12.0/24.

I have to set up a VPN to the "remote ASA", therefore I have overlapping networks. The servers on the DMZ network have to access the remote 10.1.20.0/24.

I have to do the NAT on the "local ASA", so proposed 10.1.20.* is statically mapped to 10.100.20.*

Now when I access 10.100.20.* from 10.1.11.*, this is denied. It fails on the access list entry which denies 10.1.20.0/24 on the DMZ interface.

So I packet traced this and there is an UN-NAT which causes the issue. Just to check I disabled the deny on the ACL and it worked.

So, is there any way of preventing the UN-NAT until after the ACL has been processed?
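The behaviour packet-tracer showed can be reproduced with a small model of the relevant part of the ASA packet path: the destination is UN-NATed first, and the inbound interface ACL is then evaluated against the real (untranslated) address. The following is an added example, not the poster's configuration or Cisco's code; the object names, the simplified flow and the sample hosts (10.1.11.5 on the DMZ, 10.100.20.7 as the mapped remote address) are assumptions chosen to mirror the post.

```python
"""Toy model of the ASA flow the poster observed: UN-NAT, then interface ACL.

Added illustration, not the poster's config. Names and hosts are assumptions.
"""
import ipaddress
from typing import NamedTuple

NET = ipaddress.ip_network


class Packet(NamedTuple):
    ingress: str   # interface the packet arrives on
    src: str
    dst: str


class StaticNat(NamedTuple):
    """Static subnet-to-subnet translation (real <-> mapped), like 'nat ... static'."""
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network

    def un_nat(self, dst: str) -> str:
        """Translate a mapped destination back to its real address (UN-NAT)."""
        addr = ipaddress.IPv4Address(dst)
        if addr in self.mapped:
            offset = int(addr) - int(self.mapped.network_address)
            return str(self.real.network_address + offset)
        return dst


class AclEntry(NamedTuple):
    action: str    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate_acl(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


def asa_path(pkt: Packet, nats: list, acls: dict) -> tuple:
    """Return (acl_result, real_dst) in packet-tracer order: UN-NAT before ACL.

    The ACL is deliberately checked against real_dst, which is what an
    ASA running 8.3 or later does (ACLs reference real IP addresses).
    """
    real_dst = pkt.dst
    for nat in nats:
        real_dst = nat.un_nat(real_dst)
    inbound_acl = acls.get(pkt.ingress, [])
    return evaluate_acl(inbound_acl, pkt.src, real_dst), real_dst


def run_scenario(deny_present: bool) -> tuple:
    """Reproduce the two observations from the post.

    deny_present=True  : the DMZ ACL still denies 10.1.20.0/24 -> traffic denied
    deny_present=False : the deny line removed for the test -> traffic permitted
    """
    # Proposed mapping from the post: remote 10.1.20.0/24 appears as 10.100.20.0/24
    remote_nat = StaticNat(real=NET("10.1.20.0/24"), mapped=NET("10.100.20.0/24"))

    dmz_acl = []
    if deny_present:
        dmz_acl.append(AclEntry("deny", NET("0.0.0.0/0"), NET("10.1.20.0/24")))
    dmz_acl.append(AclEntry("permit", NET("0.0.0.0/0"), NET("0.0.0.0/0")))

    # Constructed sample: a DMZ server talking to the mapped remote address
    pkt = Packet(ingress="dmz", src="10.1.11.5", dst="10.100.20.7")
    return asa_path(pkt, [remote_nat], {"dmz": dmz_acl})


if __name__ == "__main__":
    print("with deny   :", run_scenario(True))    # ('deny', '10.1.20.7')
    print("deny removed:", run_scenario(False))   # ('permit', '10.1.20.7')
```

Because the ACL sees 10.1.20.7 in both cases, an ACL written against real addresses cannot tell the WAN-side 10.1.20.0/24 from the tunnel-side 10.1.20.0/24 once the mapped destination has been UN-NATed; that is exactly why the existing deny line is hit.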


2 Replies

Jennifer Halim
Cisco Employee

To have a correct understanding, are you trying to achieve the following:

1) Users on the inside LAN to access the remote 10.1.20.0/24 via the WAN router.

2) Users on the DMZ subnet to access the remote 10.1.20.0/24 via the VPN tunnel?

If the above is correct, all you have to do is to remove the "route inside 10.1.20.0 255.255.255.0" command because your PC default gateway on the inside is the WAN router, so the traffic from inside will never get to the ASA when it is destined towards the 10.1.20.0/24 subnet. All the ASA needs to be worried about is to route 10.1.20.0/24 via the tunnel for the DMZ subnet. Is this how you would like it to work? If it is, then you don't even need to configure NAT translation, right?

Thanks for the answer Jennifer

However, I have just noticed an error on the diagram

The subnet on the back of the WAN Router should be 10.1.20.0/24.

The WAN connected 10.1.20.0/24 should be able to access the DMZ, but the DMZ can only access the remote 10.1.20.0/24

Sorry for the confusion
