VPN Overlapping

ArshdeepDhillon
Beginner

Hi All,

I have to set up a VPN tunnel for 2 remote sites. Both sites have the same network.

I have Sonicwall in HQ 192.168.200.1

Remote Site 1 which is working has 10.0.0.0 255.255.0.0

Remote Site 2 not working has 10.0.0.0 255.255.0.0 Cisco ASA 5510.

I don't want to make any changes to site 1 as it's already working fine.

How can I get this working?

Any help will be greatly appreciated!

Thanks


14 Replies

Francesco Molino
VIP Mentor

Hi

On your site 2, you have certainly used a NAT exemption statement.

In this NAT statement you can change the mapped address. For example, add the command below.

nat (inside,outside) source static SITE2-REALIP SITE2-NEWSUBNETMAPPING destination static HO-SUBNET HO-SUBNET

You'll also need to modify your crypto ACL with the new NAT subnet you'll use.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

ArshdeepDhillon

Hi Francesco,

Thank you for the information.

I tried, but this command is not working. I am new to this, so sorry for asking so much. The software is Cisco Adaptive Security Appliance Software Version 8.2(5), and I have tried to get this command working but I am not successful so far. If you could please help, that will be really appreciated.

When in config mode I can't do nat (inside,outside); it says Unrecognized command.

Thank you again!

I was able to add this command:

access-list NET1 permit ip host 10.0.0.0 destination IP

static (inside,outside) 192.168.150.0 access-list NET1

What will I have to do to the crypto ACL?

Thanks

Francesco Molino

OK, I saw your previous message. Yes, the commands on 8.2 and post-8.3 are a bit different. I would recommend upgrading if you can.

For your crypto ACL, the source subnet should be the NATted one and not the original one.

Thanks
Francesco

ArshdeepDhillon

Yes,

Here is what I have, but it is still not working.

match ip inside host 10.0.0.0 outside 192.168.200.0 255.255.255.0
static translation to 192.168.150.0

access-list outside_2_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 192.168.150.0 255.255.255.0

access-list NET10 extended permit ip host 10.0.0.0 192.168.200.0 255.255.255.0

static (inside,outside) 192.168.150.0 access-list NET10

access-list outside_2_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 192.168.150.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 any

I really appreciate your help Francesco!

Francesco Molino
VIP Mentor
Accepted Solution

Let's assume your LAN on the inside SonicWall is 192.168.200.0/24.

You want them to show up at the HQ SonicWall with IPs within the subnet 172.16.0.0/16.

The config on the ASA should look like:

access-list vpn extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list natvpn extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0
static (inside,outside) 172.16.0.0 access-list natvpn

crypto map outside_map 10 match address vpn

On the SonicWall, the ACL for your crypto map to this site has 172.16.0.0/16 as the destination subnet, not 10.0.0.0/16.

Hope this helps.

Thanks
Francesco
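As an added example, not code from the thread or from either poster, the Python script below parses the three 8.2-style statements used in the answer above (access-list, policy static, crypto map match address) and checks that the crypto ACL describes the translated subnet rather than the real one. Run over a fragment modeled on the accepted answer it reports nothing; run over a fragment modeled on the earlier attempt (crypto ACL with the real 10.0.0.0/16 as source and the mapped block as destination) it flags both mismatches, plus a mapped address that is not aligned to the real prefix. It also emits the 8.3+ object and twice-NAT form that the first reply suggested. The object names, the config fragments and the assumption that host bits carry over unchanged under the mapping are all constructed for this example.

```python
"""Consistency check for ASA 8.2-style policy static NAT used to present an
overlapping LAN (10.0.0.0/16) to the HQ peer under a mapped subnet.

Statement types handled (the three from the accepted answer):
  access-list <name> extended permit ip <src> <mask> <dst> <mask>
  static (inside,outside) <mapped> access-list <name>
  crypto map <map> <seq> match address <name>
"""
import ipaddress
import re

# Constructed config fragments (hypothetical object names, not a real running
# config). GOOD follows the accepted answer; BAD reproduces the earlier attempt
# where the crypto ACL still carried the real 10.0.0.0/16 as source and the
# mapped block as destination.
GOOD_CONFIG = """
access-list vpn extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list natvpn extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0
static (inside,outside) 172.16.0.0 access-list natvpn
crypto map outside_map 10 match address vpn
"""

BAD_CONFIG = """
access-list outside_2_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 192.168.150.0 255.255.255.0
access-list NET10 extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0
static (inside,outside) 192.168.150.0 access-list NET10
crypto map outside_map 2 match address outside_2_cryptomap_1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse(config):
    """Return (acls, statics, crypto_acl_names) parsed from the config text."""
    acls, statics, cryptos = {}, [], []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(3), m.group(4)))  # (mapped address, ACL name)
        elif m := CRYPTO_RE.match(line):
            cryptos.append(m.group(3))
    return acls, statics, cryptos


def translations(config):
    """Expand each policy static into (mapped_addr, real, mapped, destination).

    Assumption: the mapped block keeps the real prefix length, so host bits
    carry over unchanged (10.0.5.7 -> 172.16.5.7 for a /16 -> /16 mapping).
    """
    acls, statics, _ = parse(config)
    out = []
    for mapped_addr, acl_name in statics:
        for real, dest in acls.get(acl_name, []):
            mapped = ipaddress.ip_network(f"{mapped_addr}/{real.prefixlen}", strict=False)
            out.append((mapped_addr, real, mapped, dest))
    return out


def check(config):
    """Return a list of findings; an empty list means NAT and crypto ACL agree."""
    acls, _, cryptos = parse(config)
    trans = translations(config)
    findings = []
    for mapped_addr, real, mapped, _ in trans:
        if ipaddress.ip_address(mapped_addr) != mapped.network_address:
            findings.append(f"static mapped address {mapped_addr} is not aligned to "
                            f"/{real.prefixlen}; the translated block would be {mapped}")
    for acl_name in cryptos:
        for src, dst in acls.get(acl_name, []):
            if any(src == m and dst == d for _, _, m, d in trans):
                continue  # crypto ACL already describes the translated traffic
            for _, real, mapped, dest in trans:
                if src == real:
                    findings.append(f"crypto ACL {acl_name}: source {src} is the real "
                                    f"subnet; the source must be the mapped {mapped}")
                if dst != dest:
                    findings.append(f"crypto ACL {acl_name}: destination {dst} does not "
                                    f"match the NAT policy destination {dest}")
    return findings


def to_asa83(config, real_name="SITE2-REAL", mapped_name="SITE2-MAPPED",
             dest_name="HQ-SUBNET"):
    """Emit the ASA 8.3+ twice-NAT equivalent (object names are hypothetical)."""
    _, real, mapped, dest = translations(config)[0]
    return [
        f"object network {real_name}", f" subnet {real.network_address} {real.netmask}",
        f"object network {mapped_name}", f" subnet {mapped.network_address} {mapped.netmask}",
        f"object network {dest_name}", f" subnet {dest.network_address} {dest.netmask}",
        f"nat (inside,outside) source static {real_name} {mapped_name} "
        f"destination static {dest_name} {dest_name}",
    ]


if __name__ == "__main__":
    for label, cfg in (("accepted answer", GOOD_CONFIG), ("earlier attempt", BAD_CONFIG)):
        print(f"== {label} ==")
        print("\n".join(check(cfg)) or "OK: crypto ACL matches the translated subnet")
    print("\n".join(to_asa83(GOOD_CONFIG)))
```

The check mirrors the point made in the thread: the NAT ACL is written in terms of the real subnet, while the crypto ACL must be written in terms of the subnet the peer actually sees, and the two have to agree on the destination. The alignment finding is a reminder that a mapped address such as 192.168.150.0 with a /16 real network does not produce a clean one-to-one block, which is why the accepted answer uses a whole /16 (172.16.0.0) as the mapped network.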

ArshdeepDhillon

Thank you Thank you Thank you!

Francesco Molino

You're very welcome

Francesco

ArshdeepDhillon

Hey Francesco,

Even though it's connected, there is no packet exchange.

Thanks

Francesco Molino

OK. Can you provide some logs and a packet capture?

Thanks
Francesco

ArshdeepDhillon

access-list outside_2_cryptomap extended permit ip 

access-list inside_nat_static extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0

static (inside,outside) 10.66.0.0 access-list inside_nat_static

crypto map outside_map 2 match address outside_2_cryptomap

There is nothing in the logs about this, and when I try to capture:

! inside

! Apply ingress capture on the inside interface.
capture asdm_cap_ingress match ip 10.0.0.2 255.255.255.255 192.168.200.254 255.255.255.255
capture asdm_cap_ingress packet-length 1522 buffer 524288
capture asdm_cap_ingress interface inside


! outside

! Apply egress capture on the outside interface.
capture asdm_cap_egress match ip 10.0.0.2 255.255.255.255 192.168.200.254 255.255.255.255
capture asdm_cap_egress packet-length 1522 buffer 524288
capture asdm_cap_egress interface outside

Nothing comes up; it says the buffer is empty.

Thank you very much for your help!

Francesco Molino

I meant, could you do a packet tracer?

From your machine, if you run a ping, can you see the xlate output and logs on the ASA?

Thanks
Francesco

ArshdeepDhillon

Sorry Francesco for the late reply, I was stuck with a different project. So, as the tunnel was set up for a server only in HQ, there was no packet exchange, but as soon as we started pinging from that server it was sending packets but not getting any back. I went back to the ASA and found out that, as it wasn't exchanging packets, I had added a NAT rule which was blocking it. I removed it and it's working now.

Thank you again for your help! I don't have words to appreciate your help

Francesco Molino

Nice that everything works.

You're very welcome

Francesco