Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1311
Views
0
Helpful
14
Replies

VPN Overlapping

Go to solution
ArshdeepDhillon
Level 1
Level 1

‎02-21-2017 06:28 AM

Hi All,

I have to setup VPN Tunnel for 2 remote sites. Both sites have same network.

I have Sonicwall in HQ 192.168.200.1

Remote Site 1 which is working has 10.0.0.0 255.255.0.0

Remote Site 2 not working has 10.0.0.0 255.255.0.0 Cisco ASA 5510.

I dont want to make any changes to site 1 as its already working fine.

How can I get this working?

Any help will be greatly appreciated!

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ArshdeepDhillon

‎02-23-2017 03:47 PM

Let's assume your LAN on the inside sonicwall is  192.168.200.0/24.

You want them to show up at HQ sonicwall with IP within subnet 172.16.0.0/16

The config on the ASA should looks like:

access-list vpn extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list natvpn extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0
static (inside,outside) 172.16.0.0 access-list natvpn

crypto map outside_map 10 match address vpn

On the sonicwall the acl for your crypto map to this site has a destination subnet as 172.16.0.0/16 and not 10.0.0.0/16.

Hope this helps.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
14 Replies 14

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎02-21-2017 05:28 PM

Hi

On your site 2, you have certainly used nat exemption statement.

In this nat statement you can change the mapped address. Add per example, below the command.

nat (inside,outside) source static SITE2-REALIP SITE2-NEWSUBNETMAPPING destination static HO-SUBNET HO-SUBNET

You'll need also to modify your crypto acl with the new nat subnet you'll use.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ArshdeepDhillon
Level 1
Level 1
In response to Francesco Molino

‎02-22-2017 11:40 AM

Hi Francesco,

Thank you for the information.

I tried but this command is not working. I am new to this so sorry for asking so much. Cisco Adaptive Security Appliance Software Version 8.2(5) is 8.2 and I have tried to get this command working but i am not successful so far. If you could please help that will be really appreciated.

When in conf mode i cant do nat (inside,outside) it will say Unrecognized command.

Thank you again!

0 Helpful

Go to solution
ArshdeepDhillon
Level 1
Level 1
In response to Francesco Molino

‎02-22-2017 12:25 PM

I was able to add this command 

access-list NET1 permit ip host 10.0.0.0 destination IP

static (inside,outside) 192.168.150.0 access-list NET1

What will i have to do to crypto acl?

Thanks

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ArshdeepDhillon

‎02-22-2017 02:49 PM

Ok I saw your previous message. Yes commands from 8.2 and post 8.3 are bit different. I would recommend to upgrade if you can.

For your crypto acl, the source subnet should be the one natted and not the original one.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ArshdeepDhillon
Level 1
Level 1
In response to Francesco Molino

‎02-23-2017 08:08 AM

Yes, 

Here is what I have but still not working.

match ip inside host 10.0.0.0 outside 192.168.200.0 255.255.255.0
static translation to 192.168.150.0

access-list outside_2_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 192.168.150.0 255.255.255.0

access-list NET10 extended permit ip host 10.0.0.0 192.168.200.0 255.255.255.0

static (inside,outside) 192.168.150.0 access-list NET10

access-list outside_2_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 192.168.150.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 any.

I really appreciate your help Francesco!

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ArshdeepDhillon

‎02-23-2017 03:47 PM

Let's assume your LAN on the inside sonicwall is  192.168.200.0/24.

You want them to show up at HQ sonicwall with IP within subnet 172.16.0.0/16

The config on the ASA should looks like:

access-list vpn extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list natvpn extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0
static (inside,outside) 172.16.0.0 access-list natvpn

crypto map outside_map 10 match address vpn

On the sonicwall the acl for your crypto map to this site has a destination subnet as 172.16.0.0/16 and not 10.0.0.0/16.

Hope this helps.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ArshdeepDhillon
Level 1
Level 1
In response to Francesco Molino

‎02-27-2017 10:33 AM

Thank you Thank you Thank you!

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ArshdeepDhillon

‎02-27-2017 10:45 AM

You're very welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ArshdeepDhillon
Level 1
Level 1
In response to Francesco Molino

‎02-28-2017 11:46 AM

Hey Francesco,

Even though its connected, there is no packet exchange.

Thanks

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ArshdeepDhillon

‎02-28-2017 05:10 PM

Ok. Can you provide some logs and packet capture? 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ArshdeepDhillon
Level 1
Level 1
In response to Francesco Molino

‎03-01-2017 05:01 PM

access-list outside_2_cryptomap extended permit ip 

access-list inside_nat_static extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0

static (inside,outside) 10.66.0.0 access-list inside_nat_static

crypto map outside_map 2 match address outside_2_cryptomap

There is nothing in logs about this and when i try to capture 

! inside

! Apply ingress capture on the inside interface.
capture asdm_cap_ingress match ip 10.0.0.2 255.255.255.255 192.168.200.254 255.255.255.255
capture asdm_cap_ingress packet-length 1522 buffer 524288
capture asdm_cap_ingress interface inside


! outside

! Apply egress capture on the outside interface.
capture asdm_cap_egress match ip 10.0.0.2 255.255.255.255 192.168.200.254 255.255.255.255
capture asdm_cap_egress packet-length 1522 buffer 524288
capture asdm_cap_egress interface outside

Nothing comes up. it says buffer is empty.

Thank you very much for your help!

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ArshdeepDhillon

‎03-01-2017 05:01 PM

I meant could you do a packet tracer? 

From your machine if you run a ping, can you see the xlate output, logs on asa? 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ArshdeepDhillon
Level 1
Level 1
In response to Francesco Molino

‎03-09-2017 01:56 PM

Sorry Francesco for late reply was stuck with different project. So as tunnel was set for a server only in HQ there was no packet exchange but as soon as we started pinging from that server it was sending packets but not getting. I went back to ASA and found out as it wasnt exchanging packets i added a NAT rule which was blocking it. I removed it and it's working now. 

Thank you again for your help! I dont have words to appreciate your help

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ArshdeepDhillon

‎03-09-2017 06:20 PM

Nice that everything works. 

You're very welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents