VPN tunnel with embedded subnet

I have an ASA 5505 at v8.2. We have been using a tunnel to a PIX in a remote office successfully for years. Originally, the main office was and the remote office was. Recently we needed to expand the subnet at the main office to accommodate more devices, so now the main office is, which of course contains the remote office's subnet. The tunnel is established and I am receiving packets from the remote office, but packets are not being sent there (RX count is high, TX count is 0). I assume that this is a traffic selection problem, but adding a 'route outside {outside gateway ip} 1' does not help. Any suggestions? Here is my config:

: Saved
ASA Version 8.2(1) 
hostname ciscoasa
name Home
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service rww tcp
 description Remote Web Workplace
 port-object eq 4125
object-group service rdp tcp
 description 3396
 port-object range 3394 3399
 port-object range 3385 3390
 port-object range 3392 3394
object-group service Server tcp
 description 987
 group-object rww
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq pptp
 group-object rdp
 port-object eq 444
 port-object eq 446
 port-object range 902 903
 port-object eq 987
 port-object eq imap4
 port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service smtp-26 tcp
 port-object eq 26
object-group service DM_INLINE_UDP_1 udp
 port-object eq snmp
 port-object eq snmptrap
object-group network DM_INLINE_NETWORK_1
 network-object host xx.xx.xx.xx
 network-object host xx.xx.xx.xx
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit gre any any 
access-list outside_access_in_1 extended permit tcp any any object-group Server 
access-list outside_access_in_1 extended permit tcp object-group DM_INLINE_NETWORK_1 any object-group smtp-26 
access-list outside_access_in_1 extended permit gre any any 
access-list outside_access_in_1 extended permit icmp any any 
access-list 100 extended permit ip Home 
access-list outside_cryptomap_20.1_1 extended permit object-group DM_INLINE_PROTOCOL_1 Home 
access-list inside_access_in extended permit udp any any object-group DM_INLINE_UDP_1 
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 Home 
pager lines 24
logging enable
logging timestamp
logging trap informational
logging history informational
logging asdm informational
logging host inside Server
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1
access-group inside_access_in in interface inside control-plane
access-group outside_access_in_1 in interface outside
route outside 1
route inside 1
route outside Home 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 match address outside_cryptomap_20.1_1
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 1 match address outside_cryptomap
crypto map dyn-map 1 set peer {remote office gateway IP} 
crypto map dyn-map 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server
tftp-server inside Terminal /asa120214-2.cfg
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group {remote office external IP} type ipsec-l2l
tunnel-group {remote office external IP} ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
  inspect icmp 
service-policy global_policy global
prompt hostname context 
: end

It's a problem that you have configured overlapping networks in the first place.

The problem probably has to do with the fact that your internal Main Office network thinks the hosts in the range are included in its local network and therefore tries to ARP for the destination addresses' MAC addresses, which fails since the hosts aren't located on the local network.

For the traffic to even get forwarded to the ASA, the ASA would have to use Proxy ARP to reply to those ARP requests.

But to me it seems a better idea to NAT the Remote Office network to some other /24 network before the L2L VPN connection and change the L2L VPN configurations to reflect that change.

You would want to have ONLY this ACL rule in the "crypto map" line using the ACL (you could replace the old ACL with this one):

access-list L2LVPN permit ip

Where the network would be the new NAT network for Remote Site.

Your NAT0 ACL on the Main Site should only contain the following line:

access-list 100 permit ip

On the Remote Site PIX you would need to remove the NAT0 configuration and instead configure Static Policy NAT:

access-list L2LVPN-POLICYNAT permit ip

static (inside,outside) access-list L2LVPN-POLICYNAT

And the L2L VPN "crypto map" ACL would be:

access-list L2LVPN permit ip

Naturally, though, if you need access to the range on the Main Office from the Remote Office, you would need to perform NAT on the Main Office also (as the Remote Office would in that case be connecting to the same network that it has).

As you can see, it can get a bit complex.

Other than this, you might have an easier time changing some local network, perhaps at the Remote Office for example.

- Jouni
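The addressing plan described in the answer, written out end to end as an added example; it is not configuration from the original thread or from either poster. The real subnets are elided on this page, so the example uses hypothetical ones: the main office LAN has grown to 10.1.0.0/16, the remote office's real LAN is 10.1.200.0/24 (now inside that /16), and the remote office is presented to the main office as 10.200.0.0/24, a block that overlaps neither side. The ACL names L2LVPN and L2LVPN-POLICYNAT follow the answer; OLD-NAT0-ACL, VPNMAP and the crypto map sequence number on the PIX are placeholders for whatever the remote config actually uses. Lines starting with "!" are comments.

```cisco
! ==== Main office: ASA 5505, 8.2(1) ====
! Hypothetical addresses (the real ones are elided in the post):
!   local LAN after expansion .... 10.1.0.0/16
!   remote office real LAN ....... 10.1.200.0/24  (inside the /16, hence the overlap)
!   remote office as seen here ... 10.200.0.0/24  (overlaps neither side)
!
! Clear the old crypto ACL and NAT0 ACL entries first; their contents
! are elided in the post, so only the names are taken from it.
clear configure access-list outside_cryptomap
clear configure access-list 100
!
! Crypto ACL: exactly one line, local real net -> remote TRANSLATED net.
access-list L2LVPN extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.255.0
crypto map dyn-map 1 match address L2LVPN
!
! NAT exemption for the same pair. "nat (inside) 0 access-list 100" is
! already in the posted config, so only the body of ACL 100 changes.
access-list 100 extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.255.0
!
! No "route outside 10.200.0.0 ..." is needed: the translated block is not
! covered by the inside connected route, so the default route sends it to
! the outside interface, where the crypto map is applied.

! ==== Remote office: PIX (same pre-8.3 NAT syntax the answer uses) ====
! 1. Remove the old NAT exemption for the tunnel. NAT exemption is evaluated
!    before static policy NAT, so if it stays in place packets keep their
!    real 10.1.200.x source and never match the new crypto ACL.
!    OLD-NAT0-ACL is a placeholder for the ACL name in the PIX config.
no nat (inside) 0 access-list OLD-NAT0-ACL
!
! 2. Static policy NAT: 10.1.200.x -> 10.200.0.x (host octet preserved),
!    applied only when the destination is the main office LAN. The mapped
!    network's mask is taken from the source of the policy ACL.
access-list L2LVPN-POLICYNAT permit ip 10.1.200.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.200.0.0 access-list L2LVPN-POLICYNAT
!
! 3. The crypto ACL describes the packet AFTER translation, mirroring the
!    ASA side. VPNMAP and 10 are placeholders for the PIX crypto map.
access-list L2LVPN permit ip 10.200.0.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map VPNMAP 10 match address L2LVPN
!
! Limitation, as the answer notes: main-office hosts that live in
! 10.1.200.0/24 stay unreachable from the remote office, whose hosts treat
! that range as local. Reaching them needs a second translation on the
! main office side as well.
```

To check the result on the 8.2 ASA, "show crypto ipsec sa" should now show the encaps counter climbing alongside decaps (the TX/RX the question refers to), and "packet-tracer input inside tcp 10.1.0.10 12345 10.200.0.10 3389" should end in the VPN encrypt phase rather than a routing or NAT drop; on the PIX, "show xlate" should list 10.1.200.x to 10.200.0.x translations once traffic flows. Separately from the overlap problem, the posted tunnel negotiates DES with MD5 and DH group 1 on both phases (transform-set myset and isakmp policy 20); the config already defines ESP-AES-256-SHA and ESP-3DES-SHA, so selecting one of those, with a stronger isakmp policy, is worth doing at the same time if the remote PIX supports it.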