Site-to-site VPN with the same LAN address subnet - cannot communicate

Hello

I have a VPN tunnel between Site A and Site B, which both use the same local network.

Site A has an inside LAN of 192.168.0.0/24 and a DMZ of 10.0.0.0/24

Site B has an inside LAN of 192.168.0.0/24

I have set up the VPN so that the Site A DMZ can communicate with the Site B inside network.

The two tunnels are up, but I can't ping the other side and vice versa. Also, when I ping the 192.168.0.0/24 range from the DMZ the ping times out; I guess that's because the ping is sent to Site A's inside network. Also, the DMZ is security level 50 and the inside LAN is security level 0.

Is it possible to make this work?

Thank you

John,

This could be a solution.

If they NAT their network to their outside IP address this will work, but it is a bit different from a regular tunnel.

If they NAT their entire 192.168.0.0/24 network to the outside IP address of the Juniper box, then once that is implemented they will be able to send traffic to and access your network without problem. However, you will not be able to initiate traffic to their side, because their internal network is behind the external IP address. This kind of translation is called PAT.

If you need full two-way communication through the tunnel, you should ask them to translate their network with a one-to-one (static) translation so that they can reach you and you can reach them.

The other solution is to translate their network on your ASA. You can do the following:

static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0

With this line in place, the tunnel configuration stays the same; no change is required. But when you need to access their network you must send the traffic to 192.168.200.0/24, not to the original 192.168.0.0/24 addresses.

So, if you need to reach their 192.168.0.10 from your DMZ host, you should actually access 192.168.200.10.

Why don't you give it a shot and let me know the results?
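The following is an added example, not code from the thread or from Cisco: a small Python model of the packet path the answer above relies on. It models Site A's connected routes, one pre-8.3 style `static (outside,DMZ)` destination translation, and the crypto ACL for the DMZ-to-Site-B tunnel, so you can see why a ping from the DMZ to 192.168.0.10 never leaves Site A (the connected route to inside wins) while a ping to the mapped 192.168.200.10 is un-NATted to 192.168.0.10, sent out the outside interface and matched by the crypto ACL. The interface names, the mapped range, the crypto ACL and the hosts used are assumptions; the model covers only the DMZ-to-outside direction, not the return traffic.

```python
"""Added example: simplified model of the overlapping-subnet NAT fix above.
Not ASA code. Interface names, mapped range, crypto ACL and host addresses
are assumptions; only the DMZ -> outside direction is modelled."""
import ipaddress
from typing import NamedTuple, Optional, Tuple

Net = ipaddress.IPv4Network

# Site A's interfaces (from the question): connected routes beat the default route.
CONNECTED = {
    "inside": Net("192.168.0.0/24"),
    "DMZ": Net("10.0.0.0/24"),
}
DEFAULT_IFC = "outside"


class Static(NamedTuple):
    """static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ... (pre-8.3 syntax)."""
    real_ifc: str
    mapped_ifc: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


# static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0
SITE_B_STATIC = Static("outside", "DMZ", Net("192.168.200.0/24"), Net("192.168.0.0/24"))

# Crypto ACL for the L2L tunnel, written on real addresses (assumed):
# access-list L2L permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
CRYPTO_ACL = (Net("10.0.0.0/24"), Net("192.168.0.0/24"))


def untranslate(dst: ipaddress.IPv4Address, in_ifc: str,
                static: Optional[Static]) -> Tuple[ipaddress.IPv4Address, Optional[str]]:
    """Destination un-NAT: a packet arriving on the mapped interface for a mapped
    address is rewritten to the real address, and the static pins the egress
    interface to the real interface (the NAT rule, not the routing table, decides)."""
    if static and in_ifc == static.mapped_ifc and dst in static.mapped:
        offset = int(dst) - int(static.mapped.network_address)
        return static.real.network_address + offset, static.real_ifc
    return dst, None


def route_lookup(dst: ipaddress.IPv4Address) -> str:
    """Routing reduced to: a connected route, otherwise the default route."""
    for ifc, net in CONNECTED.items():
        if dst in net:
            return ifc
    return DEFAULT_IFC


def forward(src: str, dst: str, in_ifc: str,
            static: Optional[Static] = SITE_B_STATIC) -> Tuple[str, str, bool]:
    """Return (egress interface, destination after un-NAT, encrypted?)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    real_dst, egress = untranslate(d, in_ifc, static)
    if egress is None:
        egress = route_lookup(d)
    # Crypto map ACLs are evaluated on the outside interface, after NAT.
    encrypted = egress == "outside" and s in CRYPTO_ACL[0] and real_dst in CRYPTO_ACL[1]
    return egress, str(real_dst), encrypted


if __name__ == "__main__":
    # The failing ping from the question: the overlap keeps it inside Site A.
    print(forward("10.0.0.5", "192.168.0.10", "DMZ"))          # ('inside', '192.168.0.10', False)
    # The answer's fix: address Site B as 192.168.200.x from the DMZ.
    print(forward("10.0.0.5", "192.168.200.10", "DMZ"))        # ('outside', '192.168.0.10', True)
    # Without the static, 192.168.200.10 just follows the default route in clear.
    print(forward("10.0.0.5", "192.168.200.10", "DMZ", None))  # ('outside', '192.168.200.10', False)
```

The third case is the check worth keeping in mind: if the static is missing or typed on the wrong interface pair, traffic to the mapped range still leaves via the default route, but unencrypted and to an address the ISP will drop, which looks like the same timeout as the original overlap.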

Tags: Cisco Security

Similar Questions

  • Site-to-site and remote-access VPN behind the same public IP address

    Got a rather stupid problem.  We have a site-to-site VPN configured to a new data center, which will handle general traffic.  In addition, some users need to use a VPN client to access certain areas.  The firewall at the office only has one public IP address, so both the site-to-site VPN and the remote-access VPN will come from the same source.

    This seems to be a problem with the legacy Cisco VPN client, because the crypto map matches the site-to-site VPN entry even when they use the VPN client.  Is there a good/simple solution for this?

    In the logs, 198.18.85.23 is the public IP address of the office and tom.jones is the user.  192.168.1.0/24 is the VPN client pool.

    January 7, 2014 19:12:52 ASA5515: %ASA-5-713130: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Received unhandled transaction mode attribute: 5

    January 7, 2014 19:12:52 ASA5515: %ASA-5-737003: IPAA: DHCP not configured, no viable servers found for tunnel-group "Corp-VPN"

    January 7, 2014 19:12:52 ASA5515: %ASA-5-713119: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, PHASE 1 COMPLETED

    January 7, 2014 19:12:52 ASA5515: %ASA-3-713061: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.4/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

    January 7, 2014 19:12:52 ASA5515: %ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, QM FSM error (P2 struct &0x00007fff28dab560, mess id 0x37575f3c)!

    January 7, 2014 19:12:52 ASA5515: %ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Removing peer from correlator table failed, no match!

    January 7, 2014 19:12:52 ASA5515: %ASA-5-713259: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session is being torn down. Reason: crypto map policy not found

    January 7, 2014 19:12:52 ASA5515: %ASA-4-113019: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

    January 7, 2014 19:12:53 ASA5515: %ASA-5-713904: IP = 198.18.85.23, Received encrypted packet with no matching SA, dropping

    Hello

    Don't know if this will work, but you could try the following configuration (in addition to the rest of the VPN configuration):

    access-list VPN-CLIENT permit ip any 192.168.1.0 255.255.255.0

    crypto map OUTSIDE_map 4 match address VPN-CLIENT

    crypto map OUTSIDE_map 4 set peer 198.18.85.23

    crypto map OUTSIDE_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA

    The idea is to have the ACL match the full-tunnel VPN that the client attempts to establish (destination "any" from the client's point of view, which is the source from the ASA's point of view).

    I tested this briefly on my own ASA by connecting from an IP address for which the ASA has an L2L VPN. But as I don't have that L2L VPN operational, I can't really verify the L2L side at the moment. So there may be some risk involved, if you can afford it.

    -Jouni

  • Cannot open a website from users' PCs, but the DC/DNS server in the same subnet can open it

    I'm trying to access a website from all the sales PCs and get an "Internet Explorer cannot display the webpage" error, but when I try it on a domain controller that is also a DNS server in the same subnet, I am able to access it.  When I ping the site I want to access from a client PC I get "Request timed out", but not on the DC/DNS server.  Can someone please help?

    Hello

    I suggest you ask your question at the following link.

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/

    I hope this helps.

  • PIX VPN tunnel to the same subnet

    I have a customer who wants to set up a PIX VPN tunnel between two sites. For some reason, each side has the same subnet number, e.g. 10.10.10.x/32. I'm sure we must run NAT, but is it possible?

    This may help

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

  • If we have 2 remote sites with the same shared storage, can we mount a shared drive on the remote site?

    Dear Experts,

    If we have 2 remote sites with the same shared storage, can we mount a drive on the remote site?

    • Assume the Oracle database is on shared disk (for example HP 3PAR).
    • The primary Oracle server has all the database files on storage used as a common drive (storage shared between sites that are geographically apart).
    • On failure, is it possible to mount the drive at the remote site and mount the Oracle database on it?

    There should be no impact, as it should be the same disk that was dismounted at the master site.

    Thank you and best regards,

    IVW

    Thanks a lot mseberg

    Is it a valid design?

    • We have remote sites and want to set up DR. As we only have spare data there, there is no choice.
    • We are thinking of the SAN replication option.

    Have you ever seen/configured such an architecture or design?

    Can you please throw some light on this? Thanks in advance for your ideas.

    Thank you & best regards,

    IVW

  • Can I access both sites at the same time?

    Does Dreamweaver have the ability to open two websites at the same time?

    Basically I have a CMS that is hosted on one server, which connects to my customers' sites on other servers. I want to be able to open files on one server and change them, and also edit files on a different server at the same time.

    If it is not available in Dreamweaver, then I think it should be. I often need to copy code from a page on one site to another page on a different site. The ability to have two windows open, each connected to a different site's web server, would be valuable to me. By having separate windows, each could have its own connection to its server. I don't know how easy that would be, but I'd like it!

    See you soon

    Glynn

    You can only connect to a single site at a time.  And you need to change the files locally, save, and then upload to the remote server.   As far as I know, no single FTP application can connect to multiple servers at once.  You might be able to do what you want with DW open and an additional third-party FTP client like FileZilla, each connected to a different server.

    Nancy O.

  • Multiple sites using the same instance of CF?

    Hi Gang-
    I have a client who recently upgraded CF Pro to Enterprise and uses it in a relatively simple way as an intranet. They would like me to help configure a second instance for use as a staging server, but I noticed, after they brought it up, that they do not have the Enterprise Manager link in their CF Admin screen.

    Do they need to reinstall CF using the Multiserver installation version to be able to deploy a second instance of CF? Uninstall and reinstall? Ugh...

    Can't they just create a second site under their web server, using a different port, and not worry about the second instance of CF? Best practices aside for a moment, remember, they do not necessarily expect much from this server; it is intended to be a staging server.

    Any ideas on the best and fastest way to handle this?

    Many thanks in advance,
    Rich

    Many questions, many answers. :-)

    Yes, Rich, they would need to install the Multiserver version for you to see the Enterprise Manager option in the CF Admin. But no, they would not need to uninstall the Server deployment (what you have) to add the Multiserver deployment. They can coexist (although it is not something most would do in general).

    The best news for you is that, yes, they can indeed just set up a second site on their web server and also point it at the one Server deployment of CF you have installed. That is, of course, assuming they are running a web server that supports multiple sites. If it's Apache, you're good. If it's Windows, then as long as it is Windows Server 2003 (or 2008 or Vista), you're good too. (Just to be complete, for other readers, XP does not let you run multiple sites at the same time.)

    If during the installation of CF you told it to connect all sites on the web server to CF, you need do nothing more after creating the site. It should immediately be able to run CF pages. If you told it to connect CF to one site, then you will need to run the Web Server Configuration tool again. You can do that manually, even after installation. See the CF Admin and Config docs to learn more about it, as well as about this issue. (I know many like to just run things and hope the interface is clear enough, but as this issue shows, for some things anyone installing CF will be well served by looking at that often-missed collection.)

    Hope that helps, Rich. That is not an RTFM response. :-) Suffice it to say that if you need more than what I said, it's in the manual. Still, I am happy to answer follow-ups if I can.

  • Several PS groups in the same subnet

    Is there something wrong with having two PS Series groups (and, therefore, their members) in the same /24 subnet and the same VLAN?  We have a PS group in one location that we are moving to another site that already has a PS group.  We would like to just take advantage of the networking and VLAN configuration we already have, so I just want to check that it is not a problem to do this.

    Thank you

    Bryan

    Hello Bryan,

    The only limits are the IP addresses available, the switch ports available, and whether the switch can handle the increased load.  Especially if you share SAN and LAN traffic on the same switch.  Also, the link between the switches might need to be increased as well.

    There is nothing inherent in the design to prevent it.   In my lab, I have quite a bit on the same subnet.

    Kind regards

  • AR5007 802.11 b/g WiFi adapter cannot talk to WET11 wireless bridge on the same subnet

    Hello

    My HP Compaq Presario C700 Vista laptop (with an AR5007 802.11 b/g WiFi adapter) and the printer are on the same subnet. The laptop is connected via WiFi to my WRT54G2 router/switch, and the printer is connected to the workgroup switch that connects to the router via the Linksys WET11 wireless bridge.

    The setup worked fine for over a year until about 3 weeks ago, when my Vista laptop stopped seeing any PC in the workgroup, including the printer. However, WAN access is not affected.

    I did the following troubleshooting (in order):

    1. Checked the network settings on the Vista laptop (x.x.x.29) and the printer (x.x.x.201) and all look kosher.    (All my PCs, including the notebook and the printer, have static IPs.)

    2. Checked the router and bridge parameters and all look fine (router - x.x.x.1, bridge - x.x.x.140).

    3. Pinged the printer, the bridge, and other PCs and received "Destination Host Unreachable" or "Request timed out", although all are on the same subnet. Pinging the router is OK.

    4. Removed and re-added the wireless profile and tried to connect again. Same problem, no joy!

    5. Started Vista in Safe Mode with Networking. Again the problem persisted, but at least that eliminated applications as a potential source of the problem.

    6. Power-cycled the router/workgroup switch/bridge. No joy!

    7. Connected other laptops via WiFi to the same router (WRT54G2) and they can ping the other PCs and the printer fine.    This means the problem is limited to my Vista laptop.

    8. Given that the problem is on my Vista laptop and applications are not the source (see #5), the AR5007 802.11b/g wireless NIC driver is probably the culprit, so I downloaded the driver from HP and installed version 7.3.201.25.  The problem persists...  Arhhh!

    Could there be something else that I missed? Can someone please help?

    Thank you

    You are very welcome, John.

    Yes this driver will work fine on Vista Home Premium.

    According to the notes on the driver, it can just be run without uninstalling the current driver you have on there now.

    After running it, you can confirm it 'took' by going into Device Manager, expanding Network Adapters, clicking the Atheros wireless card, clicking the Driver tab, and you should see the installed version 2011.

  • How to determine if 2 IPs are on the same subnet

    Hi all!

    I have a client/server connection over a network, and I want to determine if they are part of the same subnet.

    The server is installed on a cFP-2220, so I can't use any of the System Exec commands to access the network settings.

    So far my code simply determines if the client and server are both on the local host.

    Please see attachment!

    Concerning

    Paul

    Hello!

    Thanks for the reply.

    After a Google search, I think this is the right way to do it: (Ref)

    (A & M) XOR (B & M) = 0

    Thank you to direct me in the right direction!

    Kind regards

    Paul

  • "Not the same subnet mask" error - WRT54GL

    Hello

    I recently bought a WRT54GL router and tried to configure it with the data from my ISP.

    I entered this data on my Windows system as well as on my older router and it worked fine.

    It is:

    IP: 213.211.57.xx

    Subnet mask: 255.255.255.0

    Gateway: 213.211.56.1

    However, I get the error "not the same subnet mask" described here.

    If I run "ipconfig /all" on the machine that can connect to the net, I don't get any additional useful info beyond what I described here (it is also in Czech :-)

    And there is no obvious conclusion in this forum thread.

    Any suggestions?

    Kind regards

    Matej

    OK, so I've solved this by changing the gateway and it works now.

    Interesting that Windows was able to deal with it, but...
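As an added example serving both the cFP question above (the (A & M) XOR (B & M) test) and this WRT54GL thread, here is the same-subnet check done with plain integer arithmetic, so it needs no OS tools, followed by the check a router applies to static WAN settings: the gateway must be a host in the same subnet as the interface address. This is not code from either thread; the host addresses are constructed (the thread masked the last octet as "xx"), and `check_wan_settings` is an assumed reconstruction of the router's test, not Linksys firmware.

```python
"""Added example (not from either thread): same-subnet test via
(A & M) XOR (B & M) == 0, plus the WAN gateway check a router performs.
Host addresses are constructed; the router logic is an assumption."""
from typing import Tuple


def dotted_to_int(addr: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {addr!r}")
    value = 0
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad IPv4 address: {addr!r}")
        value = (value << 8) | int(p)
    return value


def mask_to_int(mask: str) -> int:
    """Accept '255.255.254.0' or a prefix length such as '23'; require a contiguous mask."""
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length: {mask!r}")
        m = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    else:
        m = dotted_to_int(mask)
    # A valid mask is a run of ones followed by zeros, so its inverse is 2^k - 1.
    inv = (~m) & 0xFFFFFFFF
    if inv & (inv + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    return m


def same_subnet(a: str, b: str, mask: str) -> bool:
    """(A & M) XOR (B & M) == 0  <=>  A and B share the network part under mask M."""
    m = mask_to_int(mask)
    return ((dotted_to_int(a) & m) ^ (dotted_to_int(b) & m)) == 0


def check_wan_settings(ip: str, mask: str, gateway: str) -> Tuple[bool, str]:
    """Assumed router check for static WAN settings: the gateway has to be
    a different host inside the subnet formed by ip/mask."""
    if not same_subnet(ip, gateway, mask):
        return False, "gateway is not on the same subnet as the IP address"
    if dotted_to_int(gateway) == dotted_to_int(ip):
        return False, "gateway cannot be the interface address itself"
    return True, "ok"


if __name__ == "__main__":
    print(same_subnet("192.168.1.10", "192.168.1.200", "255.255.255.0"))  # True
    print(same_subnet("192.168.1.10", "192.168.2.10", "24"))             # False
    # The WRT54GL case: 213.211.57.x with a /24 and gateway 213.211.56.1 fails;
    # the same addresses with a /23 pass, which is why Windows was happy to
    # use a gateway it could only reach because it was on the same wire.
    print(check_wan_settings("213.211.57.20", "255.255.255.0", "213.211.56.1"))
    print(check_wan_settings("213.211.57.20", "255.255.254.0", "213.211.56.1"))
```

The contiguity check in `mask_to_int` is the part worth keeping: a mask such as 255.255.0.255 passes a naive AND/XOR test but is not a valid prefix, and rejecting it early is cheaper than debugging the routing it produces.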

  • Public static IP on the same subnet on both the Internet and local sides

    I need to configure my little box with a static IP on the same subnet on the router/Internet side and the local side, but it does not work.

    It will let me use DHCP on the router/Internet side and then statically assign an IP address from the same subnet on the local side, but then it does not pass DHCP queries on to my DHCP server.

    suggestions?

    Yes. Configure the WRT with a LAN IP address inside your main LAN. Disable the DHCP server on the WRT. Then wire a LAN port on the WRT to your main LAN. Do not use the Internet port on the WRT.

  • EQL: different groups on the same subnet

    Hello

    Quick question...

    We have four PS6000s in one storage group on an iSCSI network, 192.168.0.0/24. We have now bought two PS6100XVs and are thinking about maybe creating another storage group for the new EQL boxes. The reason is a future upgrade to 10 GbE on the new group.

    The question is, if we create a new group for the PS6100XVs, is it necessary to have a new iSCSI LAN with a different IP subnet, or can we use the same 192.168.0.0/24 subnet the PS6000s are on?

    You can stay on the same subnet.   Your switch is the limiting factor.

  • Directly connected to the same subnet - still get 2 hops?

    I changed the IP addresses in this example from public to private ones

    | Provider's switch IP: 192.168.0.162/29 | ------ | Dell 6248 IP: 192.168.0.164/29 | ------ | Halon SX 200 IP: 192.168.0.166/29 |

    A traceroute from the Halon router to IP 192.168.0.163 says:

    1 192.168.0.164

    2 192.168.0.163

    Shouldn't it go directly to 192.168.0.163 in 1 hop? Am I missing something here?

    I've set up a quagga router and two HP ProCurve 2626 switches and could not reproduce the problem.

    Does anyone know if I'm missing something? In theory I should be able to reach an IP address on the same subnet in 1 hop, right? Feels like the Dell switch is doing unnecessary routing...


  • PIX 7 - several remote VPN sessions from the same public IP address

    Hello

    Here's my problem:

    Employee A and employee B make VPN connections to the same PIX with their Cisco VPN clients. The two employees are behind the same NAT device, so they have the same public IP address.

    As soon as the second employee initiates the VPN connection, the first employee is disconnected.

    I have a similar situation with a PIX 6.x and it does not happen there. Two employees can connect at the same time with the same credentials.

    Here is the remote-access VPN configuration I use:

    group-policy gpolicy attributes
     dhcp-network-scope 10.X.X.X
     vpn-simultaneous-logins 5
     vpn-tunnel-protocol IPSec
     ipsec-udp enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value splitTunnelAcl
     user-authentication enable
     client-firewall none
    username remoteuser password remotepass
    username remoteuser attributes
     vpn-group-policy labtronix
     vpn-simultaneous-logins 2
     vpn-tunnel-protocol IPSec
     group-lock value vpngroup
    tunnel-group vpngroup type ipsec-ra
    tunnel-group vpngroup general-attributes
     address-pool ip_pool
     default-group-policy gpolicy

    Any contribution is appreciated.

    Thank you.

    Most likely a NAT-T problem

    Add "isakmp nat-traversal" on the PIX
