W/overlapping VPNs

I'll be setting up a VPN site to site between 2 sites. Site A is local and site B is remote. Site B is another company that will run software on a server at the Site. I don't have access to some of the equipment at site B.

Here's the question... Site B has several VPN tunnels with other clients of thiers. One of their existing tunnels is already configured with the same subent as Site A. Thus, they cannot use the same subnet for our VPN configuration. The Site a subnet is 192.168.11.0/24 and cannot be changed due to some equipment that is coded with the IP information hard. For example, Site B wants to use 10.133.6.0/32. I need to translate the 10.133.6.0/32 at my local so that traffic can pass through the VPN. In the end, the server is the only thing that you have to cross the tunnel. It's IP is 192.168.11.55.

I have a Cisco ASA 5505 and I use the ASDM to configure the tunnel.

Any help would be appreciated.

Thank you

Mike

Hello Mike,.

OK, so here's what you'll need:

access-list some allow ip 192.168.11.0 255.255.255.0 site_b_subnet 255.255.255.0

NAT (inside) 11-list of access regardless

Global (inside) 11 10.133.6.0 255.255.255.0

Now on the ACL crypto for VPN traffic between site A and B

VPN_whatever ip 10.133.6.0 access list allow 255.255.255.0 site_b_subnet 255.255.255.0

That's all you need on the site! On site B all you have to do is to configure the ACL crypto with the

10.133.6.0 subnet of.

access-list allowed VPN_whatever site_b_subnet ip 255.255.255.0 10.133.6.0 255.255.255.0

That's all!

Let me know if you have any questions,

Note all useful posts

Julio

Safety engineer

Tags: Cisco Security

Similar Questions

  • VPN does not work with the ip address of overlap?

    When I plugged my adsl router and I have ip address is 10.1.1.1/8 can I use remote access vpn closing on firewall and authentication works very well and I put the ip address of the pool is 10.7.0.1/16 but I can not access this local lan if I made up of my pc and got 2x2.102.x.y ip address then I connected I can't access no problem local network and vpn remote access authentication.

    It is question of routing on pc with overlapping ip or not?

    Please clarify or provide useful link

    Thank you

    Hello

    It seems that it is a problem of nat - t.

    Make sure that the head of VPN network has "isakmp nat - t" (if that's a PIX). If a hub, make sure that "IPsec NAt - T" is enabled.

    Additionally, make sure that on the client, "Enable Transparent tunneling" is checked, with IPSec over UDP NAT/PAT selected.

    HTH,

    -Kanishka

  • NAT overlapping with remote VPN access

    Hi all

    My client has an ASA 5510 at the main location. We're shooting for their remote access VPN SSL needs. 30 or so remote users.

    The problem is that the main site has a number of network 192.168.1.0/24. The number of Linksys routers bought on shelf at any store of default.

    Obviously, by default, it does not work. When users connect to the VPN from home, it connects but network resources are not available.

    I read about overlapping NAT with tunnels of site to another, but that all remote access? Is it possible as well?

    Any help to point me in the right direction would be much appreciated.

    Thank you!

    Look at the PIX / ASA 7.x and later: VPN Site to Site (L2L) with the example of setting up IPsec policy NAT (overlapping of private networks) for more information

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • Several tunnels to Datacenter VPN with overlapping networks

    Hello guys,.

    We are starting to host applications for customers who need trusts (maybe?) Windows and full access to a class C subnet in our IP data center.

    My problem is most of our customers are small MOM and pop stores IPed to 192.168.1.x. I intend to install my own Cisco ASA in each of these sites and create a VPN to the data center to access the application. The last 2 sites I've done, I have re-IPed network to a mine plan. I start to run in many customers that we simply host the app for and I can't really make them Re - IP network if they do not want.

    My question is what are my options here? I guess some kind of NAT, but I don't really know how it works. With a Windows trust communication must be 2 tracks. If we did not trust, I could see this work without problem with a simple NAT right? Firewall guy would you NAT on? The remote end or Data Center?

    Any help and advice is appreciated.

    I'm a complete network of Cisco, ASAs, catalysts, routers, etc...

    Hi Billy,

    Basically, for the overlap of networks, you will run natting on both sites for interesting traffic.
    If you have networks that overlap, you can follow this link if you use Cisco ASA and this link for Cisco routers as a VPN endpoint devices.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • VPN router to router with overlapping of internal networks

    Hello Experts,

    A small question. How to configure a VPN router to router with overlap in internal networks?

    Two of my internal networks have ip address 192.168.10.0 and 192.168.10.0

    No link or config will be appreciated. I searched but no luck.

    Thank you

    Randall

    Randall,

    Please see the below URL for the configuration details:

    Configure an IPSec Tunnel between routers with duplicate LAN subnets

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

    Let me know if it helps.

    Kind regards

    Arul

    * Please note all useful messages *.

  • VPN from Site to Site subnets overlap

    Hello everyone,

    I have little of ASA with Site to Site tunnels for 1 Hub Site.

    All sites through the tunnel to all traffic to the Hub ASA. (0.0.0.0/0)

    Internet access is provided via the Hub of ASA.

    Now, I need to create VPN site from each location to a different Hub ASA 10.10.0.0/16 destined.

    During the creation of the tunnel, I get the error of overlapping subnets via the previous tunnel (0.0.0.0/0).

    How can I possibly have 2 tunnels?

    A 0.0.0.0/0 - Interesting traffic tunnel-

    B - Interesting traffic - 10.10.0.0/16-tunnel

    Thanks in advance!

    Hello

    I'm not 100% sure about from this that I have not been tested or had to do a similar before mounting.

    But you can try several things

    • Add an ACL statement at the TOP of the existing VPN L2L as a Deny statement. The ASA will give an error/warning message after that.

      • access-list deny ip 10.10.0.0 255.255.0.0
    • Configure the specific highest order number in the "crypto map" configurations and see if that helps

      • 10 set peer crypto card
      • map 1 set crypto peer

    You can naturally use 'packet - trace' and other commands of diagnosis to confirm that the current VPN L2L does not account the destination network 10.10.0.0/16

    Hope this helps

    -Jouni

  • VPN overlapping NAT

    Here is my config complete.

    Here are a few notes

    IP, obtained from the VPN 10.250.128.X

    LAN IP 192.168.0.0/24

    My atm VPN works #1 for those who don't

    What I want to do is Nat my VPN for this

    Example I want to access the computer 192.168.0.2 on the LAN of the company

    I want to hit the PC (which is connected to the VPN) 192.168.200.2 and Cisco will convert 192.168.200.2 to 192.168.0.2 to be able to access my PC at work

    Of course, I think about being able to do the other side also. (192.168.0.2 to 192.168.200.2 to be able to send the package back (not sure on this)

    Can guys, help me, it's the ATM out of my knowledge and I

    ASA Version 8.2 (1)

    !

    Terminal width 250

    hostname hostname

    turn on d0/xPtlKePBzdYTe of encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.0.254 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 10.0.128.1 255.255.255.0

    !

    interface Ethernet0/0

    switchport access vlan 2

    10 speed

    full duplex

    !

    interface Ethernet0/1

    10 speed

    full duplex

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    boot system Disk0: / asa821 - k8.bin

    passive FTP mode

    grp_outside_in tcp service object-group

    Description Ports require for internal transfer

    EQ smtp port object

    EQ port ssh object

    access list inside-out extended ip allowed any one

    access list inside-out extended permit icmp any one

    permit no_nat to access extended list ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0

    list access tunnel extended split ip 192.168.0.0 allow 255.255.20.0 10.250.128.0 255.255.255.0

    access-list extended 100 permit ip 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0

    access-list extended 100 permit icmp 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0

    access list 101 scope ip allow a whole

    access-list 101 extended allow icmp a whole

    pager lines 34

    Enable logging

    timestamp of the record

    debug logging in buffered memory

    recording of debug trap

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    IP local pool mobilepool 10.250.128.100 - 10.250.128.130 mask 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 621.bin

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access no_nat

    NAT (inside) 1 0.0.0.0 0.0.0.0

    NAT (outside) 1 0.0.0.0 0.0.0.0

    Route outside 0.0.0.0 0.0.0.0 10.0.128.2 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    the ssh LOCAL console AAA authentication

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    http 192.168.0.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-3des esp-md5-hmac floating

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto-map dynamic dyn1 1 set transform-set floating

    Crypto-map dynamic dyn1 1jeu reverse-road

    mobilemap 1 card crypto ipsec-isakmp dynamic dyn1

    mobilemap interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 192.168.0.0 255.255.255.0 inside

    SSH 10.0.128.0 255.255.255.0 inside

    SSH timeout 5

    SSH version 2

    Console timeout 0

    dhcpd outside auto_config

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal vpn group policy

    attributes of vpn group policy

    VPN - 50 simultaneous connections

    VPN-idle-timeout 2000

    VPN-session-timeout 2000

    internal mobile_policy group policy

    attributes of the strategy of group mobile_policy

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value

    admin N2TJh8TeuGc7EOVu encrypted privilege 15 password username

    user1 gLGaPhl70GqS8DhN encrypted password username

    password encrypted user user2 Y7.fXmPk3FvKUGOO name

    type tunnel-group mobilegroup remote access

    tunnel-group mobilegroup General-attributes

    address mobilepool pool

    Group Policy - by default-mobile_policy

    mobilegroup group of tunnel ipsec-attributes

    pre-shared-key *.

    !

    Global class-card class

    match default-inspection-traffic

    inspection of the class-map

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:012d58f20bdf997d1e7b6927431e0015

    : end

    Hi Mr. Gyslain,

    So, if I understand, you want the following things

    • Local NAT LAN 192.168.0.0/24 to 192.168.200.0/24 for VPN Client users to their local network does not overlap with your local network while they are connected

    To my knowledge, you should be able to handle this with the following changes to your configurations

    • Configure policy NAT
    • Changes to the rules of Tunnel from Split
    • Remove the existing NAT0 rule

    Here are some example configurations I think that need to manage the situation. Of course make sure you have the old configuration at hand if you need to return to the old

    Remove the NAT0 rule

    • no nat (inside) 0-list of access no_nat
    • No no_nat access ip 192.168.0.0 scope list allow 255.255.0.0 10.250.128.0 255.255.255.0

    By removing the above configuration, we want to avoid LAN projection with its originating IP address to the user from the VPN Client.

    Creating policy NAT

    • access list permit VPN-CLIENT-POLICY-NAT ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
    • public static 192.168.200.0 (inside, outside) - list of access VPN-CLIENT-POLICY-NAT netmask 255.255.255.0

    With the above configuration, we mean the ASA NAT your local 192.168.200.0/24 LAN 192.168.0.0/24 WHEN connections are established at network 10.250.128.0/24 destination which is the pool of the VPN Client. This natutally works in two ways. Also note that if your host LAN IP address is, for example, 192.168.0.100, there a 192.168.200.100 NAT address.

    Change the VPN Client Split tunnel

    • standard of TUNNEL VPN-SPLIT-access list permits 192.168.200.0 255.255.255.0
    • attributes of the strategy of group mobile_policy
      • Split-tunnel-network-list value TUNNEL VPN-SPLIT

    The above configuration is intended to change your configurations of client VPN Split Tunnel ACL to a Standard ACL that indicates which networks to send to the VPN to your customer. In this case, it would be the new teeth of politics of 192.168.200.0/24 network. After configuring the ACL you naturally set it up under the VPN settings.

    I don't know if you have split tunnel configured at all because the configuration does not appear the ACL name at least. I know that you can at least have the "tunnelspecified" configuration line without specifying the actual ACL but do not know if what follows is a copy/paste problem or typo that should work with complete tunnel also.

    With the above configuration, to my knowledge, everything should work.

    -Jouni

    EDIT: Some typos

    Edit2: Name group policy was wrong

  • VPN client with overlapping of private networks?

    I have a new client who needs to send us data occasionally, we normally install the Cisco VPN Client on their PC, but this client has the same private network, we.

    I know, but it could be done with policy NAT on my 5510 ASA with a VPN site-to site, the customer does not want to change the address or network hardware. They have router cable with no VPN option, and they are unwilling to spend more money on this project.

    Can this work if there is no overlapping of IP addresses?

    Your ACL SHEEP overlaps the static NAT and SHEEP has priority over the static NAT strategy strategy, why it does not work.

    Please kindly remove the following:

    access-list extended sheep allowed ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

  • LAN-to-LAN IPsec VPN with overlapping networks problem

    I am trying to connect to two networks operlapping via IPsec. I already have google and read

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

    Details:

    Site_A use ASA 5510 with software version 8.0 (4) 32. Site_A use 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to ASA (like vlan10), 10.100.1.0/24 and 10.100.2.0/24 are routed.

    Site_B use Linux box and networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (mainly 10.100.x.0/24). I have not implemented this ASA, we took over this infrastructure without other documentation whatsoever.

    According to the above link I should use double NAT. Site_B will see the Site_A as 10.26.0.0/22 networks, and Site_A see networks in Site_B as 10.25.0.0/24. Site_A is allowed access only 10.100.1.0/24 in the Site_B, and Site_B is allowed access to all the networks of the Site_A 10.100.x.0/24 - so / 22 10.26.0.0/22 mask. I would like, for example, ssh to host in the Site_B to host the Site_A using 10.26.1.222 as the destination ip address (and it should be translated in 10.100.1.222 on the side Site_A). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only a part of the network address leave the intact host Party. Anyway, following the steps from the link displayed above everything is ok until the command:

    static (companyname, outside) 10.26.0.0 access list fake_nat_outbound

    which translates into:

    WARNING: address real conflict with existing static

    TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255

    WARNING: address real conflict with existing static

    TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255

    WARNING: address real conflict with existing static

    TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255

    WARNING: address real conflict with existing static

    TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255

    WARNING: address real conflict with existing static

    TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255

    WARNING: address real conflict with existing static

    TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255

    Those are redirects to port on Site_A used for mail, webmail, etc. What should I do to keep the redirects from the Internet to companyname vlan and at the same time to have work l2l ipsec tunnel linking networks that overlap?

    Thank you in advance for any help or advice.

    The ASA config snippet below:

    !

    ASA 4,0000 Version 32

    !

    no names

    name 10.25.0.0 siteB-fake-network description fake NAT network to avoid an overlap of intellectual property

    name 10.26.0.0 description of siteA-fake-network NAT fake network to avoid an overlap of intellectual property

    !

    interface Ethernet0/0

    Shutdown

    nameif inside

    security-level 100

    IP 10.200.32.254 255.255.255.0

    !

    interface Ethernet0/1

    nameif outside

    security-level 0

    IP address x.x.x.178 255.255.255.248

    !

    interface Ethernet0/2

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/2.10

    VLAN 10

    nameif companyname

    security-level 100

    IP 10.100.0.254 255.255.255.0

    !

    interface Ethernet0/2.20

    VLAN 20

    nameif wifi

    security-level 100

    the IP 10.0.0.1 255.255.255.240

    !

    interface Ethernet0/2.30

    VLAN 30

    nameif dmz

    security-level 50

    IP 10.0.30.1 255.255.255.248

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 10.100.100.1 255.255.255.0

    management only

    !

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    Group of objects in the inside network

    object-network 10.100.0.0 255.255.255.0

    object-network 10.100.1.0 255.255.255.0

    object-network 10.100.2.0 255.255.255.0

    DM_INLINE_TCP_1 tcp service object-group

    port-object eq 2221

    port-object eq 2222

    port-object eq 2223

    port-object eq 2224

    port-object eq 2846

    DM_INLINE_TCP_5 tcp service object-group

    port-object eq ftp

    port-object eq ftp - data

    port-object eq www

    EQ object of the https port

    object-group service DM_INLINE_SERVICE_1

    the eq field tcp service object

    the eq field udp service object

    DM_INLINE_TCP_6 tcp service object-group

    port-object eq 2221

    port-object eq 2222

    port-object eq 2223

    port-object eq 2224

    port-object eq 2846

    the DM_INLINE_NETWORK_1 object-group network

    object-network 10.100.0.0 255.255.255.0

    object-network 10.100.2.0 255.255.255.0

    standard access list securevpn_splitTunnelAcl allow 10.100.0.0 255.255.255.0

    outside_access_in list extended access permit tcp any host x.x.x.178 eq 50000

    outside_access_in list extended access permit tcp any host x.x.x.178 eq smtp

    outside_access_in list extended access permit tcp any host x.x.x.178 eq https

    outside_access_in list extended access permit tcp any host x.x.x.179 DM_INLINE_TCP_1 object-group

    outside_access_in list extended access permit tcp any host x.x.x.181 eq ftp

    outside_access_in list extended access permit tcp any host x.x.x.181 eq ftp - data

    outside_access_in list extended access permit tcp host 205.158.110.63 eq x.x.x.180 idle ssh

    access extensive list ip 10.100.0.0 inside_access_in allow 255.255.255.0 10.100.1.0 255.255.255.0

    inside_access_in list extended access allowed ip-group of objects to the inside network 10.100.99.0 255.255.255.0

    inside_access_in list extended access allowed ip-group of objects to the inside network 10.0.30.0 255.255.255.248

    inside_access_in list extended access permit tcp host 10.100.0.6 any eq smtp

    inside_access_in list extended access permitted tcp object-group network inside any eq www

    inside_access_in list extended access permitted tcp object-group network inside any https eq

    inside_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any eq ftp - data

    inside_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any ftp eq

    inside_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 9999

    inside_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 3389

    inside_access_in list extended access allowed object-group network inside udp any eq field

    companyname_access_in list extended access allowed ip-group of objects to the inside network 10.100.1.0 255.255.255.0

    companyname_access_in list extended access allowed ip-group of objects to the inside network 10.100.99.0 255.255.255.0

    companyname_access_in list extended access allowed ip-group of objects to the inside network 10.0.30.0 255.255.255.248

    companyname_access_in list extended access permit tcp host 10.100.0.6 any eq smtp

    companyname_access_in list extended access permitted tcp object-group network inside any eq www

    companyname_access_in list extended access permitted tcp object-group network inside any https eq

    companyname_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any eq ftp - data

    companyname_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any ftp eq

    companyname_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 9999

    companyname_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 3389

    companyname_access_in list extended access allowed object-group network inside udp any eq field

    wifi_access_in list extended access permitted tcp 10.0.0.0 255.255.255.240 host 10.100.0.40 eq 2001

    access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0

    access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.0.0.0 255.255.255.240

    access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.0.30.0 255.255.255.248

    access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.100.2.0 255.255.255.0

    access extensive list ip 10.100.2.0 companyname_nat0_outbound allow 255.255.255.0 10.0.30.0 255.255.255.248

    access extensive list ip 10.100.1.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0

    access extensive list ip 10.100.2.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0

    wifi_nat0_outbound to access ip 10.0.0.0 scope list allow 255.255.255.240 10.100.0.0 255.255.255.0

    dmz_access_in list extended access permitted tcp 10.0.30.0 255.255.255.248 any DM_INLINE_TCP_5 object-group

    dmz_access_in list extended access permitted tcp 10.0.30.0 255.255.255.248 host 10.100.0.2 object-group DM_INLINE_TCP_6

    dmz_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 10.0.30.0 255.255.255.248 object-group DM_INLINE_NETWORK_1

    dmz_access_in list extended access deny ip 10.0.30.0 255.255.255.248 all

    access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.0.0 255.255.255.0

    access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.99.0 255.255.255.0

    access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.2.0 255.255.255.0

    outside_1_cryptomap to access extended list ip 10.26.0.0 allow 255.255.252.0 10.25.0.0 255.255.255.0

    access extensive list ip 10.100.0.0 fake_nat_outbound allow 255.255.252.0 10.25.0.0 255.255.255.0

    IP local pool clientVPNpool 10.100.99.101 - 10.100.99.199 mask 255.255.255.0

    IP verify reverse path inside interface

    IP verify reverse path to the outside interface

    IP audit name IPS attack action alarm down reset

    IP audit name IPS - inf info action alarm

    interface verification IP outside of the IPS - inf

    verification of IP outside the SPI interface

    NAT-control

    Global (inside) 91 10.100.0.2

    Global (inside) 92 10.100.0.4

    Global (inside) 90 10.100.0.3 netmask 255.255.255.0

    Global interface 10 (external)

    Global x.x.x.179 91 (outside)

    Global x.x.x.181 92 (outside)

    Global (outside) 90 x.x.x.180 netmask 255.0.0.0

    interface of global (companyname) 10

    Global interface (dmz) 20

    NAT (outside) 10 10.100.99.0 255.255.255.0

    NAT (companyname) 0-list of access companyname_nat0_outbound

    NAT (companyname) 10 10.100.0.0 255.255.255.0

    NAT (companyname) 10 10.100.1.0 255.255.255.0

    NAT (companyname) 10 10.100.2.0 255.255.255.0

    wifi_nat0_outbound (wifi) NAT 0 access list

    NAT (dmz) 0-list of access dmz_nat0_outbound

    NAT (dmz) 10 10.0.30.0 255.255.255.248

    static (companyname, outside) tcp https 10.100.0.6 https interface subnet 255.255.255.255 mask

    static (companyname, outside) tcp interface smtp 10.100.0.20 smtp netmask 255.255.255.255

    static (companyname, outside) interface 50000 10.100.0.128 TCP 3389 netmask 255.255.255.255

    static (companyname, external) x.x.x.181 2001 10.100.0.26 TCP 3389 netmask 255.255.255.255

    static (companyname, external) x.x.x.181 2002 10.100.0.27 TCP 3389 netmask 255.255.255.255

    static (companyname, outside) interface 2003 10.100.0.28 TCP 3389 netmask 255.255.255.255

    static (dmz, outside) tcp x.x.x.181 ftp 10.0.30.2 ftp netmask 255.255.255.255

    static (companyname, companyname) 10.100.1.0 10.100.1.0 netmask 255.255.255.0

    static (companyname, companyname) 10.100.2.0 10.100.2.0 netmask 255.255.255.0

    inside_access_in access to the interface inside group

    Access-group outside_access_in in interface outside

    Access-group companyname_access_in in interface companyname

    Access-group wifi_access_in in wifi interface

    Access-group dmz_access_in in dmz interface

    Route outside 0.0.0.0 0.0.0.0 x.x.x.177 1

    Companyname route 10.0.1.0 255.255.255.0 10.100.0.1 1

    Companyname route 10.100.1.0 255.255.255.0 10.100.0.1 1

    Companyname route 10.100.2.0 255.255.255.0 10.100.0.1 1

    dynamic-access-policy-registration DfltAccessPolicy

    !

    Crypto-map dynamic outside_dyn_map 20 set pfs

    Crypto-map dynamic outside_dyn_map 20 the transform-set ESP - 3DES - SHA TRANS_ESP_3DES_MD5 value

    life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

    Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

    PFS set 40 crypto dynamic-map outside_dyn_map

    Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA

    life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

    Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

    cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs Group1

    outside_map 1 counterpart set a.b.c.1 crypto card

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    !

    internal DefaultRAGroup group strategy

    attributes of Group Policy DefaultRAGroup

    value of server WINS 10.100.0.3

    value of server DNS 10.100.0.3

    nom_societe.com value by default-field

    internal DefaultRAGroup_1 group strategy

    attributes of Group Policy DefaultRAGroup_1

    value of server DNS 10.100.0.3

    Protocol-tunnel-VPN l2tp ipsec

    internal group securevpn strategy

    securevpn group policy attributes

    value of server WINS 10.100.0.3 10.100.0.2

    value of 10.100.0.3 DNS server 10.100.0.2

    VPN-idle-timeout 30

    Protocol-tunnel-VPN IPSec

    nom_societe.com value by default-field

    attributes global-tunnel-group DefaultRAGroup

    address clientVPNpool pool

    authentication-server-group COMPANYNAME_AD

    Group Policy - by default-DefaultRAGroup_1

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key *.

    tunnel-group securevpn type remote access

    tunnel-group securevpn General attributes

    address clientVPNpool pool

    authentication-server-group COMPANYNAME_AD

    Group Policy - by default-securevpn

    tunnel-group securevpn ipsec-attributes

    pre-shared-key *.

    tunnel-group securevpn ppp-attributes

    ms-chap-v2 authentication

    tunnel-group a.b.c.1 type ipsec-l2l

    a.b.c.1 group tunnel ipsec-attributes

    pre-shared-key *.

    Are you sure that static-config does not make to the running configuration?

    By applying this 'static big' you're essentially trying to redirect the ports, which have already been transmitted by the rules in your existing configuration. This explains the caveat: what you are trying to do has some overlap with existing static.

    (Sorry for the use of the transmission of the word, but this behavior makes more sense if you look at it like this; although "port forwarding" is not Cisco-terminology.)

    But... whenever I stumbled upon this question, the warning was exactly that: a WARNING, not an ERROR. And everything works as I want it to work: the specific static in my current config simply have priority over static grand.

    If you would like to try to do the other opposite you would get an error (first static major, then try to apply more specific) and the config is not applied.

    So could you tell me the config is really not accepted?

  • IP overlapping between VPN remote access and within the interface

    Hi all

    I tried to replace an ASA and configured vpn for remote access using cisco VPN client.

    Remote access users are not able to access within the network, but have no problem accessing the network through a VPN site-to site.

    One thing to note is that remote access VPN users are assigned an ip address of 10.X.3.1 - 10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0.

    Remote access users will have no problem to access within the network if the pool of the vpn client is changed to 192.168.1.1 to 192.168.1.100.

    ASA errors

    6 January 7, 2012 16:25:08 302013 10.X.3.1 27724 3389 10.X.1.66 built of TCP connections incoming 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) at inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)

    6 January 7, 2012 16:25:08 106015 10.X.1.66 3389 10.X.3.1 27724 Deny TCP 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on dmz interface (no link)

    I understand that the overlap between access ip address range remote vpn network interface network and inside will cause routing problems, but why the syn - ack makes its appearance in the DMZ interface? The interface of the DMZ is on ip address 172.16.Y.1 255.255.255.0.

    I intend to reduce the interface 10.X.0.0 255.255.254.0 inside if it is in fact a routing problem due to the IP address that overlap, but I understand why the syn - ack comes from the dmz interface and the diagnosis of the problem is correct. I check with the customer and was informed that the existing design works on an another ASA with no such problems.

    I agree what you said and also tried, but it does not work.

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap

    Solution, that you already know

    Solution

    Always ensure that the IP addresses in the pool should be assigned to VPN, network clients internal head unit and the internal network to the VPN Client must be in different networks. You can assign the same major network with different subnets, but sometimes the routing problems.

    Thank you

    Ajay

  • NAT on 8.3 and VPN tunnel with overlapping addresses

    Hi all

    I was looking at this document from Cisco and I think I understand how to convert the nat policy than the version 8.3 and later, but I was wondering what is happening to the acl crypto, you are always using the same as the older versions? As you know the 8.3 then NAT requires to use the original instead of the address translated to the ACL, but I don't know if this applies to crypto ACL as well. Pointers?

    Example from the link:

     access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 !--- This access list (new) is used with the crypto map (outside_map) !--- in order to determine which traffic should be encrypted !--- and sent across the tunnel. access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 !--- The policy-nat ACL is used with the static !--- command in order to match the VPN traffic for translation. 
     static (inside,outside) 192.168.2.0 access-list policy-nat !--- It is a Policy NAT statement. !--- The static command with the access list (policy-nat), !--- which matches the VPN traffic and translates the source (192.168.1.0) to !--- 192.168.2.0 for outbound VPN traffic.
     crypto map outside_map 20 match address new !--- Define which traffic should be sent to the IPsec peer with the !--- access list (new).

    Thank you

    V

    Hi rc001g0241,

    I posted your question for clarity sake along.

    "what happens to the crypto acl, always use you even as older versions?"

    As you can see, Cisco doc you posted shows that you need to target for crypto engine is what happens after the nat policy has succeeded, illustrated here: "address match map crypto outside_map 20 new".

    "As you know the 8.3 then NAT requires to use the original instead of the address translated to the ACL, but I don't know if this applies to crypto ACL as well. Pointers?

    There is no such requirement and ACL target you in the engine crytop for the tunnel bound traffic can be a natted post address, that's what shows Cisco Doc and it is correct.

    Hope that answers your questions.

    Thank you

    Rizwan James

  • PIX with VPN to Checkpoint with overlapping subnets

    I have a client with a PIX runs code 6.3.

    They need establish an IPSec Tunnel for one of its customers with a Checkpoint firewall.

    Both organizations use 10.1.0.0/16 and I'd like to nat to 10.180.0.0 Home Office 16 and the remote client to 10.181.0.0.

    The document on the site Web of Cisco PIX and VPN concentrators is less useful. I don't think the text describing the image is correct.

    Help with ACL and static NAT is greatly appreciated.

    Frederik

    Apologies, should have asked. Which office has the pix and the control point. I write this as if the two ends were firewall pix so that's fine and we can see if that helps.

    Remote endpoint

    ==========

    NAT 10.1.0.0 ip access list allow 255.255.255.0 host 10.180.1.103

    NAT (inside) 3 access list NAT

    Global (outside) 10.181.0.0 255.255.0.0

    NOTE: You could really just NAT addresses 10.1.x.x from source to a global IP address rather than the whole 10.181.0.0/16 up to you.

    Your card crypto access list must then refer to the addressing of Natted 10.181.x.x rather than the 10.1.0.0 address.

    vpntraffic list access ip 10.181.0.0 255.255.0.0 allow host 10.180.1.103

    Main office

    ===========

    crpyto-access list should read

    vpntraffic list allowed access host 10.180.1.103 ip 10.181.0.0 255.255.0.0

    And you will need a static translation for client access

    public static 10.180.1.103 (Interior, exterior) 10.1.1.103 netmask 255.255.255.255

    Does that help?

    Jon

  • [VPN Site-to-Site] Network that overlap

    Hello

    We have a Cisco ASA 9.1 and many VPN clients that work very well to this topic.

    Now, he must connect to a partner with VPN Site to Site site.

    We have a few problems:

    • Duplication of IP address (we use 10.145.0.0/16 10.0.0.0/8 and partner use)
    • Partner cannot use NAT on the router

    What are the best solutions to configure the VPN Site to Site?

    Thanks for your help,

    Patrick

    Hi Patrick,

    Best option here is that you can specify the required subnets only in the field of /encryption cryptomap...

    said in other 10.0.0.0/8 need access only a few subnets 10.1.0.0/24, 10.10.20.0/24... You can specify only in your crypto acl... Alternatively, you can use refuse instruction for the specific 10.145.0.0/16 crypto card but am not sure if this gives you the best result.

    If you have the required access is mixed with several 10.x.x.x/8 instructions... then you can have the crypto ACL like sub areas of encryption... Here you jump only 10.145.0.0/16 of the subnet range...

    10.0.0.0/9 to 10.145.0.0/16
    10.128.0.0/12 to 10.145.0.0/16
    10.146.0.0/15 to 10.145.0.0/16
    10.148.0.0/14 to 10.145.0.0/16
    10.152.0.0/13 to 10.145.0.0/16
    10.160.0.0/11 to 10.145.0.0/16

    10.192.0.0/10 to 10.145.0.0/16

    but make sure you have not all servers in 10.145.0.0/16 on your local network that the client requires access...

    Link to have refuse to crypto ACL'; s

    https://supportforums.Cisco.com/discussion/10909276/crypto-ACL-question

    Concerning

    Knockaert

  • Tunnel from site to site VPN that overlap within the network

    Hi all

    I need to connect 2 networks via a tunnel VPN site to site. On the one hand, there is a 506th PIX by the termination of the VPN. The other side, I'm not too sure yet.

    However, what I know, is that both sides of the tunnel using the exact same IP subnet 192.168.1.0/24.

    This creates a problem when I need to define the Routing and the others when it comes to VPN and what traffic should be secure etc.

    However, read a lot for the review of CERT. Adv. Cisco PIX and noticed that outside NAT can solve my 'small' problem.

    That's all it is said, but I'd really like to see an example of configuration of this or hear from someone who has implemented it.

    Anyone?

    Steffen

    How is it then?

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

  • Problem VPN site to Site with overlapping networks

    We currently have a PIX 515E firewall as a headboard with many tunnels of site-to-site configured for her with the enpoints of PIX 506. Our internal LAN addressing scheme is 172.18.0.0 255.255.0.0. Addresses of local network in two of the remote networks with congigured VPN site-to-site are 172.18.107.0 255.255.255.224 and 172.18.107.32 255.255.255.0. Remote network access to all services on our internal network very well. We have 20 other network segments configured the same way. The 172.18.107.32.0 network needs to communicate with the 172.18.107.0 network for the services of file on the other remote PIX. Since the station PIX will not allow traffic to leave the same interface it came we thought with him we would just set up a tunnel from site to site between the two remote LAN. After the configuration of the site to another remote firewalls do not appear to try to establish tunnels when sending valuable traffic. I turned on debug for ISAKMP and nothing is either sent or received on a remote Firewall with regard to these tunnels. It's almost like since we already have a tunnel set to our 172.18.0.0 internal LAN that the remote PIX will not build specifically to 172.18.107.0 tunnel. I am able to ping each remote peer with each other and hear protection rules, but nothing has ever been established.

    Is what we are trying to do possible? Sorry for the long post but the kind of a strange scenario. Thanks in advance for any help.

    In what order are the numbers of seqence card crypto for configuring vpn on pix distance units? It could be that you are trying to install is a lot and will be checked later as head of pix. If this is the case, then yes the 172.18/16 road prevail the 172.18.107/24. Try to rebuild the entrance card crypto with a lower number so that traffic to 172.18.107/24 comes first.

    I would like to know how it works.

Maybe you are looking for