VPN to multiple offices with similar network schemes is not working.

Hello Experts...

I have about 5 point-to-point VPNs between remote offices, and unfortunately several of the offices have similar network address schemes. Fortunately they are different enough to allow the VPNs to route traffic.
Office 1  10.0.0.0 netmask 255.255.255.0
Office 2  10.50.0.0 netmask 255.255.255.0
Office 3  10.0.1.0 netmask 255.255.255.0
Main office where all the VPNs terminate 10.1.200.0 255.255.255.0
Each of the offices can connect, and if I keep clearing the IPsec SAs and ISAKMP SAs on the firewalls, eventually all of them will come up. Evidently one or more of them are conflicting with the others.
Each remote is either a 501 or a 506, all at 6.3.5, and the main is a 515 at 8.2.
All VPNs are point-to-point with static IP addresses.

Any help is greatly appreciated.

Brian
brian_appliedcpuAsked:

brian_appliedcpuAuthor Commented:
Here is the VPN portion of the main firewall:

access-list 100 extended permit ip host 10.1.200.9 host 10.0.130.2
access-list 100 extended permit ip host 10.1.200.8 host 10.0.130.2
access-list 100 extended permit ip host 10.1.200.9 host 192.168.10.2
access-list 100 extended permit ip host 10.1.200.9 host 192.168.10.12
access-list 100 extended permit ip host 10.1.200.9 10.50.0.0 255.255.255.0
access-list 100 extended permit ip host 10.1.200.5 10.0.110.0 255.255.255.0
access-list 100 extended permit ip host 10.1.200.9 10.0.0.0 255.255.255.0
access-list 100 extended permit ip host 10.1.200.5 192.168.1.0 255.255.255.0
access-list 120 extended permit ip host 10.1.200.9 host 10.0.130.2
access-list 120 extended permit ip host 10.1.200.8 host 10.0.130.2
access-list 130 extended permit ip host 10.1.200.5 192.168.1.0 255.255.255.0
access-list 150 extended permit ip host 10.1.200.5 10.0.110.0 255.255.255.0
access-list 110 extended permit ip host 10.1.200.9 10.50.0.0 255.255.255.0
access-list 160 extended permit ip host 10.1.200.9 10.0.0.0 255.255.255.0
access-list 135 extended permit ip host 10.1.200.9 host 192.168.10.2
access-list 135 extended permit ip host 10.1.200.9 host 192.168.10.12
access-list 210 extended permit ip 10.1.200.0 255.255.255.0 10.0.200.0 255.255.255.255


crypto ipsec transform-set vpnclientset esp-3des esp-md5-hmac
crypto ipsec transform-set DV-clientset esp-des esp-md5-hmac
crypto ipsec transform-set Dynamic-Client-Set esp-des esp-md5-hmac
crypto dynamic-map DynamicClientGroup 50 set transform-set Dynamic-Client-Set
crypto dynamic-map DynamicClientGroup 50 set reverse-route
crypto map VPNClientMap 50 ipsec-isakmp dynamic DynamicClientGroup
crypto map VPNClientMap 110 match address 110
crypto map VPNClientMap 110 set peer 162.xx.119.18
crypto map VPNClientMap 110 set transform-set DV-clientset
crypto map VPNClientMap 120 match address 120
crypto map VPNClientMap 120 set peer 166.xx.182.171
crypto map VPNClientMap 120 set transform-set vpnclientset DV-clientset
crypto map VPNClientMap 130 match address 130
crypto map VPNClientMap 130 set peer 24.xx.73.130
crypto map VPNClientMap 130 set transform-set DV-clientset
crypto map VPNClientMap 135 match address 135
crypto map VPNClientMap 135 set peer 24.xx.188.106
crypto map VPNClientMap 135 set transform-set DV-clientset
crypto map VPNClientMap 150 match address 150
crypto map VPNClientMap 150 set peer 66.xx.82.137
crypto map VPNClientMap 150 set transform-set DV-clientset
crypto map VPNClientMap 160 match address 160
crypto map VPNClientMap 160 set peer 24.xx.92.218
crypto map VPNClientMap 160 set transform-set DV-clientset
crypto map VPNClientMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

group-policy remotegrp internal
group-policy remotegrp attributes
 dns-server value 10.1.200.6
 vpn-idle-timeout 60
 default-domain value appliedcpu.com
 user-authentication disable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 166.xx.182.171 type ipsec-l2l
tunnel-group 166.xx.182.171 ipsec-attributes
 pre-shared-key *
tunnel-group 24.xx.73.130 type ipsec-l2l
tunnel-group 24.xx.73.130 ipsec-attributes
 pre-shared-key *
tunnel-group 66.xx.82.137 type ipsec-l2l
tunnel-group 66.xx.82.137 ipsec-attributes
 pre-shared-key *
tunnel-group 162.xx.119.18 type ipsec-l2l
tunnel-group 162.xx.119.18 ipsec-attributes
 pre-shared-key *
tunnel-group 24.xx.92.218 type ipsec-l2l
tunnel-group 24.xx.92.218 ipsec-attributes
 pre-shared-key *
tunnel-group 24.xx.188.106 type ipsec-l2l
tunnel-group 24.xx.188.106 ipsec-attributes
 pre-shared-key *
tunnel-group remotegrp type remote-access
tunnel-group remotegrp general-attributes
 address-pool clientpool
 default-group-policy remotegrp
tunnel-group remotegrp ipsec-attributes
 pre-shared-key *
prompt hostname context

: end
retechguysCommented:
If the networks you're VPNing into have the same IP scheme, for example 192.168.1.x, you will have issues. Not sure why, but I have run into it in the past: you can create connections, but the routing for the network doesn't work right. The easy fix in some cases is just changing the IP schemes in the remote workplaces, if that is feasible in your setup.
brian_appliedcpuAuthor Commented:
The easy fix is unfortunately not really an option; as we add more VPNs in the future we will inevitably run into the same issue of overlapping networks. There must be a solution somewhere. I remember several years ago, when doing a PIX-to-client VPN where the home user's IP network number was the same as the main office, we did some sort of static translation so it appeared as though he was coming from another network... unfortunately I can't remember what we did.
Rob WilliamsCommented:
Brian, I appreciate the invitation to assist you with your question, but I am afraid I am no help with Cisco. My knowledge on this subject is very limited. I must say I fail to see the overlap in your initial question.

However, the question, "dealing with similar networks ", does come up frequently. In most cases it's not possible to have overlapping subnets, but with Cisco I have seen several Experts advise as to how to deal with this. In the past the following article has been referenced frequently:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
You might want to search within Experts-Exchange for "same subnets" or "Overlapping networks"; there are numerous posts similar to:
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21560159.html?sfQueryTermInfo=1+same+subnet
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22849594.html?sfQueryTermInfo=1+same+subnet

I would also recommend posting a 20 point (pointer) question asking for assistance with this in the Cisco forum:
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/

Good luck with it.
--Rob
brian_appliedcpuAuthor Commented:
I called Cisco and resolved the issue as follows:

We issued the following commands to decrease the priority of the dynamic crypto map (increase the priority number to 655) to resolve the issue:
no crypto map VPNClientMap 50 ipsec-isakmp dynamic DynamicClientGroup
crypto map VPNClientMap 655 ipsec-isakmp dynamic DynamicClientGroup

What was happening was that the static clients were binding to the dynamic crypto on the main and not their individual crypto.
This now allows the tunnels to stay up all the time with no issues.
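Added example (not from the thread and not Cisco code): a small Python check for the ordering problem the accepted answer describes. It parses crypto map lines in the form posted above and flags any dynamic entry whose sequence number is lower than a static peer entry in the same map, since entries are evaluated lowest sequence first. The config excerpt is constructed from the posted map, with the masked peer addresses from the thread.

```python
import re

# Constructed excerpt modelled on the posted crypto map: dynamic entry at 50, static peers at 110 and 160.
CRYPTO_MAP_BEFORE = """\
crypto dynamic-map DynamicClientGroup 50 set transform-set Dynamic-Client-Set
crypto map VPNClientMap 50 ipsec-isakmp dynamic DynamicClientGroup
crypto map VPNClientMap 110 match address 110
crypto map VPNClientMap 110 set peer 162.xx.119.18
crypto map VPNClientMap 160 match address 160
crypto map VPNClientMap 160 set peer 24.xx.92.218
crypto map VPNClientMap interface outside
"""

# Same map after the fix from the accepted answer: dynamic entry moved to sequence 655.
CRYPTO_MAP_AFTER = CRYPTO_MAP_BEFORE.replace(
    "crypto map VPNClientMap 50 ipsec-isakmp dynamic",
    "crypto map VPNClientMap 655 ipsec-isakmp dynamic",
)

_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.*)$")

def parse_crypto_map(config):
    """Collect entries keyed by (map name, sequence): dynamic flag plus any static peers named."""
    entries = {}
    for line in config.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # 'interface outside' lines and unrelated config have no sequence number
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = entries.setdefault((name, seq), {"dynamic": False, "peers": []})
        if rest.startswith("ipsec-isakmp dynamic"):
            entry["dynamic"] = True
        elif rest.startswith("set peer"):
            entry["peers"].extend(rest.split()[2:])
    return entries

def misordered_dynamic_entries(config):
    """One finding per dynamic entry that sorts before a static peer entry in the same map:
    a low-numbered dynamic entry can claim a static peer's negotiation before its own entry."""
    entries = parse_crypto_map(config)
    findings = []
    for (name, seq), entry in sorted(entries.items()):
        if not entry["dynamic"]:
            continue
        shadowed = sorted((s, e["peers"]) for (n, s), e in entries.items()
                          if n == name and s > seq and e["peers"])
        if shadowed:
            peers = ", ".join(p for _, ps in shadowed for p in ps)
            findings.append(f"{name} seq {seq}: dynamic entry precedes static peers {peers}")
    return findings
```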