brian_appliedcpu

VPN to multiple offices with similar network schemes is not working.

Hello Experts...

I have about five point-to-point VPNs between remote offices, and unfortunately several of the offices have similar network address schemes. Fortunately they are different enough to allow the VPNs to route traffic.
Office 1  10.0.0.0 netmask 255.255.255.0
Office 2  10.50.0.0 netmask 255.255.255.0
Office 3  10.0.1.0 netmask 255.255.255.0
Main office, where all the VPNs terminate: 10.1.200.0 netmask 255.255.255.0
Each of the offices can connect, and if I keep clearing the IPsec SAs and ISAKMP SAs on the firewalls, eventually all of them will come up. Evidently one or more of them are conflicting with the others.
Each remote is either a 501 or a 506, all at 6.3.5, and the main is a 515 at 8.2.
All VPNs are point-to-point with static IP addresses.

Any help is greatly appreciated.

Brian
brian_appliedcpu (ASKER)

Here is the VPN portion of the main firewall:

access-list 100 extended permit ip host 10.1.200.9 host 10.0.130.2
access-list 100 extended permit ip host 10.1.200.8 host 10.0.130.2
access-list 100 extended permit ip host 10.1.200.9 host 192.168.10.2
access-list 100 extended permit ip host 10.1.200.9 host 192.168.10.12
access-list 100 extended permit ip host 10.1.200.9 10.50.0.0 255.255.255.0
access-list 100 extended permit ip host 10.1.200.5 10.0.110.0 255.255.255.0
access-list 100 extended permit ip host 10.1.200.9 10.0.0.0 255.255.255.0
access-list 100 extended permit ip host 10.1.200.5 192.168.1.0 255.255.255.0
access-list 120 extended permit ip host 10.1.200.9 host 10.0.130.2
access-list 120 extended permit ip host 10.1.200.8 host 10.0.130.2
access-list 130 extended permit ip host 10.1.200.5 192.168.1.0 255.255.255.0
access-list 150 extended permit ip host 10.1.200.5 10.0.110.0 255.255.255.0
access-list 110 extended permit ip host 10.1.200.9 10.50.0.0 255.255.255.0
access-list 160 extended permit ip host 10.1.200.9 10.0.0.0 255.255.255.0
access-list 135 extended permit ip host 10.1.200.9 host 192.168.10.2
access-list 135 extended permit ip host 10.1.200.9 host 192.168.10.12
access-list 210 extended permit ip 10.1.200.0 255.255.255.0 10.0.200.0 255.255.255.255


crypto ipsec transform-set vpnclientset esp-3des esp-md5-hmac
crypto ipsec transform-set DV-clientset esp-des esp-md5-hmac
crypto ipsec transform-set Dynamic-Client-Set esp-des esp-md5-hmac
crypto dynamic-map DynamicClientGroup 50 set transform-set Dynamic-Client-Set
crypto dynamic-map DynamicClientGroup 50 set reverse-route
crypto map VPNClientMap 50 ipsec-isakmp dynamic DynamicClientGroup
crypto map VPNClientMap 110 match address 110
crypto map VPNClientMap 110 set peer 162.xx.119.18
crypto map VPNClientMap 110 set transform-set DV-clientset
crypto map VPNClientMap 120 match address 120
crypto map VPNClientMap 120 set peer 166.xx.182.171
crypto map VPNClientMap 120 set transform-set vpnclientset DV-clientset
crypto map VPNClientMap 130 match address 130
crypto map VPNClientMap 130 set peer 24.xx.73.130
crypto map VPNClientMap 130 set transform-set DV-clientset
crypto map VPNClientMap 135 match address 135
crypto map VPNClientMap 135 set peer 24.xx.188.106
crypto map VPNClientMap 135 set transform-set DV-clientset
crypto map VPNClientMap 150 match address 150
crypto map VPNClientMap 150 set peer 66.xx.82.137
crypto map VPNClientMap 150 set transform-set DV-clientset
crypto map VPNClientMap 160 match address 160
crypto map VPNClientMap 160 set peer 24.xx.92.218
crypto map VPNClientMap 160 set transform-set DV-clientset
crypto map VPNClientMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

group-policy remotegrp internal
group-policy remotegrp attributes
 dns-server value 10.1.200.6
 vpn-idle-timeout 60
 default-domain value appliedcpu.com
 user-authentication disable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 166.xx.182.171 type ipsec-l2l
tunnel-group 166.xx.182.171 ipsec-attributes
 pre-shared-key *
tunnel-group 24.xx.73.130 type ipsec-l2l
tunnel-group 24.xx.73.130 ipsec-attributes
 pre-shared-key *
tunnel-group 66.xx.82.137 type ipsec-l2l
tunnel-group 66.xx.82.137 ipsec-attributes
 pre-shared-key *
tunnel-group 162.xx.119.18 type ipsec-l2l
tunnel-group 162.xx.119.18 ipsec-attributes
 pre-shared-key *
tunnel-group 24.xx.92.218 type ipsec-l2l
tunnel-group 24.xx.92.218 ipsec-attributes
 pre-shared-key *
tunnel-group 24.xx.188.106 type ipsec-l2l
tunnel-group 24.xx.188.106 ipsec-attributes
 pre-shared-key *
tunnel-group remotegrp type remote-access
tunnel-group remotegrp general-attributes
 address-pool clientpool
 default-group-policy remotegrp
tunnel-group remotegrp ipsec-attributes
 pre-shared-key *
prompt hostname context

: end
If the networks you are VPNing into have the same IP scheme, for example 192.168.1.x, you will have issues. Not sure why, but I have run into it in the past: you can create connections but the routing for the network doesn't work right. The easy fix in some cases is just changing the IP schemes in the remote workplaces, if that is feasible in your setup.
The easy fix is unfortunately not really an option; as we add more VPNs in the future we will inevitably run into the same issue of overlapping networks. There must be a solution somewhere. I remember several years ago when doing a PIX-to-client VPN where the home user's IP network number was the same as the main office's, and we did some sort of static translation so it appeared as though he was coming from another network... unfortunately I can't remember what we did.
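An added checker, not from this thread or from Cisco, for the first-match behaviour that makes overlapping crypto ACLs a problem: the ASA walks the crypto map in sequence order and the first entry whose ACL matches a flow decides the peer, so two site-to-site entries whose ACLs overlap will send one site's traffic down the other's tunnel. The script parses ACE and crypto map lines in the format posted above and reports such pairs; the embedded config is constructed from two of the posted entries plus a hypothetical sequence 170 (peer 198.51.100.7) standing in for a future site whose 10.0.0.0/16 overlaps them.

```python
import ipaddress
import re
from itertools import combinations
# Constructed excerpt: two crypto map entries copied from the posted config plus a hypothetical
# seq 170 (a new site, peer 198.51.100.7, destination 10.0.0.0/16) to show what a hit looks like.
CONFIG = """
access-list 120 extended permit ip host 10.1.200.9 host 10.0.130.2
access-list 160 extended permit ip host 10.1.200.9 10.0.0.0 255.255.255.0
access-list 170 extended permit ip host 10.1.200.9 10.0.0.0 255.255.0.0
crypto map VPNClientMap 120 match address 120
crypto map VPNClientMap 120 set peer 166.xx.182.171
crypto map VPNClientMap 160 match address 160
crypto map VPNClientMap 160 set peer 24.xx.92.218
crypto map VPNClientMap 170 match address 170
crypto map VPNClientMap 170 set peer 198.51.100.7
"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")

def parse_endpoint(tokens):
    """Consume one ASA ACE address spec (any / host A / A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return ({acl_id: [(src, dst), ...]}, {(map_name, seq): {"acl": id, "peer": ip}})."""
    acls, entries = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ACE_RE.match(line):
            src, rest = parse_endpoint(m.group(2).split())
            dst, _ = parse_endpoint(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := MAP_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            field = "acl" if m.group(3) == "match address" else "peer"
            entries.setdefault(key, {})[field] = m.group(4)
    return acls, entries

def overlapping_entries(acls, entries):
    """(seq_a, seq_b, peer_a, peer_b) for same-map entries whose crypto ACLs both match some flow;
    the map is walked lowest sequence first, so peer_a's SA carries traffic meant for peer_b."""
    hits = []
    for (ka, ea), (kb, eb) in combinations(sorted(entries.items()), 2):
        if ka[0] != kb[0] or "acl" not in ea or "acl" not in eb:
            continue
        if any(sa.overlaps(sb) and da.overlaps(db) for sa, da in acls.get(ea["acl"], [])
               for sb, db in acls.get(eb["acl"], [])):
            hits.append((ka[1], kb[1], ea.get("peer"), eb.get("peer")))
    return hits
```

Feed it the crypto ACL and crypto map lines from each firewall in turn, since the remote ends have crypto maps of their own.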
Rob Williams
Brian, I appreciate the invitation to assist you with your question, but I am afraid I am no help with Cisco. My knowledge on this subject is very limited. I must say I fail to see the overlap in your initial question.

However, the question "dealing with similar networks" does come up frequently. In most cases it's not possible to have overlapping subnets, but with Cisco I have seen several Experts advise as to how to deal with this. In the past the following article has been referenced frequently:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
You might want to search within Experts-Exchange for "same subnets" or "Overlapping networks"; there are numerous posts similar to:
https://www.experts-exchange.com/questions/21560159/PIX-to-PIX-with-same-IP-Scheme.html?sfQueryTermInfo=1+same+subnet
https://www.experts-exchange.com/questions/22849594/Site-to-Site-vpn-with-same-internal-ip-scheme-Extremely-Urgent.html?sfQueryTermInfo=1+same+subnet

I would also recommend posting a 20 point (pointer) question asking for assistance with this in the Cisco forum:
https://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/

Good luck with it.
--Rob
ASKER CERTIFIED SOLUTION
brian_appliedcpu
