Solved

Cisco ASA 5500 - How can I VPN to a site that has overlapping subnets with my Cisco ASA's local LAN?

Posted on 2014-01-08
Last Modified: 2014-02-26
I have a Cisco ASA 5505 running 8.2.5 firmware.  I have to VPN with a subnet that has the same IP range as my site, but I need to be able to be the initiator as WELL as the responder.  I'm not sure what the best way to do this is?

My site:  10.0.1.0/24
Remote site:  10.0.1.0/24

My initial thought was to Policy-Nat both sides with a NAT OVERLOAD, which would work fine, but I need to be able to talk back to (2) specific hosts on that LAN, and that LAN needs to be able to talk back to (2) specific hosts on MY LAN.

My LAN: 10.0.1.50 and 10.0.1.51 need to talk to the remote site's IPs: 10.0.1.100 and 10.0.1.101.

My thought was:

NAT my site as:  172.16.10.0/24
NAT remote site to me as:  192.168.10.0/24

on my side:  
host 1 - 172.16.10.50
host 2 - 172.16.10.51

on remote site:

host 1 - 192.168.10.100
host 2 - 192.168.10.101

interesting traffic acl:  172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0

Normally, I would also include a NAT (inside) 0 statement that matches the interesting traffic ACL so that it does not NAT, but in this case I DO want these hosts to 1-to-1 NAT as 172.16.10.50,51 to inside 10.0.1.50,51....so do I skip the NAT (INSIDE) 0?  

Also, does this get complicated if those hosts have any static (inside,outside) relationships with the OUTSIDE interface?  Say, one of them is serving a web server or email server?  I know how to do a P-NAT to send these hosts out as the specific IP's that I want them to send out as:

access-list PNAT-1 permit ip host 10.0.1.50 192.168.10.0 255.255.255.0
access-list PNAT-2 permit ip host 10.0.1.51 192.168.10.0 255.255.255.0
global (outside) 10 172.16.10.50
global (outside) 11 172.16.10.51
nat (inside) 10 access-list PNAT-1
nat (inside) 11 access-list PNAT-2

But how can I get 172.16.10.50,51 to accept inbound traffic on all ports and pass it to inside host 10.0.1.50,51?  

Once I know how to set site 1 up, the second site is just a reflection of that...but I keep getting stuck on the NAT INBOUND (static inside, outside).  The VPN comes up, but I can't get the hosts to talk.
Question by:jkeegan123
17 Comments

Author Comment

by:jkeegan123
ID: 39766930
Both sites are ASAs with the same firmware.

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 39766931

Expert Comment

by:Netman66
ID: 39767039
Agreed, static NAT.

Do not accept my answer as it's all in that link.

Author Comment

by:jkeegan123
ID: 39767057
What about the static communication between the hosts on each NATted subnet? In the article it describes pulling this off with a static (inside,outside) and an access list for policy NAT... but what will the results be when talking to the destination subnet? Will all IPs on the destination translated subnet be accessible automatically? I expected having to map 1-to-1... can anyone elaborate? The example is a bit thin on the resulting details.

Thanks!

Expert Comment

by:Gareth Gudger
ID: 39767081
All IPs should be available. Basically the policy NAT is changing the internal IP range on each router to be something else when it passes through the interfaces. In their example ASA-1 becomes 192.168.2.0 to the other router. And ASA-2 becomes 192.168.3.0 to the other router.

Author Comment

by:jkeegan123
ID: 39767096
So it's a wildcard for the last octet? All is transposed to the translated subnet except for the last octet? So 10.0.1.0/24 translates to 172.16.10.0, and 10.0.1.50 becomes 172.16.10.50?

Expert Comment

by:Gareth Gudger
ID: 39767128
Actually, not really. Your 10.0.1.0/24 is being translated to a completely new LAN that doesn't physically exist, if that's the best way to describe it.

So, using your IPs as an example and bringing in the flavor of this article:

They would make:

Local Site
10.0.1.0/24 translates to a brand new subnet 10.0.2.0/24 (assuming that doesn't exist in either environment already).

And

Remote Site:
10.0.1.0/24 translates to another brand new subnet, 10.0.3.0/24 (assuming that also doesn't already exist in either network)

These subnets in essence only really exist on each router and not physically. The VPN tunnel at each end is only aware of 10.0.2.0/24 and 10.0.3.0/24. Once traffic arrives back at each site it is NATted back to its original 10.0.1.0.

Hope this helps.
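The translation Gareth describes above, written out as an ASA 8.2 (pre-8.3 NAT syntax) configuration for both ends, using the subnets from the question: both sites are really 10.0.1.0/24, the local site is presented to the remote one as 172.16.10.0/24 and the remote site is presented to the local one as 192.168.10.0/24. This is an added example and not configuration from the thread or from the Cisco article it refers to; the peer addresses 203.0.113.1 and 198.51.100.1 (documentation addresses), the ACL, transform-set and crypto map names, the extra NONAT entry and the pre-shared key placeholder are all assumed for illustration.

```cisco
! === Site A (local): real 10.0.1.0/24, presented to Site B as 172.16.10.0/24 ===
! Assumed: outside 203.0.113.1, peer (Site B outside) 198.51.100.1
!
! Policy static NAT: every 10.0.1.x becomes 172.16.10.x, but ONLY when the
! destination is Site B's mapped subnet. The static is bidirectional, so a
! packet arriving for 172.16.10.50 is untranslated to 10.0.1.50 on all ports;
! no separate static (outside,inside) and no per-host statics are needed.
access-list SITEB-POLICY-NAT extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
static (inside,outside) 172.16.10.0 access-list SITEB-POLICY-NAT
!
! NAT exemption for other tunnels can stay, but the pair
! 10.0.1.0/24 -> 192.168.10.0/24 must NOT appear in it: nat 0 is evaluated
! before the policy static, so the traffic would leave untranslated and never
! match the crypto ACL below. (10.0.9.0/24 is an assumed unrelated VPN.)
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The crypto ACL uses the MAPPED addresses on both sides: NAT happens before
! the crypto match on the way out, and Site B only ever sees 172.16.10.x.
access-list SITEB-CRYPTO extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address SITEB-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret>
!
! === Site B (remote): real 10.0.1.0/24, presented to Site A as 192.168.10.0/24 ===
! Mirror image of Site A: swap the mapped subnets and the peer. The ISAKMP
! policy and transform set are identical to Site A's and are not repeated.
access-list SITEA-POLICY-NAT extended permit ip 10.0.1.0 255.255.255.0 172.16.10.0 255.255.255.0
static (inside,outside) 192.168.10.0 access-list SITEA-POLICY-NAT
!
access-list SITEA-CRYPTO extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address SITEA-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <shared-secret>
```

With this in place a host at Site A reaches Site B's 10.0.1.100 by addressing 192.168.10.100, and Site B reaches Site A's 10.0.1.50 at 172.16.10.50; either side can initiate because the policy static translates in both directions. Nothing changes on the hosts: the ASA is their default gateway and the mapped subnets only exist inside the two firewalls. Two caveats: if a host such as 10.0.1.50 already has a regular `static (inside,outside) PUBLIC_IP 10.0.1.50` for a web or mail server, keep it, but confirm with `packet-tracer` that traffic toward 192.168.10.0/24 hits the policy static and Internet traffic hits the regular one; and if `sysopt connection permit-vpn` has been disabled, the outside interface ACL must permit 192.168.10.0/24 to 172.16.10.0/24, since pre-8.3 interface ACLs match the mapped addresses.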

Author Comment

by:jkeegan123
ID: 39767146
But in order to access the hosts on the now-translated LAN at the destination, what IP do I call? If the destination real IP is 10.0.1.10, and I'm translating to 10.0.3.0/24, do I call 10.0.3.10 in order to access the SQL server on 10.0.1.10?

Expert Comment

by:Jan Springer
ID: 39767979
Simply do not include your inside to their inside in the NONAT and have your encryption domain be your public to their private.

That's it.

Author Comment

by:jkeegan123
ID: 39768000
I have just tested this out and I was able to get the tunnel to come up very easily, and the subnet appears to be NATted on both sides to an alternate subnet, but I am unable to hit any of the hosts that I need to hit on those respective VPNs, either from the local side to the remote side or from the remote side to the local side. Does there also need to be a static one-to-one for each specific translated IP on that new translated subnet to their individual real IPs?

Expert Comment

by:Jan Springer
ID: 39768025
If you have enough spare public IPs for the inside subnet, do a static NAT for the two IPs you need in the VPN and don't include your inside to their inside in your nonat statements.

Your encryption domain can be your entire public subnet.  If you don't have enough public IPs, ask your provider for a /29.

Author Comment

by:jkeegan123
ID: 39768095
All public IPs in my /29 are in use; how can this be done with the translated IPs?

Expert Comment

by:Jan Springer
ID: 39768149
Do you have two public IPs that you can use to statically NAT those two inside IPs needed for the VPN?

Expert Comment

by:Jan Springer
ID: 39768169
static (inside,outside) PUBLIC_IP_1  10.0.1.50 netmask 255.255.255.255
static (outside,inside) 10.0.1.50 PUBLIC_IP_1 netmask 255.255.255.255

static (inside,outside) PUBLIC_IP_2 10.0.1.51 netmask 255.255.255.255
static (outside,inside) 10.0.1.51 PUBLIC_IP_2 netmask 255.255.255.255

access-list VPN extended permit ip YOUR_PUBLIC_SUBNET MASK 192.168.10.0 255.255.255.0

crypto map SOME_NAME 10 match address VPN

(changing the "10" above to whatever ruleset you are using).

Author Comment

by:jkeegan123
ID: 39768199
Not public IPs, but in the examples I was NATting to 172.16.10.0/24, so 10.0.1.50 would become 172.16.10.50... would I do a static (inside,outside) 172.16.10.50 access-list PNAT-acl?

Expert Comment

by:Jan Springer
ID: 39768263
That should work.

Author Comment

by:jkeegan123
ID: 39889979
By the way, this never was able to work and now this is coming up again...does anyone have example configurations of this working?  I have to VPN 2 sites with the same PRIVATE subnet.  Given the examples above, I was not able to do:

- Leave out my private subnet from the NONAT and set encryption domain to my private to their public - THIS DIDN'T WORK BECAUSE I NEED TO ACCESS 7 SPECIFIC HOSTS ON THEIR INSIDE NETWORK ACROSS THE VPN.
- PUBLIC NAT to PRIVATE NAT plus VPN - I only have a /29 (5 usable IP addresses) so this will not work for the 7 hosts that I have to access
- In the Cisco example article at the top, it LOOKS like I should be able to do a complete NAT HIDE and wildcard everything except for the last octet, but this did NOT work to pass traffic to specific hosts (even though the tunnel DID come up).

Can we wake this issue up?
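The symptom in the last comment (tunnel up, hosts unreachable) is almost always one of three things on 8.2: the overlapping pair is still covered by the nat 0 ACL, the crypto ACL was written with real instead of mapped addresses, or the two crypto ACLs are not mirror images. The commands below, run on the local ASA, check each of those in turn. This is an added verification sequence and not from the thread; the ACL names (SITEB-POLICY-NAT, NONAT), the peer 198.51.100.1, the source port and the SQL port 1433 are assumed and match the configuration example earlier on the page.

```cisco
! 1. Simulate a connection from the local SQL client to the remote SQL
!    server's MAPPED address. In the output, the NAT phase should cite
!    "static (inside,outside) 172.16.10.0 access-list SITEB-POLICY-NAT" and
!    a VPN phase should show ENCRYPT. If the NAT phase shows
!    "nat (inside) 0 access-list NONAT" and there is no VPN phase, the
!    overlapping pair is still in the exemption ACL.
packet-tracer input inside tcp 10.0.1.50 40000 192.168.10.100 1433
!
! 2. Confirm no NONAT entry covers the mapped remote subnet, and that the
!    policy static is present.
show access-list NONAT | include 192.168.10
show run static
!
! 3. After real traffic has been sent, the translation should exist.
show xlate | include 172.16.10
!
! 4. The proxy identities must be local 172.16.10.0/24 and remote
!    192.168.10.0/24 here, and exactly the reverse on the remote ASA.
!    Phase 1 and Phase 2 come up even when the identities are wrong in a way
!    that never matches the actual traffic, so check #pkts encaps/decaps
!    are both increasing.
show crypto isakmp sa
show crypto ipsec sa peer 198.51.100.1
!
! 5. If the test is ping rather than TCP, ICMP replies need inspection
!    (or an explicit ACL); testing with TCP to 1433 avoids that variable.
show run policy-map | include icmp
```

Repeat step 1 on the remote ASA with the addresses swapped (source 10.0.1.100, destination 172.16.10.50). If both packet-tracers show the policy static and an ENCRYPT phase but one side's ipsec SA shows encaps increasing while the other's decaps stays at zero, the proxy identities are mismatched and the remote ASA is silently discarding the packets.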