  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1782

Cisco ASA 5500 - How can I VPN to a site that has overlapping subnets with my Cisco ASA's local LAN?

I have a Cisco ASA 5505 running 8.2.5 firmware. I have to VPN with a subnet that has the same IP range as my site, but I need to be able to be the initiator as WELL as the responder. I'm not sure what the best way to do this is.

My site:  10.0.1.0/24
Remote site:  10.0.1.0/24

My initial thought was to Policy-Nat both sides with a NAT OVERLOAD, which would work fine, but I need to be able to talk back to (2) specific hosts on that LAN, and that LAN needs to be able to talk back to (2) specific hosts on MY LAN.

MY LAN: 10.0.1.50, 10.0.1.51 needs to talk to the remote site's IPs: 10.0.1.100, 10.0.1.101.

My thought was:

NAT my site as:  172.16.10.0/24
NAT remote site to me as:  192.168.10.0/24

on my side:  
host 1 - 172.16.10.50
host 2 - 172.16.10.51

on remote site:

host 1 - 192.168.10.100
host 2 - 192.168.10.101

interesting traffic acl:  172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0

Normally, I would also include a NAT (inside) 0 statement that matches the interesting traffic ACL so that it does not NAT, but in this case I DO want these hosts to 1-to-1 NAT as 172.16.10.50,51 to inside 10.0.1.50,51... so do I skip the NAT (inside) 0?

Also, does this get complicated if those hosts have any static (inside,outside) relationships with the OUTSIDE interface? Say, one of them is serving a web server or email server? I know how to do a P-NAT to send these hosts out as the specific IPs that I want them to send out as:

access-list PNAT-1 permit ip host 10.0.1.50 192.168.10.0 255.255.255.0
access-list PNAT-2 permit ip host 10.0.1.51 192.168.10.0 255.255.255.0
global (outside) 10 172.16.10.50
global (outside) 11 172.16.10.51
nat (inside) 10 access-list PNAT-1
nat (inside) 11 access-list PNAT-2

But how can I get 172.16.10.50,51 to accept inbound traffic on all ports and pass it to inside host 10.0.1.50,51?  

Once I know how to set site 1 up, the second site is just a reflection of that... but I keep getting stuck on the NAT INBOUND (static inside,outside). The VPN comes up, but I can't get the hosts to talk.
Asked:
jkeegan123
1 Solution
 
jkeegan123 (Author) Commented:
Both sites are ASAs with the same firmware.
 
Gareth Gudger Commented:
 
Netman66 Commented:
Agreed, static NAT.

Do not accept my answer as it's all in that link.
 
jkeegan123 (Author) Commented:
What about the static communication between the hosts on each NATed subnet? In the article it describes pulling this off with a static (inside,outside) and an access list for policy NAT... but what will the results be when talking to the destination subnet? Will all IPs on the destination translated subnet be accessible automatically? I expected having to map 1 to 1... can anyone elaborate? The example is a bit thin on the resulting details.

Thanks!
 
Gareth Gudger Commented:
All IPs should be available. Basically the policy NAT is changing the internal IP range on each router to be something else when it passes through the interfaces. In their example ASA-1 becomes 192.168.2.0 to the other router. And ASA-2 becomes 192.168.3.0 to the other router.
 
jkeegan123 (Author) Commented:
So it's a wildcard for the last octet? All is transposed to the translated subnet except for the last octet? So 10.0.1.0/24 translates to 172.16.10.0, and 10.0.1.50 becomes 172.16.10.50?
 
Gareth Gudger Commented:
Actually not really. Your 10.0.1.0/24 is being translated to a completely new LAN that doesn't physically exist, if that's the best way to describe it.

So if we use your IPs as an example, bringing in the flavor of this article, they would make:

Local Site:
10.0.1.0/24 translates to a brand new subnet 10.0.2.0/24 (assuming that doesn't exist in either environment already).

And

Remote Site:
10.0.1.0/24 translates to another brand new subnet, 10.0.3.0/24 (assuming that also doesn't already exist in either network).

These subnets in essence only really exist on each router and not physically. The VPN tunnel at each end is only aware of 10.0.2.0/24 and 10.0.3.0/24. Once traffic arrives back at each site it is NATed back to its original 10.0.1.0.

Hope this helps.
 
jkeegan123 (Author) Commented:
But in order to access the hosts on the now translated LAN at the destination, what IP do I call? If the destination real IP is 10.0.1.10, and I'm translating to 10.0.3.0/24, do I call 10.0.3.10 in order to access the SQL server on 10.0.1.10?
 
Jan Springer Commented:
Simply do not include your inside to their inside in the NONAT and have your encryption domain be your public to their private.

That's it.
 
jkeegan123 (Author) Commented:
I have just tested this out and I was able to get the tunnel to come up very easily and the subnet appears to be NATed on both sides to an alternate subnet, but I am unable to hit any of the hosts that I need to hit on those respective VPNs, either from the local side to the remote side or from the remote side to the local side. Does there also need to be a static one-to-one for each specific translated IP on that new translated subnet to their individual real IPs?
 
Jan Springer Commented:
If you have enough spare public IPs for the inside subnet, do a static NAT for the two IPs you need in the VPN and don't include your inside to their inside in your nonat statements.

Your encryption domain can be your entire public subnet. If you don't have enough public IPs, ask your provider for a /29.
 
jkeegan123 (Author) Commented:
All public IPs in my /29 are in use; how can this be done with the translated IPs?
 
Jan Springer Commented:
Do you have two public IPs that you can use to statically NAT those two inside IPs needed for the VPN?
 
Jan Springer Commented:
static (inside,outside) PUBLIC_IP_1  10.0.1.50 netmask 255.255.255.255
static (outside,inside) 10.0.1.50 PUBLIC_IP_1 netmask 255.255.255.255

static (inside,outside) PUBLIC_IP_2 10.0.1.51 netmask 255.255.255.255
static (outside,inside) 10.0.1.51 PUBLIC_IP_2 netmask 255.255.255.255

access-list VPN extended permit ip YOUR_PUBLIC_SUBNET MASK 192.168.10.0 255.255.255.0

crypto map SOME_NAME 10 match address VPN

(changing the "10" above to whatever ruleset you are using).
 
jkeegan123 (Author) Commented:
Not public IPs, but in the examples I was NATing to 172.16.10.0/24, so 10.0.1.50 would become 172.16.10.50... would I do a static (inside,outside) 172.16.10.50 access-list PNAT-acl?
 
Jan Springer Commented:
That should work.
 
jkeegan123 (Author) Commented:
By the way, this never was able to work and now this is coming up again... does anyone have example configurations of this working? I have to VPN 2 sites with the same PRIVATE subnet. Given the examples above, I was not able to do:

- Leave out my private subnet from the NONAT and set encryption domain to my private to their public - THIS DIDN'T WORK BECAUSE I NEED TO ACCESS 7 SPECIFIC HOSTS ON THEIR INSIDE NETWORK ACROSS THE VPN.
- PUBLIC NAT to PRIVATE NAT plus VPN - I only have a /29 (5 usable IP addresses) so this will not work for the 7 hosts that I have to access.
- In the Cisco example article at the top, it LOOKS like I should be able to do a complete NAT HIDE and wildcard everything except for the last octet, but this did NOT work to pass traffic to specific hosts (even though the tunnel DID come up).

Can we wake this issue up?
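The double-NAT scheme that Gareth's and Jan's answers describe, worked through as an added example that is not configuration from this thread: a Python model using the asker's own 172.16.10.0/24 and 192.168.10.0/24 mapped ranges. It assumes net-to-net static translation (the ASA keeps the host bits, so 10.0.1.50 is presented as 172.16.10.50), policy NAT keyed on the remote mapped range, and a crypto ACL written in post-NAT addresses; the functions are hypothetical helpers, not ASA commands, and it also shows the failure mode the asker hit, where calling a real remote 10.0.1.x address never leaves the local LAN.

```python
"""Model of the double NAT the thread describes: each ASA shows its real
10.0.1.0/24 to the tunnel as a mapped subnet that exists nowhere else.
Constructed example; addresses are the asker's, functions are hypothetical."""
import ipaddress as ip

LOCAL_REAL = ip.ip_network("10.0.1.0/24")
REMOTE_REAL = ip.ip_network("10.0.1.0/24")        # the overlap
LOCAL_MAPPED = ip.ip_network("172.16.10.0/24")    # local LAN as remote sees it
REMOTE_MAPPED = ip.ip_network("192.168.10.0/24")  # remote LAN as local sees it


def check_mapped_subnets():
    """Mapped ranges must not exist on either real LAN; otherwise routing
    delivers packets locally before NAT or the crypto map ever sees them."""
    for mapped in (LOCAL_MAPPED, REMOTE_MAPPED):
        for real in (LOCAL_REAL, REMOTE_REAL):
            if mapped.overlaps(real):
                raise ValueError(f"{mapped} collides with real LAN {real}")
    if LOCAL_MAPPED.overlaps(REMOTE_MAPPED):
        raise ValueError("the two mapped subnets collide with each other")
    return True


def net_static(addr, real, mapped):
    """Net-to-net static translation: keep the host bits, swap the prefix."""
    addr = ip.ip_address(addr)
    if addr not in real:
        return str(addr)
    host_bits = int(addr) - int(real.network_address)
    return str(ip.ip_address(int(mapped.network_address) + host_bits))


def interesting(src, dst):
    """Crypto ACL in post-NAT terms: mapped-local to mapped-remote only."""
    return ip.ip_address(src) in LOCAL_MAPPED and ip.ip_address(dst) in REMOTE_MAPPED


def send_from_local(src, dst):
    """Trace one packet from a local host towards the remote site.
    Returns (crosses_vpn, source_seen_on_wire, address_delivered_to)."""
    if ip.ip_address(dst) in LOCAL_REAL:
        # A real remote address looks local: switched on the LAN, never NATed.
        return (False, src, dst)
    # Policy NAT is keyed on the destination: only traffic for the remote
    # mapped range has its source rewritten into LOCAL_MAPPED.
    src_wire = net_static(src, LOCAL_REAL, LOCAL_MAPPED) if ip.ip_address(dst) in REMOTE_MAPPED else src
    if not interesting(src_wire, dst):
        return (False, src_wire, dst)  # ordinary outbound path, outside the tunnel
    # The remote ASA un-maps its mapped range back to the real host.
    return (True, src_wire, net_static(dst, REMOTE_MAPPED, REMOTE_REAL))
```

The remote side is the mirror image with the two mapped ranges swapped, so a remote host reaches 10.0.1.50 here by calling 172.16.10.50.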
