Solved

ASA L2L with overlap

Posted on 2014-08-27
Last Modified: 2014-08-28
Hello,

I know this might be an easy one for many, but I keep losing my place in the flow of the configuration and I need help completing this by COB tomorrow EST.

I have the standard issue of trying to configure a L2L tunnel between these 2 ASAs. One is a 5520 running 8.2 and the other is a 5510 running 7.2. The 5520 (1) has the inside segment of 10.0.0.0/8 and the 5510 (2) has 10.0.0.0/24. (2) can be played around with as nothing is live on that end. (1) is a live environment with one more L2L to another client and active data flowing.

I have read and re-read the following, but am more mixed up than when I began:
http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/
http://roggyblog.blogspot.com/2009/10/pixasa-site-to-site-l2l-vpn-with_27.html
http://popravak.wordpress.com/2011/11/13/cisco-asa-overlapping-networks/
http://www.mikespicer.net/wp/cisco/cisco-vpn-multiple-or-overlapping-l2l-tunnels-using-nat/
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
http://netscenarios.wordpress.com/2011/04/29/configuring-ipsec-vpns-with-overlapping-addresses-in-cisco-asa/

Can someone please help me with the configurations on either ends? One of my concerns is that I do not want to cause a traffic mess for the flat network at the (1) site. Also, I only have a handful of computers on either side that need to talk to each other, the whole segment doesn't necessarily need to be on that config.

Thank you.
Question by: netcmh

3 Comments
 

Author Comment

by:netcmh
ID: 40290218
I've worked on the config and need another set of eyes to verify. Please help.

HO

ext IP: 12.XX.XX.XX
int IP: 10.0.1.1/8

access-list L2L-Branch extended permit ip 1.1.1.0 255.0.0.0 2.2.2.0 255.0.0.0
access-list L2L-Branch-NAT extended permit ip 10.0.0.0 255.0.0.0 2.2.2.0 255.0.0.0
static (inside,outside) 1.1.1.0 access-list L2L-Branch-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_Map 20 match address L2L-Branch
crypto map IPSec_Map 20 set peer 65.XX.XX.XX 
crypto map IPSec_Map 20 set transform-set ESP-AES-256-SHA
crypto map IPSec_Map interface outside

crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption aes-256
crypto isakmp policy 20 hash sha
crypto isakmp policy 20 group 5
crypto isakmp policy 20 lifetime 86400
crypto isakmp enable Outside

tunnel-group 65.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey


Branch

ext IP: 65.XX.XX.XX
int IP: 10.0.0.1/24

access-list L2L-HO extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list L2L-HO-NAT extended permit ip 10.0.0.0 255.255.255.0 1.1.1.0 255.255.255.0
static (inside,outside) 2.2.2.0 access-list L2L-HO-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_map 10 match address L2L-HO
crypto map IPSec_map 10 set peer 12.XX.XX.XX
crypto map IPSec_map 10 set transform-set ESP-AES-256-SHA
crypto map IPSec_map interface outside

crypto isakmp policy 10 !authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 12.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey

Test

Ping from HO Computer to Branch Computer
HO_USER> ping 2.2.2.X

Ping from Branch Computer to HO Computer
BO_USER> ping 1.1.1.X


 

Author Comment

by:netcmh
ID: 40290435
Anyone?
 

Accepted Solution

by: netcmh (earned 0 total points)
ID: 40291078
I figured it out. Here's the working code to help others:

HO

ext IP: 12.XX.XX.XX
int IP: 10.0.1.1/8

access-list L2L-Branch extended permit ip 172.16.240.0 255.255.240.0 172.16.224.0 255.255.240.0
access-list L2L-Branch-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.224.0 255.255.240.0
static (inside,outside) 172.16.240.0 access-list L2L-Branch-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_Map 20 match address L2L-Branch
crypto map IPSec_Map 20 set peer 65.XX.XX.XX 
crypto map IPSec_Map 20 set transform-set ESP-AES-256-SHA
crypto map IPSec_Map interface outside

crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption aes-256
crypto isakmp policy 20 hash sha
crypto isakmp policy 20 group 5
crypto isakmp policy 20 lifetime 86400
crypto isakmp enable Outside

tunnel-group 65.XX.XX.XX type ipsec-l2l
tunnel-group 65.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey


Branch

ext IP: 65.XX.XX.XX
int IP: 10.0.0.1/24

access-list L2L-HO extended permit ip 172.16.224.0 255.255.240.0 172.16.240.0 255.255.240.0
access-list L2L-HO-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.240.0 255.255.240.0
static (inside,outside) 172.16.224.0 access-list L2L-HO-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_map 10 match address L2L-HO
crypto map IPSec_map 10 set peer 12.XX.XX.XX
crypto map IPSec_map 10 set transform-set ESP-AES-256-SHA
crypto map IPSec_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 12.XX.XX.XX type ipsec-l2l
tunnel-group 12.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey



Test

HO_User:\>ping 172.16.224.191

Pinging 172.16.224.191 with 32 bytes of data:
Request timed out.
Reply from 172.16.224.191: bytes=32 time=28ms TTL=128
Reply from 172.16.224.191: bytes=32 time=27ms TTL=128
Reply from 172.16.224.191: bytes=32 time=27ms TTL=128

Ping statistics for 172.16.224.191:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 28ms, Average = 27ms
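As an added example (not code from the thread or from netcmh), here is a small Python checker for the overlap pattern used above: each ASA hides its real inside range behind a mapped block via pre-8.3 policy NAT (`static (inside,outside) <mapped> access-list <nat-acl>`), and the crypto ACL on each side must describe mapped-to-mapped traffic mirrored exactly on the peer. The script parses the `access-list`, `static` and `crypto map ... match address` lines, then checks that every crypto entry is produced by a policy NAT statement, that the two crypto ACLs mirror each other, that network statements have no host bits set under their masks, and that the mapped blocks collide neither with each other nor with the real inside ranges (taken here as 10.0.0.0/8 and 10.0.0.0/24 from the question). The embedded snippets are the relevant lines quoted from the first attempt and from the working configuration; everything else (function names, the inside/outside interface names) is the example's own assumption.

```python
"""Consistency check for an ASA L2L tunnel over overlapping inside networks
(pre-8.3 policy NAT). Added example, not from the thread; the config text
below is quoted from the two attempts posted in it."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

FIRST_HO = """
access-list L2L-Branch extended permit ip 1.1.1.0 255.0.0.0 2.2.2.0 255.0.0.0
access-list L2L-Branch-NAT extended permit ip 10.0.0.0 255.0.0.0 2.2.2.0 255.0.0.0
static (inside,outside) 1.1.1.0 access-list L2L-Branch-NAT
crypto map IPSec_Map 20 match address L2L-Branch
"""
FIRST_BRANCH = """
access-list L2L-HO extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list L2L-HO-NAT extended permit ip 10.0.0.0 255.255.255.0 1.1.1.0 255.255.255.0
static (inside,outside) 2.2.2.0 access-list L2L-HO-NAT
crypto map IPSec_map 10 match address L2L-HO
"""
WORKING_HO = """
access-list L2L-Branch extended permit ip 172.16.240.0 255.255.240.0 172.16.224.0 255.255.240.0
access-list L2L-Branch-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.224.0 255.255.240.0
static (inside,outside) 172.16.240.0 access-list L2L-Branch-NAT
crypto map IPSec_Map 20 match address L2L-Branch
"""
WORKING_BRANCH = """
access-list L2L-HO extended permit ip 172.16.224.0 255.255.240.0 172.16.240.0 255.255.240.0
access-list L2L-HO-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.240.0 255.255.240.0
static (inside,outside) 172.16.224.0 access-list L2L-HO-NAT
crypto map IPSec_map 10 match address L2L-HO
"""


def to_net(addr, mask, label, findings):
    """ASA 'address mask' -> network. An address with host bits set under its
    mask (1.1.1.0 255.0.0.0) is accepted by the ASA but means 1.0.0.0/8, so
    it is reported and normalised to the network the ASA will actually use."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    except ValueError:
        findings.append(f"{label}: host bits set in {addr} {mask}")
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_side(name, text, findings):
    """Return (crypto ACL entries, mapped blocks produced by policy NAT)."""
    acls, statics, crypto = {}, {}, []
    for line in (l.strip() for l in text.splitlines()):
        if m := ACL_RE.match(line):
            acl, src, sm, dst, dm = m.groups()
            acls.setdefault(acl, []).append((to_net(src, sm, f"{name} {acl}", findings),
                                             to_net(dst, dm, f"{name} {acl}", findings)))
        elif m := STATIC_RE.match(line):
            statics[m.group(2)] = m.group(1)      # nat-acl -> mapped base address
        elif m := MATCH_RE.match(line):
            crypto.append(m.group(1))
    # net-to-net policy NAT: the mapped block is the same size as the real one
    nat = [(to_net(mapped, real.prefixlen, f"{name} static", findings), dst)
           for acl, mapped in statics.items() for real, dst in acls.get(acl, [])]
    entries = [e for acl in crypto for e in acls.get(acl, [])]
    for src, dst in entries:
        # the crypto ACL must carry the translated source, not the real 10.x one
        if (src, dst) not in nat:
            findings.append(f"{name}: crypto entry {src} -> {dst} has no policy NAT producing it")
    return entries, [m for m, _ in nat]


def check_pair(a, a_text, a_inside, b, b_text, b_inside):
    """Cross-check both ASAs; an empty list means the two configs agree."""
    findings = []
    a_crypto, a_mapped = parse_side(a, a_text, findings)
    b_crypto, b_mapped = parse_side(b, b_text, findings)
    for name, mine, theirs, peer in ((a, a_crypto, b_crypto, b), (b, b_crypto, a_crypto, a)):
        for src, dst in mine:  # the peer must hold the same pair with src/dst swapped
            if (dst, src) not in theirs:
                findings.append(f"{name}: crypto entry {src} -> {dst} not mirrored on {peer}")
    reals = [ipaddress.ip_network(a_inside), ipaddress.ip_network(b_inside)]
    for m in a_mapped + b_mapped:  # mapped blocks must be unused on both sides
        for other in reals + [n for n in a_mapped + b_mapped if n is not m]:
            if m.overlaps(other):
                findings.append(f"mapped block {m} overlaps {other}")
    return findings


if __name__ == "__main__":
    for label, ho, br in (("first attempt", FIRST_HO, FIRST_BRANCH),
                          ("working", WORKING_HO, WORKING_BRANCH)):
        result = check_pair("HO", ho, "10.0.0.0/8", "Branch", br, "10.0.0.0/24")
        print(f"{label}: {'OK' if not result else 'issues:'}")
        for item in result:
            print("  -", item)
```

Run against the first attempt it reports the /8 masks applied to 1.1.1.0 and 2.2.2.0 (host bits set, so the HO side really matches 1.0.0.0/8 and 2.0.0.0/8) and that neither crypto ACL mirrors the other, while the working pair passes cleanly. The checker only covers addressing; it does not see the `tunnel-group ... type ipsec-l2l` lines or the `!` that comments out the branch `authentication pre-share` in the first attempt, both of which also differ between the two postings.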
