ASA L2L with overlap

Hello,

I know this might be an easy one for many, but I keep losing my place in the flow of the configuration and I need help completing this by COB tomorrow EST.

I have the standard issue of trying to configure a L2L tunnel between these 2 ASAs. One is a 5520 running 8.2 and the other is a 5510 running 7.2. The 5520 (1) has the inside segment of 10.0.0.0/8 and the 5510 (2) has 10.0.0.0/24. (2) can be played around with as nothing is live on that end. (1) is a live environment with one more L2L to another client and active data flowing.

I have read and re-read the following, but am more mixed up than when I began:
http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/
http://roggyblog.blogspot.com/2009/10/pixasa-site-to-site-l2l-vpn-with_27.html
http://popravak.wordpress.com/2011/11/13/cisco-asa-overlapping-networks/
http://www.mikespicer.net/wp/cisco/cisco-vpn-multiple-or-overlapping-l2l-tunnels-using-nat/
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
http://netscenarios.wordpress.com/2011/04/29/configuring-ipsec-vpns-with-overlapping-addresses-in-cisco-asa/

Can someone please help me with the configurations on either end? One of my concerns is that I do not want to cause a traffic mess for the flat network at the (1) site. Also, I only have a handful of computers on either side that need to talk to each other; the whole segment doesn't necessarily need to be in that config.

Thank you.
netcmhAsked:

netcmhAuthor Commented:
I've worked on the config and need another set of eyes to verify. Please help.

HO

ext IP: 12.XX.XX.XX
int IP: 10.0.1.1/8

access-list L2L-Branch extended permit ip 1.1.1.0 255.0.0.0 2.2.2.0 255.0.0.0
access-list L2L-Branch-NAT extended permit ip 10.0.0.0 255.0.0.0 2.2.2.0 255.0.0.0
static (inside,outside) 1.1.1.0 access-list L2L-Branch-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_Map 20 match address L2L-Branch
crypto map IPSec_Map 20 set peer 65.XX.XX.XX 
crypto map IPSec_Map 20 set transform-set ESP-AES-256-SHA
crypto map IPSec_Map interface outside

crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption aes-256
crypto isakmp policy 20 hash sha
crypto isakmp policy 20 group 5
crypto isakmp policy 20 lifetime 86400
crypto isakmp enable Outside

tunnel-group 65.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey


Branch

ext IP: 65.XX.XX.XX
int IP: 10.0.0.1/24

access-list L2L-HO extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list L2L-HO-NAT extended permit ip 10.0.0.0 255.255.255.0 1.1.1.0 255.255.255.0
static (inside,outside) 2.2.2.0 access-list L2L-HO-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_map 10 match address L2L-HO
crypto map IPSec_map 10 set peer 12.XX.XX.XX
crypto map IPSec_map 10 set transform-set ESP-AES-256-SHA
crypto map IPSec_map interface outside

crypto isakmp policy 10 !authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 12.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey

Test

Ping from HO Computer to Branch Computer
HO_USER> ping 2.2.2.X

Ping from Branch Computer to HO Computer
BO_USER> ping 1.1.1.X

netcmhAuthor Commented:
Anyone?
netcmhAuthor Commented:
I figured it out. Here's the working code to help others:

HO

ext IP: 12.XX.XX.XX
int IP: 10.0.1.1/8

access-list L2L-Branch extended permit ip 172.16.240.0 255.255.240.0 172.16.224.0 255.255.240.0
access-list L2L-Branch-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.224.0 255.255.240.0
static (inside,outside) 172.16.240.0 access-list L2L-Branch-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_Map 20 match address L2L-Branch
crypto map IPSec_Map 20 set peer 65.XX.XX.XX 
crypto map IPSec_Map 20 set transform-set ESP-AES-256-SHA
crypto map IPSec_Map interface outside

crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption aes-256
crypto isakmp policy 20 hash sha
crypto isakmp policy 20 group 5
crypto isakmp policy 20 lifetime 86400
crypto isakmp enable Outside

tunnel-group 65.XX.XX.XX type ipsec-l2l
tunnel-group 65.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey


Branch

ext IP: 65.XX.XX.XX
int IP: 10.0.0.1/24

access-list L2L-HO extended permit ip 172.16.224.0 255.255.240.0 172.16.240.0 255.255.240.0
access-list L2L-HO-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.240.0 255.255.240.0
static (inside,outside) 172.16.224.0 access-list L2L-HO-NAT

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map IPSec_map 10 match address L2L-HO
crypto map IPSec_map 10 set peer 12.XX.XX.XX
crypto map IPSec_map 10 set transform-set ESP-AES-256-SHA
crypto map IPSec_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 12.XX.XX.XX type ipsec-l2l
tunnel-group 12.XX.XX.XX IPSec-attributes 
 pre-shared-key testkey



Test

HO_User:\>ping 172.16.224.191

Pinging 172.16.224.191 with 32 bytes of data:
Request timed out.
Reply from 172.16.224.191: bytes=32 time=28ms TTL=128
Reply from 172.16.224.191: bytes=32 time=27ms TTL=128
Reply from 172.16.224.191: bytes=32 time=27ms TTL=128

Ping statistics for 172.16.224.191:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 28ms, Average = 27ms
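A small checker for the policy-NAT and crypto-ACL relationship in the working config above, added here as an example and not part of the thread or of Cisco's tooling: it parses the HO and Branch lines, confirms each side's crypto ACL matches its translated (static) network and mirrors the peer's, and maps a real host to the NAT'd address the other side must use (the 172.16.224.191 pinged above corresponds to 10.0.0.191 at the Branch). The function names and the trimmed config excerpts are assumptions constructed from the post.

```python
import ipaddress
import re

# Constructed copies of the thread's working policy-NAT lines (ACLs must precede the
# static/crypto map lines that reference them); hypothetical checker, not Cisco tooling.
HO_CFG = """
access-list L2L-Branch extended permit ip 172.16.240.0 255.255.240.0 172.16.224.0 255.255.240.0
access-list L2L-Branch-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.224.0 255.255.240.0
static (inside,outside) 172.16.240.0 access-list L2L-Branch-NAT
crypto map IPSec_Map 20 match address L2L-Branch
"""
BRANCH_CFG = """
access-list L2L-HO extended permit ip 172.16.224.0 255.255.240.0 172.16.240.0 255.255.240.0
access-list L2L-HO-NAT extended permit ip 10.0.0.0 255.255.240.0 172.16.240.0 255.255.240.0
static (inside,outside) 172.16.224.0 access-list L2L-HO-NAT
crypto map IPSec_map 10 match address L2L-HO
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) access-list (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(cfg):
    """Extract one side's crypto ACL, policy-NAT ACL and static translation as networks."""
    acls, side = {}, {}
    for line in cfg.strip().splitlines():
        if m := ACL_RE.match(line):
            acls[m[1]] = tuple(ipaddress.ip_network(f"{m[i]}/{m[i + 1]}", strict=False) for i in (2, 4))
        elif m := STATIC_RE.match(line):          # NAT ACL: real source -> remote (NAT'd) destination
            side["real"], side["remote"] = acls[m[2]]
            side["global"] = ipaddress.ip_network(f"{m[1]}/{side['real'].prefixlen}", strict=False)
        elif m := MAP_RE.match(line):
            side["crypto_src"], side["crypto_dst"] = acls[m[1]]
    return side

def translate(addr, src_net, dst_net):
    """Map a host through a net-to-net static; works real->global and global->real."""
    host = ipaddress.ip_address(addr)
    if host not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"{addr} is not covered by {src_net} -> {dst_net}")
    return str(dst_net.network_address + (int(host) - int(src_net.network_address)))

def check_pair(a, b):
    """List the mismatches that would leave Phase 2 proxy IDs or NAT out of step between peers."""
    issues = []
    for name, s in (("A", a), ("B", b)):
        if s["crypto_src"] != s["global"]:
            issues.append(f"{name}: crypto ACL source {s['crypto_src']} != translated net {s['global']}")
        if s["crypto_dst"] != s["remote"]:
            issues.append(f"{name}: crypto ACL dest {s['crypto_dst']} != NAT ACL dest {s['remote']}")
    if (a["crypto_src"], a["crypto_dst"]) != (b["crypto_dst"], b["crypto_src"]):
        issues.append("crypto ACLs are not mirror images of each other")
    return issues
```

Note that the HO NAT ACL only translates 10.0.0.0/20 of the /8, so `translate` raises for HO hosts outside that range, which is exactly the traffic the tunnel is meant to leave alone.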
