No internet access with subnet overlap IPSec VPN tunnel

Unanswered Question
Oct 4th, 2007

Hi,

Because the same subnet is in use on the local networks of both sites, we have configured overlapping NAT on the IPSec VPN tunnel using ASA 7.0, and it is working fine.

But now, on the site where the overlap NAT has been configured, users cannot access the internet. If we bring the VPN tunnel down, then the global PAT works fine.

Please guide me ASAP!!

Thanks

Vikas

Jon Marshall Thu, 10/04/2007 - 03:53

Hi Vikas

From the description you give it sounds like you need to do policy NAT, i.e. NAT the source IP addresses differently depending on whether they are going down the VPN tunnel or out to the internet.

Could you give some addressing and config to clarify what you are trying to achieve?

Jon

vchauhan12345 Thu, 10/04/2007 - 06:27

Thanks Jon for the reply

Here is the config. We want users from the local site to access the internet and, at the same time, have the VPN tunnel also work.

name 172.26.1.0 LOCAL_LAN
name 10.97.0.0 DNA-LAN
name 194.193.109.212 DNA-FW
object-group network PARKROYAL-NAT
 description NATed subnet from 172.16.1.0 to 192.168.100.0 on IPSec Tunnel
 network-object 192.168.100.0 255.255.255.0
object-group network DNA-LAN
 description Inside LAN of the DNA subnet
 network-object 10.97.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 1 LOCAL_LAN 255.255.255.0
access-list nonat extended permit ip LOCAL_LAN 255.255.255.0 object-group DNA-LAN
access-list CRYPTO-DNA-VPN extended permit ip object-group PARKROYAL-NAT object-group DNA-LAN
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.55 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.56 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.57 eq 3389
access-list acl-outside extended permit tcp any host 193.167.190.54 eq www
access-list acl-outside extended permit tcp any host 193.167.190.55 eq www
access-list acl-outside extended permit tcp any host 193.167.190.56 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq https
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 1935
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 3389
static (inside,outside) 193.167.190.55 172.16.1.4 netmask 255.255.255.255
static (inside,outside) 193.167.190.56 172.16.1.5 netmask 255.255.255.255
static (inside,outside) 193.167.190.57 172.16.1.6 netmask 255.255.255.255
static (inside,outside) 193.167.190.54 172.16.1.3 netmask 255.255.255.255
access-group acl-outside in interface outside
crypto ipsec transform-set DESMD5 esp-des esp-md5-hmac
crypto map DNAVPN 50 match address CRYPTO-DNA-VPN
crypto map DNAVPN 50 set peer DNA-FW
crypto map DNAVPN 50 set transform-set DESMD5

Jon Marshall Thu, 10/04/2007 - 09:19

Hi

nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0

This should NAT your 172.16.1.x clients to 192.168.100.x when going down the VPN tunnel, but if going out to the internet the PAT on the outside interface should be used.

HTH

Jon

vchauhan12345 Thu, 10/04/2007 - 09:49

Hi Jon,

Thanks for reply.

Sorry, I missed one line of the NAT rule:

static (inside,outside) 10.97.0.0 192.168.100.0 netmask 255.255.255.0

which NATs the inside subnet to 192.168.100.0 for the VPN tunnel.

We already configured the PAT for internet access:

nat (inside) 1 LOCAL_LAN 255.255.255.0
global (outside) 1 interface

Jon Marshall Thu, 10/04/2007 - 09:54

Hi

I'm a bit confused. What is the internal network:

172.16.x.x

or

10.97.0.0?

Either way you can still use what I sent previously, i.e.

access-list nonat extended permit ip LOCAL_LAN 255.255.255.0 object-group DNA-LAN
access-list nonat extended permit ip 10.97.0.0 255.255.0.0 object-group DNA-LAN
nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0

You would need to remove the static statement.

Note that the number for the NAT and global statement is 2 because you have already used 1 for the PAT.

Jon
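To illustrate why Jon's policy NAT works alongside the existing interface PAT, here is a toy model of the pre-8.3 ASA NAT selection order (exemption, then static, then policy NAT, then regular dynamic NAT/PAT). It is an added example, not code from this thread or from Cisco; the rule set and the sample addresses are constructed from the thread's 172.16.1.0/24, 10.97.0.0/16 and 192.168.100.0/24 networks.

```python
"""Toy model of ASA 7.x NAT rule selection (constructed illustration).
Order modelled: nat 0 access-list exemption -> static -> policy NAT
(nat N access-list) -> regular dynamic NAT/PAT (nat N network)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    kind: str                   # "exempt", "static", "policy" or "dynamic"
    src: str                    # real source network the rule matches
    dst: str = "0.0.0.0/0"      # destination network (policy/exempt rules)
    mapped: Optional[str] = None  # mapped network, or "interface" for PAT

ORDER = ["exempt", "static", "policy", "dynamic"]

def translate(rules, src_ip, dst_ip):
    """Return (rule kind, mapped source) chosen for one packet."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for kind in ORDER:                      # higher-precedence kinds first
        for r in rules:
            if r.kind != kind:
                continue
            real = ipaddress.ip_network(r.src)
            if src not in real or dst not in ipaddress.ip_network(r.dst):
                continue
            if kind == "exempt":            # nat 0: leave the source as is
                return kind, str(src)
            if r.mapped == "interface":     # global (outside) N interface
                return kind, "interface-PAT"
            # 1:1 network mapping: keep the host offset inside the pool
            pool = ipaddress.ip_network(r.mapped)
            offset = int(src) - int(real.network_address)
            return kind, str(pool.network_address + offset)
    return "none", str(src)

# Jon's suggestion (nat 2 + global 2) next to the existing nat 1 / global 1 PAT.
RULES = [
    Rule("policy", "172.16.1.0/24", "10.97.0.0/16", "192.168.100.0/24"),
    Rule("dynamic", "172.16.1.0/24", mapped="interface"),
]

if __name__ == "__main__":
    print(translate(RULES, "172.16.1.4", "10.97.5.5"))    # tunnel-bound
    print(translate(RULES, "172.16.1.4", "203.0.113.9"))  # internet-bound
```

Swapping the order or matching the tunnel traffic with a plain `nat (inside) 1` rule instead of an access-list shows the failure mode the thread describes: the internet-bound packet never reaches the interface PAT.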
