No internet access with subnet overlap IPSec VPN tunnel

vchauhan12345
Level 1

Hi,

Because the same subnet is in use on the local networks of both sites, we have configured overlapping NAT on an IPSec VPN tunnel using ASA 7.0, and it is working fine.

But now, on the site where the overlap NAT has been configured, users cannot access the internet. If we take the VPN tunnel down, the global PAT works fine.

Please guide me ASAP!

Thanks

Vikas

8 Replies

Jon Marshall
Hall of Fame

Hi Vikas

From the description you give it sounds like you need to do policy NAT, i.e. NAT the source IP addresses differently depending on whether they are going down the VPN tunnel or out to the internet.

Could you give some addressing and config to clarify what you are trying to achieve.

Jon

Thanks Jon for the reply

Here is the config. We want users from the local site to access the internet and, at the same time, the VPN tunnel to keep working.

name 172.16.1.0 LOCAL_LAN
name 10.97.0.0 DNA-LAN
name 194.193.109.212 DNA-FW
object-group network PARKROYAL-NAT
 description NATed subnet from 172.16.1.0 to 192.168.100.0 on IPSec Tunnel
 network-object 192.168.100.0 255.255.255.0
object-group network DNA-LAN
 description Inside LAN of the DNA subnet
 network-object 10.97.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 1 LOCAL_LAN 255.255.255.0
access-list nonat extended permit ip LOCAL_LAN 255.255.255.0 object-group DNA-LAN
access-list CRYPTO-DNA-VPN extended permit ip object-group PARKROYAL-NAT object-group DNA-LAN
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.55 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.56 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.57 eq 3389
access-list acl-outside extended permit tcp any host 193.167.190.54 eq www
access-list acl-outside extended permit tcp any host 193.167.190.55 eq www
access-list acl-outside extended permit tcp any host 193.167.190.56 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq https
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 1935
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 3389
static (inside,outside) 193.167.190.55 172.16.1.4 netmask 255.255.255.255
static (inside,outside) 193.167.190.56 172.16.1.5 netmask 255.255.255.255
static (inside,outside) 193.167.190.57 172.16.1.6 netmask 255.255.255.255
static (inside,outside) 193.167.190.54 172.16.1.3 netmask 255.255.255.255
access-group acl-outside in interface outside
crypto ipsec transform-set DESMD5 esp-des esp-md5-hmac
crypto map DNAVPN 50 match address CRYPTO-DNA-VPN
crypto map DNAVPN 50 set peer DNA-FW
crypto map DNAVPN 50 set transform-set DESMD5

Hi

nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0

This should NAT your 172.16.1.x clients to 192.168.100.x when going down the VPN tunnel, but when going out to the internet the PAT on the outside interface should be used.

HTH

Jon

Hi Jon,

Thanks for reply.

Sorry, I missed one line of the NAT rule.

static (inside,outside) 10.97.0.0 192.168.100.0 netmask 255.255.255.0

which NATs the inside subnet to 192.168.100.0 for the VPN tunnel.

We have already configured the PAT for internet access.

nat (inside) 1 LOCAL_LAN 255.255.255.0
global (outside) 1 interface

Hi

I'm a bit confused. What is the internal network: 172.16.x.x or 10.97.0.0?

Either way you can still use what I sent previously, i.e.

access-list nonat extended permit ip LOCAL_LAN 255.255.255.0 object-group DNA-LAN
access-list nonat extended permit ip 10.97.0.0 255.255.0.0 object-group DNA-LAN
nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0

You would need to remove the static statement.

Note that the number for the NAT and global statement is 2 because you have already used 1 for the PAT.

Jon
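To make the effect of Jon's policy NAT concrete, here is a small Python model, added to this thread as an illustration and not code or configuration posted by anyone in it. It walks the inside-to-outside translation in the ASA 7.0 NAT order of operations (NAT exemption, then static NAT, then policy dynamic NAT, then regular dynamic NAT) using the object names and addresses from the posted config, and then checks whether the post-NAT source matches the crypto ACL CRYPTO-DNA-VPN, since the crypto map sees the packet after translation. The outside interface address 193.167.190.50 and the sample flows are assumptions made for the model.

```python
"""ASA 7.0 NAT order of operations applied to the thread's addressing.

Added example, not configuration or code from the thread. Object names and
addresses follow the posted config; the outside interface address
(193.167.190.50) and the sample flows are assumptions for this model.
"""
from __future__ import annotations

import ipaddress

IPv4 = ipaddress.IPv4Address

LOCAL_LAN = ipaddress.ip_network("172.16.1.0/24")    # inside LAN (the posted statics use 172.16.1.x)
DNA_LAN = ipaddress.ip_network("10.97.0.0/16")        # object-group DNA-LAN, behind peer DNA-FW
NAT_POOL = ipaddress.ip_network("192.168.100.0/24")   # global (outside) 2 pool == object-group PARKROYAL-NAT
OUTSIDE_IF = ipaddress.ip_address("193.167.190.50")   # assumed: address used by "global (outside) 1 interface"

# static (inside,outside) <mapped> <real>, stored here as real -> mapped
STATICS = {
    ipaddress.ip_address("172.16.1.3"): ipaddress.ip_address("193.167.190.54"),
    ipaddress.ip_address("172.16.1.4"): ipaddress.ip_address("193.167.190.55"),
    ipaddress.ip_address("172.16.1.5"): ipaddress.ip_address("193.167.190.56"),
    ipaddress.ip_address("172.16.1.6"): ipaddress.ip_address("193.167.190.57"),
}


def policy_acl_permits(src: IPv4, dst: IPv4) -> bool:
    """access-list nonat extended permit ip LOCAL_LAN 255.255.255.0 object-group DNA-LAN"""
    return src in LOCAL_LAN and dst in DNA_LAN


def matches_crypto_acl(mapped_src: IPv4, dst: IPv4) -> bool:
    """access-list CRYPTO-DNA-VPN permit ip PARKROYAL-NAT DNA-LAN.
    The crypto map is consulted after NAT, so it is evaluated on the mapped source."""
    return mapped_src in NAT_POOL and dst in DNA_LAN


class Asa70Nat:
    """Inside-to-outside translation in the documented 7.0 order: static NAT,
    then policy dynamic NAT (nat <id> access-list), then regular dynamic NAT/PAT.
    NAT exemption (nat 0 access-list) comes first on a real ASA but is not
    configured in the thread, so it is left out here."""

    def __init__(self) -> None:
        self._xlates = {}                         # dynamic pool allocations, one per real host
        self._free = list(NAT_POOL.hosts())       # 192.168.100.1 .. 192.168.100.254

    def translate(self, src: str, dst: str) -> tuple[IPv4, str]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in STATICS:                          # 1. static NAT wins regardless of destination
            return STATICS[s], "static"
        if policy_acl_permits(s, d):              # 2. nat (inside) 2 access-list nonat -> global (outside) 2
            if s not in self._xlates:
                if not self._free:
                    raise RuntimeError("global (outside) 2 pool exhausted")
                self._xlates[s] = self._free.pop(0)
            return self._xlates[s], "policy-nat-2"
        if s in LOCAL_LAN:                        # 3. nat (inside) 1 LOCAL_LAN -> global (outside) 1 interface
            return OUTSIDE_IF, "pat-1"
        raise ValueError(f"{s} matches no nat statement and would not be translated")


def classify(nat: Asa70Nat, src: str, dst: str) -> dict:
    """Translate one flow and report whether its post-NAT source would be sent down the tunnel."""
    mapped, rule = nat.translate(src, dst)
    return {
        "mapped_src": str(mapped),
        "rule": rule,
        "tunnel": matches_crypto_acl(mapped, ipaddress.ip_address(dst)),
    }


if __name__ == "__main__":
    nat = Asa70Nat()
    # Constructed sample flows: a workstation to the remote LAN, the same workstation
    # to the internet, and a server that has a one-to-one static, also to the remote LAN.
    for src, dst in [("172.16.1.10", "10.97.5.5"),
                     ("172.16.1.10", "198.51.100.7"),
                     ("172.16.1.4", "10.97.5.5")]:
        print(src, "->", dst, classify(nat, src, dst))
```

The workstation flows come out as Jon describes: a 192.168.100.x address from pool 2 towards 10.97.0.0/16, which matches CRYPTO-DNA-VPN and is encrypted, and the interface PAT address towards anything else, which does not match the crypto ACL and goes out in the clear. The edge case the model surfaces is the servers that keep their one-to-one statics (172.16.1.3 to .6): in 7.0 a static is applied before policy dynamic NAT, so their traffic to 10.97.0.0/16 leaves with the 193.167.190.x public address, does not match CRYPTO-DNA-VPN, and is not sent down the tunnel. On the real box, `show xlate` and `show crypto ipsec sa` are the places to confirm which translation a host received and whether its packets were encrypted.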

Hi Jon,

I solved the problem with your solution.

Extremely thankful.

ajagadee
Cisco Employee

Vikas,

The URL below discusses Policy NAT, which should resolve your issue.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1042553

Regards,

Arul

Hi Arul,

Good document! It cleared up all my problems.

Thanks

Vikas
