Overlapping VPN

Unanswered Question
Oct 9th, 2009

Hi,


Having a doubt about site-to-site VPN.


I have 3 customers, cust1 --- cust2 --- cust3.


The private IP addresses are:

Cust1 ---- 10.2.2.0 (PIX)

Cust2 ---- 10.10.10.0 (Checkpoint Nokia)

Cust3 ---- 10.2.2.0 (ASA)


Connectivity is:

Cust1 ---------- Cust2 ---------- Cust3
  |                |                |
10.2.2.0       10.10.10.0       10.2.2.0



I want to achieve a site-to-site VPN tunnel between Cust1 -- Cust2 and also Cust2 -- Cust3. But here cust1 and cust3 have the same private IP address range. So, when establishing the VPN tunnels on Cust2 (cust2 to cust1 and cust2 to cust3), there will be a conflict between the 10.2.2.0 ranges.



Here is the config that I have done on the PIX (Cust1):



! Policy static NAT: 10.2.2.0/24 is translated to 10.2.3.0/24 only for traffic to 10.10.10.0/24
static (inside,outside) 10.2.3.0 access-list TICTAC

access-list TICTAC permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0


crypto ACL:

! The crypto ACL matches the translated (mapped) range, not the real 10.2.2.0/24
access-list crypto permit ip 10.2.3.0 255.255.255.0 10.10.10.0 255.255.255.0


! NAT exemption for the same traffic ("host" takes a single address, so the subnet form is used)
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list nonat



show run | i global|nat|access-list


global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


I am able to ping the cust2 private IP range through the VPN, but I am unable to browse the internet from cust1.


Note: Each cust has an individual internet connection.


Can anyone help me out? Is there anything I am missing?


Regards,

Manoj

auraza Fri, 10/09/2009 - 05:51
User Badges:
  • Cisco Employee,

I would remove the nonat you have configured on the inside for the traffic that is going through. You want to nat the traffic as specified by your static.


PS. If you found this post helpful, please rate it.

manoj4783 Fri, 10/09/2009 - 19:52

Had removed the nonat statement, nothing is happening :-(

auraza Sat, 10/10/2009 - 05:24
User Badges:
  • Cisco Employee,

Manoj you need to go step by step then. Figure out what is going on with the packet.


1) What is the packet source, and where is it destined?

2) When it hits the ASA's inside interface, does it hit any ACLs?

3) If no ACLs where does routing say it should go? Outside interface or another interface?

4) Is the packet supposed to be NAT'd? If yes, then are the NAT statements correct?

5) If it's supposed to be encrypted after the NAT, are the crypto ACLs correct, and is the crypto map applied to the interface that the packet is supposed to be going out of?

6) What do the logs show?



Florin Barhala Thu, 11/05/2009 - 09:29
User Badges:
  • Bronze, 100 points or more

Hello,


Any luck with your scenario? I've the same problem and no solution yet.


What I want to know is: when a packet reaches the router, which is going to happen first? The NAT operation, or will it get tunneled?


Regards,

Florin.

acomiskey Thu, 11/05/2009 - 09:37
User Badges:
  • Green, 3000 points or more

Nat will happen first. Why don't you post up more info about your problem...
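To make the order of operations concrete, here is an added example (not code from the thread) that models the outbound path on a PIX/ASA using the pre-8.3 NAT syntax seen in the first post: NAT exemption (nat 0) is decided first, then policy static NAT, then dynamic PAT, and only then is the crypto ACL matched against the translated source. It runs the Cust1 PIX config both as posted and with the nonat entry removed, and applies the same pattern to Florin's 192.168.10.0/24 overlap. The outside interface address 203.0.113.1 and the mapped range 192.168.110.0/24 for Florin's ASA are assumed; neither appears in the posts.

```python
"""
Toy model of the outbound packet path on a PIX/ASA using pre-8.3 NAT syntax:
NAT is decided first (nat 0 exemption, then policy static, then dynamic PAT),
and only afterwards is the crypto ACL consulted against the translated source.
Constructed example, not configuration from the thread; addresses are taken
from the posts above except where marked as assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME permit ip SRC MASK DST MASK' entry."""
    src: Net
    dst: Net

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.src and dst in self.dst


def ace(src: str, dst: str) -> Ace:
    return Ace(Net(src), Net(dst))


@dataclass
class FirewallConfig:
    nat_exempt: List[Ace]                     # nat (inside) 0 access-list nonat
    policy_static: Optional[Tuple[Ace, Net]]  # static (inside,outside) MAPPED access-list ACL
    pat_address: IPv4                         # global (outside) 1 interface
    crypto_acl: List[Ace]                     # crypto map ... match address ACL


def outbound(cfg: FirewallConfig, src: str, dst: str) -> dict:
    """Walk one inside-to-outside packet through NAT and then the crypto ACL."""
    s, d = IPv4(src), IPv4(dst)

    # Step 1: NAT exemption (nat 0 access-list) has the highest precedence.
    if any(a.matches(s, d) for a in cfg.nat_exempt):
        xlate, rule = s, "nat 0 exemption"
    # Step 2: policy static NAT maps the real subnet onto the mapped subnet 1:1.
    elif cfg.policy_static and cfg.policy_static[0].matches(s, d):
        real_ace, mapped = cfg.policy_static
        host_offset = int(s) - int(real_ace.src.network_address)
        xlate, rule = IPv4(int(mapped.network_address) + host_offset), "policy static"
    # Step 3: anything else falls through to dynamic PAT on the outside interface.
    else:
        xlate, rule = cfg.pat_address, "nat 1 / global interface PAT"

    # Step 4: the crypto ACL is matched after translation, so it sees xlate, not s.
    encrypted = any(a.matches(xlate, d) for a in cfg.crypto_acl)
    return {"src": str(xlate), "rule": rule, "encrypted": encrypted}


# The outside interface address is an assumed placeholder; the posts do not give it.
OUTSIDE_IP = IPv4("203.0.113.1")

# Cust1 PIX as posted: policy static TICTAC, crypto ACL on the mapped range, plus nonat.
TICTAC = ace("10.2.2.0/24", "10.10.10.0/24")
CUST1_CRYPTO = [ace("10.2.3.0/24", "10.10.10.0/24")]
CUST1_AS_POSTED = FirewallConfig(
    nat_exempt=[ace("10.2.2.0/24", "10.10.10.0/24")],
    policy_static=(TICTAC, Net("10.2.3.0/24")),
    pat_address=OUTSIDE_IP,
    crypto_acl=CUST1_CRYPTO,
)
# The same PIX with the nonat entry removed, as the first reply suggests.
CUST1_NONAT_REMOVED = FirewallConfig(
    nat_exempt=[], policy_static=(TICTAC, Net("10.2.3.0/24")),
    pat_address=OUTSIDE_IP, crypto_acl=CUST1_CRYPTO,
)

# Florin's ASA: real 192.168.10.0/24 overlaps the far side, so it is translated
# for the tunnel. The mapped range 192.168.110.0/24 is assumed, not from the post.
FLORIN_REAL = ace("192.168.10.0/24", "192.168.16.0/24")
FLORIN_MAPPED = Net("192.168.110.0/24")
FLORIN_OK = FirewallConfig(
    nat_exempt=[], policy_static=(FLORIN_REAL, FLORIN_MAPPED), pat_address=OUTSIDE_IP,
    crypto_acl=[ace("192.168.110.0/24", "192.168.16.0/24")],   # mapped range
)
FLORIN_CRYPTO_ON_REAL = FirewallConfig(
    nat_exempt=[], policy_static=(FLORIN_REAL, FLORIN_MAPPED), pat_address=OUTSIDE_IP,
    crypto_acl=[ace("192.168.10.0/24", "192.168.16.0/24")],    # real range: never matches
)

if __name__ == "__main__":
    for name, cfg in (("cust1 as posted", CUST1_AS_POSTED),
                      ("cust1 nonat removed", CUST1_NONAT_REMOVED)):
        print(name, "to cust2:", outbound(cfg, "10.2.2.5", "10.10.10.5"))
        print(name, "to internet:", outbound(cfg, "10.2.2.5", "198.51.100.10"))
    print("florin ok:", outbound(FLORIN_OK, "192.168.10.7", "192.168.16.3"))
    print("florin crypto on real:", outbound(FLORIN_CRYPTO_ON_REAL, "192.168.10.7", "192.168.16.3"))
```

In the model, the nonat entry wins over the policy static, so the packet to 10.10.10.0/24 leaves untranslated and never matches the 10.2.3.0/24 crypto ACL; with nonat removed it is translated to 10.2.3.x and matches. Internet-bound traffic never matches the policy static and falls through to interface PAT in both cases. Florin's second config shows the failure mode where the crypto ACL is written for the real addresses instead of the mapped ones: nothing outbound ever matches, which is what a one-sided SA (decrypts but no encrypts) looks like in the model.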

Florin Barhala Thu, 11/05/2009 - 23:27
User Badges:
  • Bronze, 100 points or more

Hi,


I have an ASA firewall tunneling the 192.168.10.0/24 behind it to a Checkpoint NGX. The trouble is that 192.168.10.0 already exists behind the Checkpoint as a connected network.

Nevertheless my VPN has to connect 192.168.10.0/24 with 192.168.16.0/24.


So I concluded NAT is needed only on the ASA side, right?


The VPN came up immediately, still I don't have connectivity between the sites.


I attached the specific config on the ASA; please note that show crypto ipsec sa shows only decrypted packets but no encrypted ones!


What have I missed?


Regards,

Florin.
