Site-to-site VPN - Duplicate subnet?

Unanswered Question
Dec 4th, 2009

OK, here is my setup:

     ASA 5505 - 192.168.3.1

     PIX 501  - 192.168.1.1

     PIX 501  - 192.168.1.2

The ASA and the first pix device (192.168.1.1) are connected via site-to-site VPN on the ASA side and the connection works great. I can access hosts in either direction from either network.

I'm attempting to add the second pix device to the ASA's site-to-site configuration, but it's not working. I suspect it's because the devices are on the same subnet, but I'm hoping to find a workaround.

When I have both PIX devices setup for site-to-site on the ASA, the VPN works only for the connection that has the highest priority. The device with the lower priority can only ping the 192.168.3.1 network, but full network connections fail.

Is it possible to do this without changing the subnet on the second PIX?

busterswt Fri, 12/04/2009 - 16:38

You should be able to implement Policy NAT on the 2nd Pix 501 to accomplish what it is you're trying to do.

Policy NAT Access List:

access-list policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Static NAT:

static (inside,outside) 172.16.1.0 access-list policy-nat-acl

*Make sure the above static statement is above any other 1-to-1 static statements; you may have to remove and add them back to make this happen.*

Modify your encryption domain on the Pix:

access-list 200 extended permit ip 172.16.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Modify the encryption domain on the ASA:

access-list 200 extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0

There will be a one-to-one mapping for clients behind this Pix 501. If Server A behind the Pix @ 192.168.1.2 generates traffic to 192.168.3.2 behind the ASA, it will appear to that client as 172.16.1.2. Clients behind the ASA will need to use the 172.16.1.x addresses to contact clients behind that Pix 501. If you're hairpinning the VPNs on the ASA you'll use 172.16.1.0/24 in all of the no-nat ACL's and encryption domains to represent that new Pix.

Hope this helps!

James

Ashley Sahonta Mon, 01/21/2013 - 12:42

Hi,

I have tried doing this on the ASA v8.4, however it doesn't seem to work. Are you able to help me translate this scenario to the new way of NAT'ing?

Ash

busterswt Mon, 01/21/2013 - 13:27

Hi Ashley,

Using the networks from the previous example, this 8.3+ configuration should work for you:

object-group network LOCAL_NETWORK
 network-object 192.168.1.0 255.255.255.0
object-group network REMOTE_NETWORK
 network-object 192.168.3.0 255.255.255.0
object-group network NAT_NETWORK
 network-object 172.16.1.0 255.255.255.0

static (inside,outside) source static LOCAL_NETWORK NAT_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

In the example above, there are actually two NAT's occurring - a source NAT and a destination NAT. We are simply performing an identity NAT on the destination (REMOTE_NETWORK), since that doesn't need to change.

8.3+ offers more flexibility with NAT, to the point where you could even perform source/destination NAT in the same statement within a hub-and-spoke VPN configuration.

Hope that helps. Let me know if you have any other questions.

James

Andrew Phirsov Tue, 01/22/2013 - 02:14

You mean the same segment on a public site? On interfaces facing ASA?

If you have separate tunnel groups for each PIX on the ASA properly configured, I don't think it matters whether they (the PIXes) are on one subnet or different ones.

busterswt Tue, 01/22/2013 - 05:23

Hi Ashley,

In the example I posted, your encryption domain would need to look like this on the local 8.4 firewall performing Policy NAT:

access-list LOCAL_ENC_DOM extended permit ip object-group NAT_NETWORK object-group REMOTE_NETWORK

or written out:

access-list LOCAL_ENC_DOMAIN extended permit ip 172.16.1.0 255.255.255.0 192.168.3.0 255.255.255.0

The *remote* side would use the NAT'd network in its encryption domain as well:

access-list REMOTE_ENC_DOMAIN extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0

If you post your configs I'd be happy to take a look.

James

Ashley Sahonta Wed, 01/23/2013 - 12:10

Configs attached. From what I can see in your example above, I have done the ACLs wrong.

busterswt Wed, 01/23/2013 - 12:12

Hi Ashley - I'm unable to see the attached configs. You're welcome to copy/paste as well.

James

Ashley Sahonta Wed, 01/23/2013 - 12:16

Site1:

ASA Version 8.4(2)
!
hostname site1-fw1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network INTERNAL
 subnet 192.168.1.0 255.255.255.0
object network VPN-NAT
 subnet 192.168.101.0 255.255.255.0
object network REMOTE-SITE
 subnet 192.168.102.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list STATIC-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE
!
object network INTERNAL
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP_AES esp-aes esp-sha-hmac
crypto map VPNMAP 1 match address CRYPTO_ACL
crypto map VPNMAP 1 set pfs group5
crypto map VPNMAP 1 set peer x.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set ESP_AES
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****

Ashley Sahonta Wed, 01/23/2013 - 12:16

Site2:

ASA Version 8.4(2)
!
hostname site2-fw1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network INTERNAL
 subnet 192.168.1.0 255.255.255.0
object network VPN-NAT
 subnet 192.168.102.0 255.255.255.0
object network REMOTE-SITE
 subnet 192.168.101.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE
access-list OUTSIDE_IN extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE
!
object network INTERNAL
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec ikev1 transform-set ESP_AES esp-aes esp-sha-hmac
crypto map VPNMAP 1 match address CRYPTO_ACL
crypto map VPNMAP 1 set pfs group5
crypto map VPNMAP 1 set peer 81.137.191.105
crypto map VPNMAP 1 set ikev1 transform-set ESP_AES
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****

busterswt Wed, 01/23/2013 - 12:26

Hi Ashley -

Your nat config looks OK at a quick glance. I incorrectly used the 'static' keyword in my example, but you corrected it by using 'nat' instead.

The problem you're likely experiencing is that your encryption domains are now wrong. The nat will happen prior to the crypto match, so you'll want to edit the following ACLs:

FW1/FW2:

-before-

access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE

-after-

access-list CRYPTO_ACL extended permit ip object VPN-NAT object REMOTE-SITE

Give that a shot and let me know if you continue to have problems.

James
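James's two points in this thread, the 8.3+ twice-NAT statement that gives each site a distinct NAT'd /24 and the fact that NAT happens before the crypto ACL match, modelled as a small Python simulation of one packet crossing from Site1 to Site2. This is an added example, not code from the thread or from Cisco; the host addresses and the `walk`/`egress`/`ingress` helpers are hypothetical, built from the networks in Ashley's configs.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's 8.4 setup: both sites use 192.168.1.0/24
# internally and each presents a different NAT'd /24 to the tunnel.
SITES = {
    "site1": {"internal": "192.168.1.0/24", "vpn_nat": "192.168.101.0/24", "remote": "192.168.102.0/24"},
    "site2": {"internal": "192.168.1.0/24", "vpn_nat": "192.168.102.0/24", "remote": "192.168.101.0/24"},
}

def translate(addr, from_net, to_net):
    """One-to-one mapping: same host offset in another same-sized network
    (what 'source static INTERNAL VPN-NAT' does per host)."""
    from_net, to_net = ip_network(from_net), ip_network(to_net)
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))

def egress(site, src, dst):
    """Outbound order on the ASA: twice NAT first, then the crypto ACL check."""
    cfg = SITES[site]
    if ip_address(src) in ip_network(cfg["internal"]) and ip_address(dst) in ip_network(cfg["remote"]):
        src = translate(src, cfg["internal"], cfg["vpn_nat"])  # destination is identity-NATed
    return src, dst

def crypto_match(acl, src, dst):
    """acl = (source network, destination network), like CRYPTO_ACL's single entry."""
    return ip_address(src) in ip_network(acl[0]) and ip_address(dst) in ip_network(acl[1])

def ingress(site, src, dst):
    """Inbound: the decrypted packet is untranslated back to the real internal host."""
    cfg = SITES[site]
    if ip_address(dst) in ip_network(cfg["vpn_nat"]):
        dst = translate(dst, cfg["vpn_nat"], cfg["internal"])
    return src, dst

def walk(src, dst, acl_uses_nat_net):
    """Send one packet Site1 -> Site2. Returns (crypto ACL matched?, (src, dst)
    as seen by the Site2 host) or (False, None) when the ACL did not match."""
    s1 = SITES["site1"]
    # 'before' ACL: object INTERNAL; 'after' ACL: object VPN-NAT
    acl = ((s1["vpn_nat"] if acl_uses_nat_net else s1["internal"]), s1["remote"])
    post_nat = egress("site1", src, dst)
    if not crypto_match(acl, *post_nat):
        return False, None  # post-NAT source is 192.168.101.x, so the old ACL never matches
    return True, ingress("site2", *post_nat)

if __name__ == "__main__":
    print(walk("192.168.1.10", "192.168.102.20", False))  # (False, None)
    print(walk("192.168.1.10", "192.168.102.20", True))   # (True, ('192.168.101.10', '192.168.1.20'))
```

The Site2 host sees the Site1 sender as 192.168.101.10, so the two overlapping 192.168.1.0/24 networks never meet on the wire; only the encryption domain has to be written in terms of the NAT'd network.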

busterswt Wed, 01/23/2013 - 12:27

BTW - Your attachments *did* show up, but against an earlier post, so I didn't see them! Thanks for the copy/paste.

Ashley Sahonta Wed, 01/23/2013 - 12:28

Yep tried that and still not getting the tunnels up.

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static INTERNAL VPN-NAT   destination static REMOTE-SITE REMOTE-SITE
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INTERNAL interface
    translate_hits = 0, untranslate_hits = 0

NAT output above and ISAKMP status below:

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

busterswt Wed, 01/23/2013 - 12:42

How are you attempting to bring the tunnels up? By pinging something in the 192.168.102.0 or 192.168.101.0 networks, respectively, from an internal machine (not the firewall or packet-tracer)?

Your PSK matches, too, right? Anything from the crypto debugs on both sides?

James

Ashley Sahonta Wed, 01/23/2013 - 12:41

Ignore the previous response. GNS3 decided to be a pain. It works - thank you very much.
