VPN

Unanswered Question
Apr 26th, 2010
Hi,


VPN users have started to complain that they cannot access any of their servers through RDP when they are connected with VPN from their office. When they are in the house they can connect to VPN and do everything they need to.

My internal network is a Class A address, and when the users connect from their office they also use a Class A address. Does anybody know how to resolve this? I am assuming that this has something to do with the Class A address at both sides.

Thanks

Tahir

Federico Coto F... Mon, 04/26/2010 - 13:06

Yes, you cannot have overlapping addresses communicating through an IPsec VPN connection.

If you're using a Class A segment which overlaps with the office Class A segment, there are two options:


1. Configure NAT to translate the addresses and be able to communicate through the tunnel.

2. Change the addressing scheme on one site.


If you don't want to change the addressing scheme, the recommended solution is the first one.

Let us know if you need assistance with it.


Federico.

tahirs001 Mon, 04/26/2010 - 15:41

Hi Fredrico,


Sorry but option 2 is out of the question. It will have to be option 1.


Can you give me assistance with this please?


Thanks


Tahir

Federico Coto F... Mon, 04/26/2010 - 15:47

Tahir,


Do the VPN users that connect from the office connect via a site-to-site tunnel or via VPN software?
Either way, the idea is to hide the local network behind a different addressing scheme, so that the users can access the LAN with no overlapping problems.


Please let me know and we'll help you out.


Federico.

tahirs001 Mon, 04/26/2010 - 15:57

Hi Federico,


(Apologies I spelt your name wrong in the last post)


The user is using Cisco VPN client software to connect to the site.


I am still learning about the ASA, NAT and access-lists... any books you recommend?


Thanks


Tahir

Federico Coto F... Mon, 04/26/2010 - 16:05

Hi Tahir,


I don't have any books handy (I'll let you know when I get home), but you can find very useful information here:


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/config.html


Let's assume this scenario:


Local LAN behind the ASA:  10.1.1.0/24 (which is the same range used by the users at the office)

VPN pool of addresses: 192.168.1.0/24

NAT range: 172.16.1.0/24


access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (in,out) 172.16.1.0 access-list NAT_VPN


The above configuration is going to do the following:

Let the VPN users "see" the local LAN behind the ASA as 172.16.1.0/24 rather than its real range 10.1.1.0/24.


Additionally, you need to make sure that there's no NAT0 for this traffic.


Hope this helps.


Federico.
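
The translation above, written out as a complete ASA 8.2 (pre-8.3 NAT syntax) fragment together with the two things that most often break it in practice: a NAT exemption that matches the same traffic, and a split-tunnel list that still advertises the real 10.1.1.0/24. This is an added example, not configuration from the thread or from Cisco; the interface names inside/outside, the pool, group-policy and tunnel-group names, and the 10.99.0.0/24 "other peer" network are assumptions chosen for illustration. The address plan itself (10.1.1.0/24, 192.168.1.0/24, 172.16.1.0/24) is the one Federico uses.

```cisco
! Added example (not from the thread). ASA 8.2, pre-8.3 NAT syntax.
! Assumed names: interfaces "inside"/"outside", pool VPN_POOL,
! group-policy VPN_GP, tunnel-group VPN_USERS, other-peer net 10.99.0.0/24.
!
! Address plan from the thread:
!   real inside LAN        10.1.1.0/24   (same range as the client's office LAN)
!   VPN client pool        192.168.1.0/24
!   translated inside LAN  172.16.1.0/24 (what VPN clients see)

ip local pool VPN_POOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

! Policy static NAT: only for inside traffic whose destination is the VPN pool,
! rewrite 10.1.1.x -> 172.16.1.x one-to-one (10.1.1.105 appears as 172.16.1.105).
access-list NAT_VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list NAT_VPN

! NAT exemption for other tunnels may stay, but it must NOT cover the VPN pool:
! before 8.3, "nat 0 access-list" is evaluated ahead of any static, so a
! matching exemption entry silently disables the translation above.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.99.0.0 255.255.255.0
! DO NOT ADD: access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split tunnelling must advertise the TRANSLATED network. If the client is told
! 10.1.1.0/24 it either routes its own office LAN into the tunnel or, when the
! local route wins, never sends server traffic into the tunnel at all.
access-list SPLIT_TUNNEL standard permit 172.16.1.0 255.255.255.0
group-policy VPN_GP internal
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group VPN_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_GP

! Verification once a client is connected (client IP 192.168.1.10 assumed):
!   packet-tracer input outside tcp 192.168.1.10 1025 172.16.1.105 3389
!     expect the NAT phase to cite "static (inside,outside) 172.16.1.0 access-list NAT_VPN"
!     and a final result of ALLOW
!   show xlate | include 172.16.1
```

Two practical notes. First, the VPN user must open RDP to the translated address (172.16.1.105 for the server at 10.1.1.105); anything that hands the client the real address, such as internal DNS returning 10.1.1.105, will send the connection to the office LAN instead. Second, the static only rewrites addresses inside the real range named in the ACL: a server at 10.20.30.105, as mentioned later in the thread, is outside 10.1.1.0/24 and would need its own subnet added to the ACL with a matching static (for example 10.20.30.0/24 to 172.16.30.0/24, illustrative values only). With the default "sysopt connection permit-vpn" in place, VPN traffic bypasses the outside interface ACL, so no additional access-list entry is needed for port 3389.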

tahirs001 Mon, 04/26/2010 - 16:08

Hi Federico,


Ok thanks for this, I will try this out tomorrow morning.


I will let you know how I get on.


Once again thanks for your help.


Tahir

tahirs001 Tue, 04/27/2010 - 01:16

Hi,


If the below config is applied, will the user be able to RDP to the server? The server address is 10.20.30.105; will this not conflict?


Local LAN behind the ASA:  10.1.1.0/24 (which is the same range used by the users at the office)

VPN pool of addresses: 192.168.1.0/24

NAT range: 172.16.1.0/24


access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (in,out) 172.16.1.0 access-list NAT_VPN


The above configuration is going to do the following:

Let the VPN users "see" the local LAN behind the ASA as 172.16.1.0/24 rather than its real range 10.1.1.0/24.


Thanks


Tahir
