VPN

tahirs001

Hi,

VPN users have started to complain that they cannot access any of their servers through RDP when they are connected with VPN from their office. When they are in the house they can connect to VPN and do everything they need to.

My internal network is a Class A address; when the users connect from their office they also use a Class A address. Does anybody know how to resolve this? I am assuming that this will have something to do with the Class A address at both sides.

Thanks

Tahir

7 Replies

Yes, you cannot have overlapping addresses communicating through an IPsec VPN connection.

If you're using a Class A segment which overlaps with the office Class A segment, there are two options:

1. Configure NAT to translate the addresses and be able to communicate through the tunnel.

2. Change the addressing scheme on one site.

If you don't want to change the addressing scheme, the recommended solution is the first one.

Let us know if you need assistance with it.

Federico.

Hi Fredrico,


Sorry but option 2 is out of the question. It will have to be option 1.

Can you give me assistance with this please?

Thanks

Tahir

Tahir,

Do the VPN users that connect from the office connect via a Site-to-Site tunnel or via VPN software?
With either option, the idea is to hide the local network with a different addressing scheme, so that the users can access the LAN with no overlapping problems.

Please let me know and we'll help you out.

Federico.

Hi Fedrico,

(Apologies I spelt your name wrong in the last post)

The user is using Cisco VPN client software to connect to the site.

I am still learning about ASA, NAT and access-list....any books you recommend?

Thanks

Tahir

Hi Tahir,

I don't have any books handy (I'll let you know when I get home), but you can find very useful information here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/config.html

Let's assume this scenario:

Local LAN behind the ASA: 10.1.1.0/24 (which is the same range as for the users in the office)

VPN pool of addresses: 192.168.1.0/24

NAT range: 172.16.1.0/24

access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (in,out) 172.16.1.0 access-list NAT_VPN

The above configuration is going to do the following:

Let the VPN users "see" the local LAN behind the ASA as 172.16.1.0/24 rather than its real range, 10.1.1.0/24.

Additionally, you need to make sure that there's no NAT0 for this traffic.

Hope to help.

Federico.

Hi Fedrico,

Ok thanks for this, I will try this out tomorrow morning.

I will let you know how I get on.

Once again thanks for your help.

Tahir

Hi,

If the below config is applied, will the user be able to RDP to the server? As the server address is 10.20.30.105, will this not conflict?

Local LAN behind the ASA: 10.1.1.0/24 (which is the same range as for the users in the office)

VPN pool of addresses: 192.168.1.0/24

NAT range: 172.16.1.0/24

access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (in,out) 172.16.1.0 access-list NAT_VPN

The above configuration is going to do the following:

Let the VPN users "see" the local LAN behind the ASA as 172.16.1.0/24 rather than its real range, 10.1.1.0/24.

Thanks

Tahir
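
Added example, not part of the thread and not Cisco's code: a small Python model of the network-to-network static NAT in the scenario above, useful for checking an addressing plan before touching the ASA. The function names are hypothetical, the ranges are the thread's scenario values, and 10.1.1.50 is a constructed host; the model assumes the static NAT keeps the host part of each address.

```python
import ipaddress

# Ranges from the scenario in the thread.
REAL_LAN = "10.1.1.0/24"      # real LAN behind the ASA
OFFICE_LAN = "10.1.1.0/24"    # LAN the VPN client sits on (same range)
VPN_POOL = "192.168.1.0/24"   # addresses handed to VPN clients
NAT_RANGE = "172.16.1.0/24"   # range the LAN is presented as


def overlaps(a, b):
    """True when two CIDR ranges share any address."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def translate(real_ip, real_net, mapped_net):
    """Model a network-to-network static NAT, which keeps the host bits.

    Returns the address a VPN client would use, or None when real_ip is
    outside real_net, meaning the NAT access-list does not match that host.
    """
    ip = ipaddress.ip_address(real_ip)
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    if ip not in real:
        return None
    offset = int(ip) - int(real.network_address)
    return str(mapped.network_address + offset)


def plan_conflicts(client_lan, mapped_net, vpn_pool):
    """Return the ranges that would still collide for a client on client_lan."""
    conflicts = []
    if overlaps(client_lan, mapped_net):
        conflicts.append(f"NAT range {mapped_net} overlaps client LAN {client_lan}")
    if overlaps(client_lan, vpn_pool):
        conflicts.append(f"VPN pool {vpn_pool} overlaps client LAN {client_lan}")
    if overlaps(mapped_net, vpn_pool):
        conflicts.append(f"NAT range {mapped_net} overlaps VPN pool {vpn_pool}")
    return conflicts


if __name__ == "__main__":
    print("LANs overlap:", overlaps(REAL_LAN, OFFICE_LAN))
    print("plan conflicts:", plan_conflicts(OFFICE_LAN, NAT_RANGE, VPN_POOL))
    # 10.1.1.50 is a constructed host; 10.20.30.105 is the server from the last post.
    for host in ("10.1.1.50", "10.20.30.105"):
        print(host, "->", translate(host, REAL_LAN, NAT_RANGE))
```

A `None` result means the host falls outside the source range of the access-list as written, so the scenario ranges have to be replaced with the subnet the server is actually on before the translation applies to it.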
