Over-lapping internal ip address - SITE-TO-SITE VPN

Unanswered Question
Jul 8th, 2010

I'm trying to setup a Site-to-site tunnel between a ASA and Checkpoing NGX R62. Their internal host's IP overlaps with our internal IP range.  Unfortunately they're not offering to NAT on their side.  Is it possible on the ASA to setup a NAT so that my internal hosts get nated to the outside ip of the ASA.

172.16.0.0 <---> ASA <-- Internet --> NGX R62 <-- 172.16.0.0

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marcin Latosiewicz Thu, 07/08/2010 - 15:53

Anuj,

There is no problem not do do nat exemption, which you normally do in case of typical NAT ... you know that nat 0 access-list statments :-)

Remember that NAT is done before encryption - so you will need to change access-list in crypto too.

One thing you did not mention is:

How do I solve routing? Ie. Traffic from your PC of 172.16.1.2 wants to go to 172.16.1.3 on the other side of the tunnel... I believe you will also need to NAT their subnet (even if it's identity NAT)

anuj.johri Thu, 07/08/2010 - 20:34

HI Marcin,

This is what i have... wondering if this correct.


Re: ASA conf

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 2.2.2.2 ( peer ip address)

crypto map outside_map 1 set transform-set ESP-3DES-SHA1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2

tunnel-group 2.2..2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes

access-list  outside_1_cryptomap extended permit ip host 1.1.1.1 (our external ip address) host 172.16.1.3 ( ASA Internal ip address)

!--- NAT ACL

access-list policy-nat permit ip host 172.16.1.3  host 3.3.3.3

!-- Translations

static (outside,inside) 1.1.1.1 172.16.1.3 netmask 255.255.255.255 0 0

static (inside,outside) 3.3.3.3 access-list policy-nat

Pls chk this config and let me know....

Customer doesn't want to do any Natting on their end.

I'm also getting an error message when i do show crypto ipsec sa " There are no ipsec sas"

Pls advise

Marcin Latosiewicz Fri, 07/09/2010 - 03:14

Anuj,

Let me reply like this.

Both sides need to have consitent access-list matching what traffic is interesting for encrypion so I would say the ACL should be:

(assuming you want to PAT all traffic)

permit ip h 1.1.1.1 172.16.0.0 255.255.0.0

ie. we want all traffic from our IP address of 1.1.1.1 to go to 172.16.0.0 255.255.0.0 which is the pool on the other side (also as seen by othe other side).

Regarding NAT it will looks like this.

nat (inside) 101 172.16.0.0 255.255.0.0

global (outside) 101 1.1.1.1 (the IP address of interface/ so you will need most likely "interface" keyword)

Now we need to take care of us being able to communicate to external 172.16.0.0 subnet.

You will need to mask if for internal users sooo you can do something like

static (outside,inside) 10.16.0.0 172.16.0.0 net 255.255.0.0

This way your users will think that they are communicating with 10.16.0.0 subnet.

Now, I have not tested this, theory goes it can work (considering xlate lookup is done before routing) I cannot provide guarentee because as I understand it was never meant to work like that :-)

It's not a very nice configuration AND SHOULD BE AVOIDED and this used instead:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
or use IPv6!

Marcin

anuj.johri Fri, 07/09/2010 - 07:17

Hi Marcin,

Thanks for the quick response... I will use the website to create the tunnel. I had a question with regard to the config on the site.

global (outside) 1 172.19.1.1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- The above statements will PAT the internet traffic
!--- except the VPN traffic using the IP address 172.19.1.1 

172.19.1.1 where is this IP coming from? Shouldn't it be 172.16.1.1? This is part of the PIX A config.

Marcin Latosiewicz Fri, 07/09/2010 - 08:33

Anuj,

Please be aware that this config is for both sides doing NAT at the same time - unlike scneario you mention intially, unless the other side changed their opinion?

172.19.1.1 indeed seems fishy, the IP address does not belong anywhere.

Like in case of PIX-B I'm pretty sure it should have been "interface".

Marcin

anuj.johri Fri, 07/09/2010 - 11:12

I will talk to them and see what they say.

On another note... am i getting this error msg b/c tunnel is down "there are no ipsec sas"

Marcin Latosiewicz Fri, 07/09/2010 - 12:44

Anuj,

That's not an error message. It's just an indication that Phase 2 was not established fully.

Marcin

anuj.johri Mon, 07/12/2010 - 14:13

Thanks Marcin

I will give this a try... I'm still waiting for the customer to call me back 

anuj.johri Wed, 07/21/2010 - 08:39

Hey Marcin,

Finally the customer got back to me...

I"m trying to set up the tunnel using the

PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

but I had a quick question

Correct me if i'm wrong but isn't this incorrect access-list

access-list policy-nat extended permit ip 172.18.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (inside,outside) 172.18.1.0  access-list policy-nat

Shouldn't it be

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0

static (inside,outside) 172.18.1.0  access-list policy-nat

VPN traffic and translates the source (192.168.1.0) to 172.18.1.0 !--- for outbound VPN traffic

Pls advise.

Actions

This Discussion