asa 8.3 vpn static nat not working (overlapping networks)

Unanswered Question
Jul 26th, 2010

Hello,


I'm stuck with this problem:


Two ASA 5520s running 8.3 connected via VPN. The inside networks have the same subnet, therefore I had to NAT both sides.


The inside network is 192.168.2.x/24.


Site no. 1 has been NATed with subnet 172.16.254.0/24.

Site no. 2 has been NATed with subnet 172.16.253.0/24.


I did some static NAT from site 2 to site 1. This means that I can reach a server in site 2 (192.168.2.13) with IP 172.16.253.13.


This works: I can reach the server via IP address and I can ping it, but I cannot reach the server via SSH, for example.


(Of course SSH is enabled on the server and I can reach it locally. There are no limitations on reaching the server via SSH.)


There are no limitations in the access rules.


This is the sh run nat from site 2:


ASA-SITE2# sh run nat
nat (inside,outside-wind) source static 192.168.2.20 172.16.253.20 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source static nexus 172.16.253.253 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source static 192.168.2.13 172.16.253.13 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source dynamic any 172.16.253.1 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source dynamic any interface



These are the ACLs:


ASA-SITE2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside-wind_1_cryptomap; 1 elements; name hash: 0x2bedd12d
access-list outside-wind_1_cryptomap line 1 extended permit ip 172.16.253.0 255.255.255.0 172.16.254.0 255.255.255.0 (hitcnt=1) 0x5362f721
access-list outside-wind_access_in; 1 elements; name hash: 0x3c725494
access-list outside-wind_access_in line 1 extended permit ip any any (hitcnt=0) 0x1c6f6602
access-list outside-wind_access_out; 2 elements; name hash: 0xdbc0f90e
access-list outside-wind_access_out line 1 extended permit ip 172.16.253.0 255.255.255.0 any (hitcnt=0) 0x6028d9cf
access-list outside-wind_access_out line 2 extended permit ip any any (hitcnt=3) 0x48e32d81
access-list inside_access_in; 1 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip 192.168.2.0 255.255.255.0 object VPN_L2L_SITE1 0x7d1028b5
  access-list inside_access_in line 1 extended permit ip 192.168.2.0 255.255.255.0 172.16.254.0 255.255.255.0 (hitcnt=3) 0x7d1028b5


Any idea?


Is this a problem with 8.3?
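As an added example (not part of the original post and not Cisco's code), the script below models how ASA 8.3 evaluates the section-1 manual (twice) NAT lines pasted above: top-down, first match, with static rules bidirectional and dynamic/PAT rules usable only for connections initiated from the inside. It parses the posted `sh run nat` output and reports, for a few constructed flows, which mapped address an inside host is seen as by site 1 and which real host a packet arriving from site 1 is un-NATed to. The only object it resolves is VPN_L2L_SITE1, which the expanded `inside_access_in` line shows is 172.16.254.0/24; the `nexus` object is not defined anywhere in the post, so that line is reported as skipped rather than guessed. The remote addresses (172.16.254.10, 198.51.100.7) are constructed test values.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Section-1 (manual / twice) NAT lines exactly as posted for site 2.
NAT_CONFIG = """\
nat (inside,outside-wind) source static 192.168.2.20 172.16.253.20 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source static nexus 172.16.253.253 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source static 192.168.2.13 172.16.253.13 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source dynamic any 172.16.253.1 destination static VPN_L2L_SITE1 VPN_L2L_SITE1
nat (inside,outside-wind) source dynamic any interface
"""

# Objects we can resolve from the post: the expanded inside_access_in line shows
# VPN_L2L_SITE1 = 172.16.254.0 255.255.255.0. 'nexus' is undefined on the page.
OBJECTS = {"VPN_L2L_SITE1": "172.16.254.0/24"}
ANY = ipaddress.ip_network("0.0.0.0/0")
Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    real_if: str
    mapped_if: str
    kind: str                    # "static" or "dynamic"
    real_src: Net
    mapped_src: Union[Net, str]  # a network, or "interface" for interface PAT
    dst: Net                     # destination match (mapped == real in the post)


RULE_RE = re.compile(
    r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?$"
)


def to_net(token: str) -> Net:
    """Resolve a NAT operand (host IP, 'any' or an object name) to a network."""
    if token == "any":
        return ANY
    if token in OBJECTS:
        return ipaddress.ip_network(OBJECTS[token])
    return ipaddress.ip_network(token)  # bare host -> /32; unknown name -> ValueError


def parse_nat(config: str):
    """Return (rules in configured order, lines skipped because an object is unresolved)."""
    rules, skipped = [], []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, kind, rsrc, msrc, mdst, _rdst = m.groups()
        try:
            mapped = "interface" if msrc == "interface" else to_net(msrc)
            rules.append(NatRule(real_if, mapped_if, kind, to_net(rsrc), mapped,
                                 to_net(mdst) if mdst else ANY))
        except ValueError:
            skipped.append(line)
    return rules, skipped


def outbound(rules, src: str, dst: str) -> Optional[str]:
    """Inside -> outside: the first rule whose real source and destination both
    match wins; section 1 is evaluated top-down with no fall-through."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s not in r.real_src or d not in r.dst:
            continue
        if r.mapped_src == "interface":
            return r.mapped_if  # PAT to the egress interface address
        if r.kind == "static":
            # one-to-one: keep the host's offset inside the mapped network
            return str(r.mapped_src[int(s) - int(r.real_src.network_address)])
        return str(r.mapped_src.network_address)  # dynamic PAT to one address
    return None


def inbound(rules, src: str, dst: str) -> Optional[str]:
    """Outside -> inside: only static rules are bidirectional. A host covered
    only by a dynamic/PAT rule has no inbound mapping from the remote site."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.kind != "static" or r.mapped_src == "interface":
            continue
        if d in r.mapped_src and s in r.dst:
            return str(r.real_src[int(d) - int(r.mapped_src.network_address)])
    return None


if __name__ == "__main__":
    rules, skipped = parse_nat(NAT_CONFIG)
    print(f"parsed {len(rules)} rules, skipped {len(skipped)} (unresolved object)")
    for flow in [("192.168.2.13", "172.16.254.10"), ("192.168.2.50", "172.16.254.10"),
                 ("192.168.2.13", "198.51.100.7")]:
        print("outbound", flow, "->", outbound(rules, *flow))
    for flow in [("172.16.254.10", "172.16.253.13"), ("172.16.254.10", "172.16.253.1")]:
        print("inbound", flow, "->", inbound(rules, *flow))
```

Running it shows that 192.168.2.13 is presented to site 1 as 172.16.253.13 in both directions, that any other inside host falls through to the dynamic PAT address 172.16.253.1 and therefore has no inbound mapping, and that traffic to a destination outside 172.16.254.0/24 reaches the interface PAT rule last. It models address selection only; it says nothing about why ICMP would succeed where TCP/22 fails, which is the part of the question still open.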
