Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1597
Views
0
Helpful
10
Replies

ASA 8.2 with overlapping VPN subnets

martens72
Level 1
Level 1

‎10-12-2013 07:53 PM - edited ‎03-11-2019 07:51 PM

Hello,

We have servers in the datacenter to monitor several customer ASA devices over VPN tunnel. The issue is some customers overlap with each other. For example, 192.168.1.0/24 may be used as remote subnet for 2-3 customers. The monitored devices are running ASA 8.2 code.

In ASA 8.3+ code, I would create manual nat to change the source IP of the remote device when connecting to our monitoring server. In 8.2 however, I have tried to static Policy nat the inside interface with the following config (192.168.1.254 is the inside interface IP):

<ACL>

access-list monitoring remark ----- Access list for NAT to monitoring devices -----

access-list monitoring extended permit ip host 192.168.1.254 10.20.10.0 255.255.255.0

<Static Nat>

static (inside,outside) 172.16.33.254 access-list monitoring

<Crypto Map>

access-list tunnel extended permit ip host 172.16.33.254 object-group MonitoringServers

Am I barking up the wrong tree? Is it possible to NAT the IP of the inside interface in such a manner, or will I need to bypass the tunnel monitoring and use the external IP?

Thanks in advance for your help.

Michael Martens

Labels:
0 Helpful
10 Replies 10

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-13-2013 12:08 AM

Hello Michael,

If the VPN goes from the Data center to each of the Spokes,

Why dont you do a policy nat on the spoke routers when communicating to the Data center (let's say change their IP to the subnet range 10.20.20.0/24 for one spoke 10.20.40.0/24 to another and keep going).

Then on the Data center site change the No_Nat config and Crypto ACL to reflect that new address space.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

martens72
Level 1
Level 1
In response to Julio Carvajal

‎10-14-2013 08:04 AM

I have applied the following on the spoke ASA (8.2):

access-list monitoring extended permit ip 192.168.1.0 255.255.255.0 10.20.10.0 255.255.255.0

nat (inside) 5 access-list monitoring tcp 0 0 udp 0

global (outside) 5 172.16.33.1-172.16.33.254 netmask 255.255.255.0

access-list tunnel extended permit ip 172.16.33.0 255.255.255.0 object-group MonitoringServers

The Hub ASA (8.4) is setup to encrypt traffic to the 172.16.33.0/24 subnet for this tunnel. When I ping from the spoke, using the inside interface to host 10.20.10.80, it fails, and gives no indication that the inside interface IP of 192.168.1.254 is being nat'd into 172.16.33.x

Again, am I expecting too much from the 8.2 spoke, or just missing something in the config? Specifically, I am trying to monitor the inside interface IP (192.168.1.254) using host 10.20.10.80 from the Hub side. I am trying to nat the inside interface to use 172.16.33.254 when communicating to any server in 10.20.10.x subnet.

Michael Martens

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to martens72

‎10-14-2013 08:10 AM

Hello Michael,

Did you change the No-Nat config on the HUB site to be pointing now to the 172.16.33.0/24?

On the spoke side run

packet-tracer input inside icmp 192.168.1.10 8 0 192.168.1.10

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

martens72
Level 1
Level 1
In response to Julio Carvajal

‎10-14-2013 09:48 AM

I found I had a missing manual nat statement in the Hub ASA. I can  now ping from the remote subnet to the monitoring server; however I need  the monitoring server to access the ASA inside interface for snmp polling. I am  replacing the dynamic policy nat with a static policy nat to change the  inside interface from 192.168.1.254 to 172.16.33.254 when accessed from the monitoring server, or vice versa. Is it possible to  nat the IP of the inside interface to a new outside global? It doesn't  seem to be working as expected.

Micahel Martens

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to martens72

‎10-14-2013 09:52 AM

Hello MIchael,

Do U have the management access inside command?

Do a static translation with ACL's instead than a policy-nat on the Spoke site

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

martens72
Level 1
Level 1
In response to Julio Carvajal

‎10-14-2013 10:37 AM

"management-access inside" is set. Assuming the inside interface IP is 192.168.1.254, I have the following config:

access-list monitoring extended permit ip host 192.168.1.254 10.20.10.0 255.255.255.0

static (inside,outside) 172.16.33.254 access-list monitoring

The crypto acl permits the traffic for encryption; and was working with the dynamic policy nat.

ASA# sh xlate | incl 172.16.33

Global 172.16.33.254 Local 192.168.1.254

NAT from inside:192.168.1.254 to outside(monitoring):172.16.33.254 flags s

match ip inside host 192.168.1.254 outside 10.20.10.0 255.255.255.0

    static translation to 172.16.33.254

    translate_hits = 0, untranslate_hits = 960

0 Helpful

martens72
Level 1
Level 1
In response to martens72

‎10-14-2013 02:33 PM

I'm thinking this is next to impossible....I can't find any reference to NAT'ing the actual IP of the interface online.

Packet tracer using the 172.16.33.254 IP is good in both directions to the monitoring server - the issue just seems to be that the interface itself can't be NAT'd into another IP address. The only option I would have is to monitor the ASA directly over the public IP,  which I would much rather do over the encrypted tunnel.

Any ideas?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to martens72

‎10-14-2013 08:16 PM

Hello Michael,

I just got confused from all of the information provided .

Can you build a topology and we can start from scratch. I do think this is possible.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Anand Solgama
Level 1
Level 1
In response to Julio Carvajal

‎10-15-2013 05:30 AM

Hi,

I did

like this bro    ...... ASA 8.02

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 1.0.0.0 255.0.0.0

global (outside) 1 200.200.200.200

nat (inside) 1 access-list INSIDE

and on outside router ICMP debig output here

*Oct 15 17:55:10.851: ICMP: echo reply sent, src 1.1.1.1, dst 200.200.200.200

R1#

*Oct 15 17:55:11.883: ICMP: echo reply sent, src 1.1.1.1, dst 200.200.200.200

R1#

*Oct 15 17:55:12.923: ICMP: echo reply sent, src 1.1.1.1, dst 200.200.200.200

R1#

*Oct 15 17:55:13.939: ICMP: echo reply sent, src 1.1.1.1, dst 200.200.200.200

R1#

*Oct 15 17:55:16.067: ICMP: echo reply sent, src 200.200.200.2, dst 192.168.1.2

R1#

*Oct 15 17:55:17.083: ICMP: echo reply sent, src 200.200.200.2, dst 192.168.1.2

R1#

*Oct 15 17:55:18.119: ICMP: echo reply sent, src 200.200.200.2, dst 192.168.1.2

R1#

*Oct 15 17:55:19.147: ICMP: echo reply sent, src 200.200.200.2, dst 192.168.1.2

R1#

*Oct 15 17:55:20.163: ICMP: echo reply sent, src 200.200.200.2, dst 192.168.1.2

SEE WHEN PING TO 1.1.1.1 IT CHANGE ADDRESS AS PER MY  ACL "INSIDE" AND WHEN GO TO 200.200.200.2 IT WILL NOT MATCH ACL SO NO NAT FOR THAT 

BYE,

0 Helpful

vishaw jasrotia
Level 1
Level 1

‎10-14-2013 03:31 AM

Hey Michael ,

I am fully aware of the topology that you are using , but as per what I understand from your toplology you can use static route on the host basis.

Thanks

Vishaw

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card