Community Member

No internet access with subnet overlap IPSec VPN tunnel

Hi,

Because the same subnet is in use on the local networks at the two sites, we have configured NAT overlap on the IPSec VPN tunnel using ASA 7.0 and it is working fine.

But now, on the site where the overlap NAT has been configured, users cannot access the internet. If we bring down the VPN tunnel, the global PAT works fine.

Please guide me ASAP!!

Thanks

Vikas

8 REPLIES
Hall of Fame Super Blue

Re: No internet access with subnet overlap IPSec VPN tunnel

Hi Vikas

From the description you give, it sounds like you need to do policy NAT, i.e. NAT the source IP addresses differently depending on whether they are going down the VPN tunnel or out to the internet.

Could you give some addressing and config to clarify what you are trying to achieve?

Jon

Community Member

Re: No internet access with subnet overlap IPSec VPN tunnel

Thanks Jon for the reply

Here is the config. We want users from the local site to access the internet and, at the same time, have the VPN tunnel also work.

name 172.26.1.0 LOCAL_LAN
name 10.97.0.0 DNA-LAN
name 194.193.109.212 DNA-FW
object-group network PARKROYAL-NAT
 description NATed subnet from 172.16.1.0 to 192.168.100.0 on IPSec Tunnel
 network-object 192.168.100.0 255.255.255.0
object-group network DNA-LAN
 description Inside LAN of the DNA subnet
 network-object 10.97.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 1 LOCAL_LAN 255.255.255.0
access-list nonat extended permit ip LOCAL-LAN 255.255.255.0 object-group DNA-LAN
access-list CRYPTO-DNA-VPN extended permit ip object-group PARKROYAL-NAT object-group DNA-LAN
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.55 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.56 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.57 eq 3389
access-list acl-outside extended permit tcp any host 193.167.190.54 eq www
access-list acl-outside extended permit tcp any host 193.167.190.55 eq www
access-list acl-outside extended permit tcp any host 193.167.190.56 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq https
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 1935
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 3389
static (inside,outside) 193.167.190.55 172.16.1.4 netmask 255.255.255.255
static (inside,outside) 193.167.190.56 172.16.1.5 netmask 255.255.255.255
static (inside,outside) 193.167.190.57 172.16.1.6 netmask 255.255.255.255
static (inside,outside) 193.167.190.54 172.16.1.3 netmask 255.255.255.255
access-group acl-outside in interface outside
crypto ipsec transform-set DESMD5 esp-des esp-md5-hmac
crypto map DNAVPN 50 match address CRYPTO-DNA-VPN
crypto map DNAVPN 50 set peer DNA-FW
crypto map DNAVPN 50 set transform-set DESMD5

Hall of Fame Super Blue

Re: No internet access with subnet overlap IPSec VPN tunnel

Hi

nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0

This should NAT your 172.16.1.x clients to 192.168.100.x when going down the VPN tunnel, but when going out to the internet the PAT on the outside interface should be used.

HTH

Jon

Community Member

Re: No internet access with subnet overlap IPSec VPN tunnel

Hi Jon,

Thanks for reply.

Sorry, I missed one line of the NAT rule:

static (inside,outside) 10.97.0.0 192.168.100.0 netmask 255.255.255.0

which NATs the inside subnet to 192.168.100.0 for the VPN tunnel.

We already configured the PAT for the internet access:

nat (inside) 1 LOCAL_LAN 255.255.255.0
global (outside) 1 interface

Hall of Fame Super Blue

Re: No internet access with subnet overlap IPSec VPN tunnel

Hi

I'm a bit confused. What is the internal network:

172.16.x.x

or

10.97.0.0

Either way, you can still use what I sent previously, i.e.

access-list nonat extended permit ip LOCAL-LAN 255.255.255.0 object-group DNA-LAN
access-list nonat extended permit ip 10.97.0.0 255.255.0.0 object-group DNA-LAN
nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0

You would need to remove the static statement.

Note that the number for the NAT and global statement is 2 because you have already used 1 for the PAT.

Jon
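To show why Jon's policy NAT fixes the symptom, here is an added Python model (not from the thread or from Cisco) of the ASA 7.x NAT order of evaluation: static NAT is applied before policy dynamic NAT, which is applied before regular dynamic NAT/PAT, and only policy NAT looks at the destination. The addressing comes from the thread; the "before" rule set (a plain static for the whole LAN) and the outside interface address are assumptions for illustration.

```python
import ipaddress

# Addressing from the thread: LAN 172.16.1.0/24, remote DNA-LAN 10.97.0.0/16,
# translated VPN subnet 192.168.100.0/24. The outside address is an assumed placeholder.
LOCAL_LAN = ipaddress.ip_network("172.16.1.0/24")
DNA_LAN = ipaddress.ip_network("10.97.0.0/16")
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")
OUTSIDE_IF = "203.0.113.1"  # assumed interface address (documentation range)


def map_host(src, real_net, mapped_net):
    """Netmask-style one-to-one mapping: keep the host offset, swap the subnet."""
    offset = int(src) - int(real_net.network_address)
    return str(ipaddress.ip_address(int(mapped_net.network_address) + offset))


def translate(src, dst, rules):
    """Return (mapped_source, rule_kind) for a packet from src to dst.

    ASA 7.x evaluates static NAT first, then policy dynamic NAT (nat with an
    access-list), then regular dynamic NAT/PAT. A plain static ignores the
    destination; policy NAT matches only when the ACL destination matches.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in ("static", "policy", "dynamic"):
        for rule in rules:
            if rule["kind"] != kind or src not in rule["real"]:
                continue
            if rule.get("dst") is not None and dst not in rule["dst"]:
                continue
            if kind == "dynamic":
                return OUTSIDE_IF, kind  # global (outside) 1 interface -> PAT
            return map_host(src, rule["real"], rule["mapped"]), kind
    return str(src), "none"


# Assumed "before": a plain static translating the whole LAN, plus the interface PAT.
BEFORE = [
    {"kind": "static", "real": LOCAL_LAN, "mapped": VPN_POOL},
    {"kind": "dynamic", "real": LOCAL_LAN},
]
# "After", as Jon described: nat (inside) 2 access-list nonat keyed on destination
# DNA-LAN with global (outside) 2 192.168.100.0/24, and nat/global 1 PAT for the rest.
AFTER = [
    {"kind": "policy", "real": LOCAL_LAN, "dst": DNA_LAN, "mapped": VPN_POOL},
    {"kind": "dynamic", "real": LOCAL_LAN},
]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "to VPN peer:", translate("172.16.1.4", "10.97.5.9", rules))
        print(name, "to internet:", translate("172.16.1.4", "198.51.100.7", rules))
```

With the static in place, internet-bound packets leave sourced from 192.168.100.x (not routable on the internet), which is exactly the "no internet until the tunnel is down" symptom; with policy NAT, only DNA-LAN-bound traffic is translated to 192.168.100.x and everything else falls through to the interface PAT.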

Community Member

Re: No internet access with subnet overlap IPSec VPN tunnel

Hi Jon,

I solved the problem with your solution.

Extremely thankful.

Cisco Employee

Re: No internet access with subnet overlap IPSec VPN tunnel

Vikas,

The URL below discusses Policy NAT, which should resolve your issue.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1042553

Regards,

Arul

Community Member

Re: No internet access with subnet overlap IPSec VPN tunnel

Hi Arul,

Good document!! It cleared up all my problems.

Thanks

Vikas
