LAN-to-LAN IPsec VPN with Overlapping Networks problem

I'm trying to connect two overlapping networks via IPsec. I've already Googled and read

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Details:

Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses the 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed.

Site_B uses a Linux box and the networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA; we took over this infrastructure without any documentation whatsoever.

According to the link posted above I should use dual NAT. Site_B will see networks in Site_A as 10.26.0.0/22, and Site_A will see networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence the /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination ip address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link posted above everything is ok till the command:

static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound

which results in:

WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255

Those are port redirects on Site_A used for mail, webmail, etc. What should I do to keep these redirects from the Internet to the companyname vlan and at the same time have a working l2l ipsec tunnel connecting the overlapping networks?

Thank you in advance for any help or hint.

Snippet of ASA's config below:

!
ASA Version 8.0(4)32
!
no names
name 10.25.0.0 siteB-fake-network description Fake NAT network to avoid ip overlapping
name 10.26.0.0 siteA-fake-network description Fake NAT network to avoid ip overlapping
!
interface Ethernet0/0
 shutdown
 nameif inside
 security-level 100
 ip address 10.200.32.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.10
 vlan 10
 nameif companyname
 security-level 100
 ip address 10.100.0.254 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif wifi
 security-level 100
 ip address 10.0.0.1 255.255.255.240
!
interface Ethernet0/2.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 10.0.30.1 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.100.100.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Inside-Network
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.1.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group service DM_INLINE_TCP_5 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain
 service-object udp eq domain
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group network DM_INLINE_NETWORK_1
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
access-list securevpn_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.178 eq 50000
access-list outside_access_in extended permit tcp any host x.x.x.178 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.178 eq https
access-list outside_access_in extended permit tcp any host x.x.x.179 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp-data
access-list outside_access_in extended permit tcp host 205.158.110.63 host x.x.x.180 eq ssh inactive
access-list inside_access_in extended permit ip 10.100.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_access_in extended permit ip object-group Inside-Network 10.100.99.0 255.255.255.0
access-list inside_access_in extended permit ip object-group Inside-Network 10.0.30.0 255.255.255.248
access-list inside_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list inside_access_in extended permit tcp object-group Inside-Network any eq www
access-list inside_access_in extended permit tcp object-group Inside-Network any eq https
access-list inside_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp-data
access-list inside_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp
access-list inside_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 9999
access-list inside_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 3389
access-list inside_access_in extended permit udp object-group Inside-Network any eq domain
access-list companyname_access_in extended permit ip object-group Inside-Network 10.100.1.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group Inside-Network 10.100.99.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group Inside-Network 10.0.30.0 255.255.255.248
access-list companyname_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list companyname_access_in extended permit tcp object-group Inside-Network any eq www
access-list companyname_access_in extended permit tcp object-group Inside-Network any eq https
access-list companyname_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp-data
access-list companyname_access_in extended permit tcp object-group Inside-Network gt 1023 any eq ftp
access-list companyname_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 9999
access-list companyname_access_in extended permit object-group TCPUDP object-group Inside-Network any eq 3389
access-list companyname_access_in extended permit udp object-group Inside-Network any eq domain
access-list wifi_access_in extended permit tcp 10.0.0.0 255.255.255.240 host 10.100.0.40 eq 2001
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.0.0 255.255.255.240
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list wifi_nat0_outbound extended permit ip 10.0.0.0 255.255.255.240 10.100.0.0 255.255.255.0
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 any object-group DM_INLINE_TCP_5
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 host 10.100.0.2 object-group DM_INLINE_TCP_6
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 10.0.30.0 255.255.255.248 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended deny ip 10.0.30.0 255.255.255.248 any
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.0.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.99.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.26.0.0 255.255.252.0 10.25.0.0 255.255.255.0
access-list fake_nat_outbound extended permit ip 10.100.0.0 255.255.252.0 10.25.0.0 255.255.255.0
ip local pool clientVPNpool 10.100.99.101-10.100.99.199 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name IPS attack action alarm drop reset
ip audit name IPS-inf info action alarm
ip audit interface outside IPS-inf
ip audit interface outside IPS
nat-control
global (inside) 91 10.100.0.2
global (inside) 92 10.100.0.4
global (inside) 90 10.100.0.3 netmask 255.255.255.0
global (outside) 10 interface
global (outside) 91 x.x.x.179
global (outside) 92 x.x.x.181
global (outside) 90 x.x.x.180 netmask 255.0.0.0
global (companyname) 10 interface
global (dmz) 20 interface
nat (outside) 10 10.100.99.0 255.255.255.0
nat (companyname) 0 access-list companyname_nat0_outbound
nat (companyname) 10 10.100.0.0 255.255.255.0
nat (companyname) 10 10.100.1.0 255.255.255.0
nat (companyname) 10 10.100.2.0 255.255.255.0
nat (wifi) 0 access-list wifi_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 10.0.30.0 255.255.255.248
static (companyname,outside) tcp interface https 10.100.0.6 https netmask 255.255.255.255
static (companyname,outside) tcp interface smtp 10.100.0.20 smtp netmask 255.255.255.255
static (companyname,outside) tcp interface 50000 10.100.0.128 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2001 10.100.0.26 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2002 10.100.0.27 3389 netmask 255.255.255.255
static (companyname,outside) tcp interface 2003 10.100.0.28 3389 netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.181 ftp 10.0.30.2 ftp netmask 255.255.255.255
static (companyname,companyname) 10.100.1.0 10.100.1.0 netmask 255.255.255.0
static (companyname,companyname) 10.100.2.0 10.100.2.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group companyname_access_in in interface companyname
access-group wifi_access_in in interface wifi
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
route companyname 10.0.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.2.0 255.255.255.0 10.100.0.1 1
dynamic-access-policy-record DfltAccessPolicy
!
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer a.b.c.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.100.0.3
 dns-server value 10.100.0.3
 default-domain value companyname.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 10.100.0.3
 vpn-tunnel-protocol l2tp-ipsec
group-policy securevpn internal
group-policy securevpn attributes
 wins-server value 10.100.0.3 10.100.0.2
 dns-server value 10.100.0.3 10.100.0.2
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 default-domain value companyname.com
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group securevpn type remote-access
tunnel-group securevpn general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy securevpn
tunnel-group securevpn ipsec-attributes
 pre-shared-key *
tunnel-group securevpn ppp-attributes
 authentication ms-chap-v2
tunnel-group a.b.c.1 type ipsec-l2l
tunnel-group a.b.c.1 ipsec-attributes
 pre-shared-key *

1 Accepted Solution

Mr_Helpful
Level 1

Are you sure that static-config does not make it to the running config?

By applying that 'big static' you are essentially trying to forward ports that have already been forwarded by the rules in your existing config. That is what the warning says: what you are trying to do has some overlap with existing statics.

(Sorry for using the word forwarding, but this problem makes more sense if you look at it that way, even though 'port forwarding' is not Cisco terminology.)

But... every time I came across this issue, the warning was just that: a WARNING, not an ERROR. And it all just works like I want it to work: the specific statics in my existing config simply take precedence over the big static.

If you would try to do it the other way round (first the big static, and then try to apply more specific ones) you would get an error and the config is not applied.

So could you confirm the config really is not accepted?

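The two behaviours discussed in this thread, modelled as an added Python example (not the poster's configuration and not Cisco code): translating only the network part of an address between 10.100.0.0/22 and 10.26.0.0/22, listing the existing port statics whose real address falls inside the new network static (the six warnings in the question), and picking the most specific static for a real address, which is why the per-host redirects keep working. The outside addresses in the sample data are placeholders for the masked x.x.x.178 and x.x.x.181.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

@dataclass(frozen=True)
class Static:
    """One ASA 'static' line reduced to the fields the overlap check needs."""
    real: IPv4Network           # real (companyname-side) host or network
    mapped: IPv4Network         # mapped (outside-side) host or network
    port: Optional[int] = None  # TCP port for a port redirect, None for plain NAT

def translate_network_part(addr: str, real_net: str, mapped_net: str) -> str:
    """Swap the network part of addr from real_net to mapped_net, keeping the
    host bits (the 'match-host' behaviour the poster asks for):
    10.100.1.222 in 10.100.0.0/22 -> 10.26.1.222 in 10.26.0.0/22."""
    src, dst, ip = IPv4Network(real_net), IPv4Network(mapped_net), IPv4Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_bits = int(ip) - int(src.network_address)
    return str(IPv4Address(int(dst.network_address) + host_bits))

def conflicting_statics(existing: List[Static], big_real: IPv4Network) -> List[Static]:
    """Existing statics whose real address falls inside the new network static.
    Each one is what the ASA reports as 'real-address conflict with existing static'."""
    return [s for s in existing if s.real.subnet_of(big_real)]

def select_static(statics: List[Static], real_addr: str) -> Optional[Static]:
    """Most specific static covering real_addr: a /32 port redirect outranks the
    /22 network static, which is why the warning does not break the redirects."""
    matches = [s for s in statics if IPv4Address(real_addr) in s.real]
    return max(matches, key=lambda s: (s.real.prefixlen, s.port is not None), default=None)

# Constructed sample: the six port redirects from the thread. The outside
# addresses are placeholders for the masked x.x.x.178 / x.x.x.181.
OUT_178, OUT_181 = IPv4Network("203.0.113.178/32"), IPv4Network("203.0.113.181/32")
PORT_STATICS = [
    Static(IPv4Network("10.100.0.6/32"), OUT_178, 443),
    Static(IPv4Network("10.100.0.20/32"), OUT_178, 25),
    Static(IPv4Network("10.100.0.128/32"), OUT_178, 3389),
    Static(IPv4Network("10.100.0.26/32"), OUT_181, 3389),
    Static(IPv4Network("10.100.0.27/32"), OUT_181, 3389),
    Static(IPv4Network("10.100.0.28/32"), OUT_178, 3389),
]
# The 'big static' from the question: real 10.100.0.0/22 appears as 10.26.0.0/22.
BIG_STATIC = Static(IPv4Network("10.100.0.0/22"), IPv4Network("10.26.0.0/22"))
ALL_STATICS = PORT_STATICS + [BIG_STATIC]
```

Running conflicting_statics(PORT_STATICS, BIG_STATIC.real) returns all six redirects, matching the six warnings, while select_static(ALL_STATICS, "10.100.0.6") still returns the port 443 redirect rather than the network static.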

2 Replies

You're absolutely right. It's not pretty (I don't like warnings on production environments), but tests show that it works. Thank you.
