Overlapping IP between remote access VPN and inside interface

Lim Victor
Level 1

Hi all,

I had tried to replace an ASA and configured remote access VPN using the Cisco VPN client.

The remote access users are not able to access the inside network but have no problems accessing the network across a site to site VPN.

One thing to note is that the remote access VPN users are assigned an ip address of 10.X.3.1-10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0 .

Remote access users will have no problems accessing the inside network if the vpn client pool is changed to 192.168.1.1 to 192.168.1.100.

Errors from the ASA:

6              Jan 07 2012         16:25:08               302013  10.X.3.1                27724    10.X.1.66              3389       Built inbound TCP connection 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) to inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)

6              Jan 07 2012         16:25:08               106015  10.X.1.66              3389       10.X.3.1                27724    Deny TCP (no connection) from 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on interface dmz

I understand that overlapping ip range between remote access vpn network and inside interface network will cause routing issues but why is the syn-ack appearing in the DMZ interface? The DMZ interface is on ip address 172.16.Y.1 255.255.255.0.

I do plan to reduce the inside interface to 10.X.0.0 255.255.254.0 if it is indeed a routing issue due to the overlapping IP address, but I would like to understand why the SYN-ACK is coming from the DMZ interface and whether the diagnosis of the problem is correct. I did check with the customer and was informed that the existing design works on another ASA with no such problems.

Accepted Solution

ajay chauhan
Level 7

I agree with whatever you said and tried also, but this does not work.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap

Solution you already know

Solution

Always make sure that the IP addresses in the pool to be assigned to the VPN clients, the internal network of the head-end device and the VPN client's internal network are in different networks. You can assign the same major network with different subnets, but sometimes routing issues occur.

Thanks

Ajay
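A quick way to check a proposed design against the rule above before pushing it to the ASA, as an added example (not from the thread or from Cisco): it expresses the client pool as CIDR blocks and reports every interface whose connected subnet contains pool addresses. The thread masks the second octet as X and the DMZ third octet as Y; the values 10 and 20 below are constructed stand-ins.

```python
import ipaddress

# Constructed stand-ins for the masked octets in the thread (X -> 10, Y -> 20).
INTERFACES = {
    "inside": ipaddress.ip_interface("10.10.1.2/255.255.0.0"),
    "dmz": ipaddress.ip_interface("172.16.20.1/255.255.255.0"),
}


def pool_networks(first, last):
    """Express an 'ip local pool FIRST-LAST' range as its minimal set of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def find_overlaps(pool_first, pool_last, interfaces):
    """Return {interface_name: [pool blocks]} for every interface whose connected
    subnet overlaps the client pool.  An empty dict means the pool is routable
    without ambiguity against a directly connected network."""
    blocks = pool_networks(pool_first, pool_last)
    hits = {}
    for name, iface in interfaces.items():
        bad = [str(b) for b in blocks if iface.network.overlaps(b)]
        if bad:
            hits[name] = bad
    return hits


def with_inside_mask(interfaces, new_mask):
    """Copy the interface map with the inside interface renumbered to NEW_MASK,
    e.g. the /23 the original poster plans to move to."""
    fixed = dict(interfaces)
    fixed["inside"] = ipaddress.ip_interface(f"{interfaces['inside'].ip}/{new_mask}")
    return fixed


if __name__ == "__main__":
    # The problematic design: pool 10.X.3.1-200 sits inside the /16 on 'inside'.
    print(find_overlaps("10.10.3.1", "10.10.3.200", INTERFACES))
    # Plan from the thread: shrink 'inside' to 255.255.254.0 (covers 10.X.0.0-10.X.1.255).
    print(find_overlaps("10.10.3.1", "10.10.3.200", with_inside_mask(INTERFACES, "255.255.254.0")))
    # Alternative from the thread: a pool in a different major network.
    print(find_overlaps("192.168.1.1", "192.168.1.100", INTERFACES))
```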


7 Replies


Hi Ajay,

Thanks for the reply.

I am accessing the servers in the internal network by IP address. I am still curious why the SYN-ACK is appearing on the DMZ interface.

Run a packet tracer and see what results come back.

Lim Victor
Level 1

Another question.

To allow a remote access VPN user to access the network across a L2L VPN, besides doing a "same-security-traffic permit intra-interface" and a NAT exemption (e.g. nat (outside,outside) source static vpn_nat vpn_nat destination static vpn_nat vpn_nat), do we need to add on the crypto maps for the L2L VPN (e.g. include the crypto maps which use the Remote Access IP pool as the source IP)?

I have decided to use another non-overlapping IP range for the remote access VPN users.

Thanks.

Those commands are required for hairpinning traffic that comes in on the outside interface and returns back out over the outside interface for the L2L.

See if this helps to clarify: https://supportforums.cisco.com/docs/DOC-22428

Thanks

Ajay

Hi Ajay,

Thanks again.

Regards,

Victor

YW Victor, let me know if there are any more questions here.
