New Member

Overlapping IP between remote access VPN and inside interface

Hi all,

I tried to replace an ASA and configured remote access VPN using the Cisco VPN client.

The remote access users are not able to access the inside network but have no problems accessing the network across a site to site VPN.

One thing to note is that the remote access VPN users are assigned an IP address from 10.X.3.1-10.X.3.200, mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0.

Remote access users have no problems accessing the inside network if the VPN client pool is changed to 192.168.1.1 to 192.168.1.100.

Errors from the ASA:

6              Jan 07 2012         16:25:08               302013  10.X.3.1                27724    10.X.1.66              3389       Built inbound TCP connection 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) to inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)

6              Jan 07 2012         16:25:08               106015  10.X.1.66              3389       10.X.3.1                27724    Deny TCP (no connection) from 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on interface dmz

I understand that an overlapping IP range between the remote access VPN network and the inside interface network will cause routing issues, but why is the SYN-ACK appearing on the DMZ interface? The DMZ interface is on IP address 172.16.Y.1 255.255.255.0.

I do plan to reduce the inside interface to 10.X.0.0 255.255.254.0 if it is indeed a routing issue due to the overlapping IP addresses, but I would like to understand why the SYN-ACK is coming from the DMZ interface and whether the diagnosis of the problem is correct. I checked with the customer and was informed that the existing design works on another ASA with no such problems.

Accepted Solution

Overlapping IP between remote access VPN and inside interface

I agree with what you said and have tried it too, but this does not work.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap

Solution you already know:

Solution

Always make sure that the IP addresses in the pool assigned to the VPN clients, the internal network of the head-end device and the VPN Client internal network are in different networks. You can assign the same major network with different subnets, but routing issues sometimes occur.

Thanks

Ajay
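The check behind the accepted solution, as an added example that is not from the thread or from Cisco: given the client pool and each interface's address/mask, flag every interface whose connected subnet overlaps the pool. The thread masks the second octet as X and the DMZ third octet as Y; the values below use X=0 and Y=10 as constructed placeholders.

```python
import ipaddress

# Constructed sample values mirroring the thread (X=0, Y=10 are placeholders).
VPN_POOL = ("10.0.3.1", "10.0.3.200")            # pool handed to VPN clients
ALT_VPN_POOL = ("192.168.1.1", "192.168.1.100")  # pool that worked in the thread
INTERFACES = {
    "inside": "10.0.1.2/255.255.0.0",    # original inside interface (/16)
    "dmz": "172.16.10.1/255.255.255.0",
}
INTERFACES_FIXED = {
    "inside": "10.0.1.2/255.255.254.0",  # the /23 the poster plans to move to
    "dmz": "172.16.10.1/255.255.255.0",
}


def pool_networks(pool):
    """Expand a first-last address pool into the minimal set of CIDR blocks."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    return list(ipaddress.summarize_address_range(first, last))


def overlap_report(pool, interfaces):
    """Map each interface name to the pool blocks its connected subnet overlaps.

    An empty dict means the pool is disjoint from every interface subnet,
    which is the condition the accepted solution asks for.
    """
    report = {}
    for name, addr in interfaces.items():
        subnet = ipaddress.ip_interface(addr).network
        hits = [str(net) for net in pool_networks(pool) if net.overlaps(subnet)]
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    cases = [
        ("original pool, /16 inside", VPN_POOL, INTERFACES),
        ("original pool, /23 inside", VPN_POOL, INTERFACES_FIXED),
        ("192.168.1.x pool, /16 inside", ALT_VPN_POOL, INTERFACES),
    ]
    for label, pool, ifaces in cases:
        result = overlap_report(pool, ifaces)
        print(f"{label}: {'OVERLAP ' + str(result) if result else 'clean'}")
```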

7 REPLIES


New Member

Re: Overlapping IP between remote access VPN and inside interface

Hi Ajay,

Thanks for the reply.

I am accessing the servers in the internal network by IP address. I am still curious why the SYN-ACK is appearing on the DMZ interface.

Overlapping IP between remote access VPN and inside interface

Run packet-tracer and see what results come back.

New Member

Re: Overlapping IP between remote access VPN and inside interface

Another question.

To allow a remote access VPN user to access the network across an L2L VPN, besides doing a "same-security-traffic permit intra-interface" and a NAT exemption (e.g. nat (outside,outside) source static vpn_nat vpn_nat destination static vpn_nat vpn_nat), do we need to add to the crypto maps for the L2L VPN (e.g. include crypto map entries which use the remote access IP pool as the source IP)?

I have decided to use another, non-overlapping IP range for the remote access VPN users.

Thanks.

Re: Overlapping IP between remote access VPN and inside interface

Those commands are required for hairpinning traffic that comes in on the outside interface and returns back out over the outside for the L2L.

See if this helps to clarify: https://supportforums.cisco.com/docs/DOC-22428

Thanks

Ajay

New Member

Overlapping IP between remote access VPN and inside interface

Hi Ajay,

Thanks again.

Regards,

Victor

Re: Overlapping IP between remote access VPN and inside interface

YW Victor - let me know if you have any more questions here.
