Cisco Support Community
New Member

Overlapping Networks through a VPN Tunnel

After days of troubleshooting my NAT issue I now have an overlapping network problem.  When I ping from my source network (PIX DMZ) to my destination network (ASA 5505 Easy VPN) the ICMP response is never returned.  I can telnet to ports on the remote end, for example (telnet 192.168.168.1 443); however, a ping from 192.168.1.1 to 192.168.168.1 does not work.  The remote network is using an Easy VPN setup, but the Cisco ASA device is behind a NAT'ed DSL modem.  Look below to see if it makes sense.

PIX DMZ  192.168.1.1   -->  ##Remote Site##   --> Verizon DSL Modem  Inside 192.168.1.1 -->  Cisco ASA 5505 Outside   192.168.1.2  --> Cisco ASA 5505  Inside  192.168.168.1

As you can see, the ICMP ping will make it to the inside interface of the 5505 but will never make it back because of the NAT'ed DSL modem that is sitting in front of the 5505.  Hopefully this makes sense....

17 REPLIES
Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

Why don't you translate one of the 192.168.1.1 IPs to something else?

You can translate the 192.168.1.1 IP on the PIX DMZ to something different using policy-based static NAT, so that it is translated to something different only when it needs to get through the VPN.

New Member

Re: Overlapping Networks through a VPN Tunnel

Can you give me an example?  Would I create the static and bind it from the inside to the outside?

static (inside,outside) 192.168.1.0 255.255.255.0  ?

Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

I am not sure how your network is set up, but yes, I can give an example.

So you can't do much on your DMZ PIX for the 192.168.1.1 IP.

You need to translate it to something else on the next hop, if it is capable of NATting at all.

You can change the source IP:

---pixdmz 192.168.1.1-------------------router-----------

So translate 192.168.1.1 -> 192.168.100.1, for example.

Or:

If you are already PATting on the PIX and this 192.168.1.1 is the PATted IP of the network behind the PIX, then use policy NAT:

access-list remote extended permit ip
nat (inside) 1 access-list remote
global (dmz) 1 192.168.100.1

This will take care of NATting for the interesting traffic.

nat (inside) 2 0.0.0.0 0.0.0.0
global (dmz) 2 interface

This will take care of NATting for the rest of the traffic.

New Member

Re: Overlapping Networks through a VPN Tunnel

Here is my current NAT configuration:

# sh run nat

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list nonat-dmz

nat (DMZ) 1 0.0.0.0 0.0.0.0

#sh run | i global
global (outside) 1 interface

Would I use the following:

access-list nonat line 10 extended permit ip 192.168.1.0 255.255.255.0 10.80.1.0 255.255.255.0
nat (inside) 2 access-list remote
global (dmz) 1 10.80.1.1

Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

Where is the 192.168.1.1 IP, on which interface? Also, what is the 192.168.1.1 IP?

New Member

Re: Overlapping Networks through a VPN Tunnel

The 192.168.1.0/24 subnet is the DMZ interface on the PIX.

interface Ethernet2.80
vlan 50
nameif DMZ
security-level 80
ip address 192.168.1.1 255.255.255.0

New Member

Re: Overlapping Networks through a VPN Tunnel

Can you give an example?

Thanks.

Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

Do you want the users behind the ASA to access resources via the VPN you are trying to configure?

New Member

Re: Overlapping Networks through a VPN Tunnel

Everyone on the inside network of the PIX along with the DMZ segment should have the ability to reach the remote network.

Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

Try what I wrote in my previous post:

access-list remote extended permit ip
nat (inside) 1 access-list remote
global (dmz) 1 192.168.100.1

This will take care of NATting for the interesting traffic.

nat (inside) 2 0.0.0.0 0.0.0.0
global (dmz) 2 interface

This will let your internal users access the remote end, as we will be PATting the source IP to 192.168.100.1.

New Member

Re: Overlapping Networks through a VPN Tunnel

I must say I am confused on this topic.  This is a snippet of what I'm currently using, which is not working.

access-list nonat extended permit ip 192.168.168.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list nonat-dmz extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0


nat (DMZ) 0 access-list nonat-dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0

# sh run | i globa
global (outside) 1 interface
global (DMZ) 1 192.168.100.1

Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

I understand it's getting very confusing, let's start over... we know what the problem is.

Can you give the internal network on the PIX side and the ASA side?

Also, please paste the NAT and crypto config on both ends.

New Member

Re: Overlapping Networks through a VPN Tunnel

####### PIX Interfaces ########

Inside and DMZ interfaces on the PIX:

sh int ip bri
Ethernet1.100              10.45.45.2      YES CONFIG up                    up
Ethernet2.50               192.168.1.1     YES CONFIG up                    up

####### NAT Interfaces on PIX ########

access-list nonat extended permit ip 192.168.168.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list nonat-dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0

# sh run | i globa
global (outside) 1 interface
global (DMZ) 1 192.168.100.1

####### Tunnel Group / Group Policy Interfaces on PIX ########

tunnel-group ASA-test general-attributes
address-pool S2S
default-group-policy ASA-S2S
tunnel-group ASA-test ipsec-attributes
pre-shared-key

group-policy ASA-S2S internal
group-policy ASA-S2S attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ASA-S2S
nem enable

access-list ASA-S2S extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8

object-group network DM_INLINE_NETWORK_7
network-object 192.168.1.0 255.255.255.0
network-object 10.37.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object 10.22.250.0 255.255.255.0
network-object 192.168.168.0 255.255.255.0

####### Remote Easy VPN Client on ASA5505 ########

vpnclient server
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup ASA-test password
vpnclient username test password
vpnclient enable

####### IP Info on ASA5505 ########
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      192.168.168.1   YES CONFIG up                    up
Vlan2                      192.168.1.30    YES CONFIG up                    up

Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

Hmmm, that's gonna be tricky now...

I don't think this would work because all encrypted packets would have source IP 192.168.1.1. I think you need to change IPs, or at least do some variable subnetting so that we put them in different networks.
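Added example, not from the thread or from Cisco: a small Python check that finds which prefixes on the two ends of the tunnel collide and picks a spare block that a policy NAT (the nat/global pair discussed above) could map the real subnet into before it enters the tunnel. The prefixes come from the interface output posted above; the labels and the 10.80.0.0/16 candidate pool are assumptions.

```python
import ipaddress

# Prefixes taken from the interface output posted in this thread; the
# dictionaries and their labels are constructed here, not Cisco identifiers.
PIX_SIDE = {
    "PIX inside (Ethernet1.100)": "10.45.45.0/24",
    "PIX DMZ (Ethernet2.50)": "192.168.1.0/24",
}
ASA_SIDE = {
    "ASA inside (Vlan1)": "192.168.168.0/24",
    "ASA outside / DSL modem LAN (Vlan2)": "192.168.1.0/24",
}


def find_overlaps(local, remote):
    """Return (local_label, remote_label, common_prefix) for every colliding pair.

    Two prefixes collide when one contains the other; the more specific
    (longer) prefix is reported as the shared range.
    """
    hits = []
    for lname, lnet in local.items():
        for rname, rnet in remote.items():
            a, b = ipaddress.ip_network(lnet), ipaddress.ip_network(rnet)
            if a.overlaps(b):
                common = a if a.prefixlen >= b.prefixlen else b
                hits.append((lname, rname, str(common)))
    return hits


def is_free(prefix, *sides):
    """True if prefix collides with no network on any of the given sides."""
    cand = ipaddress.ip_network(prefix)
    return not any(cand.overlaps(ipaddress.ip_network(n))
                   for side in sides for n in side.values())


def pick_free_block(pool, *sides, prefixlen=24):
    """First /prefixlen subnet carved from pool that both sides leave unused,
    i.e. a safe mapped range for the policy NAT; None if the pool is exhausted."""
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if is_free(str(cand), *sides):
            return str(cand)
    return None


if __name__ == "__main__":
    for lname, rname, common in find_overlaps(PIX_SIDE, ASA_SIDE):
        print(f"overlap: {lname} <-> {rname} on {common}")
    # 192.168.100.1 is the global (mapped) address proposed in the thread
    print("192.168.100.0/24 free:", is_free("192.168.100.0/24", PIX_SIDE, ASA_SIDE))
    print("candidate mapped block:", pick_free_block("10.80.0.0/16", PIX_SIDE, ASA_SIDE))
```

Run it before writing the nat/global pair: the mapped block must be free on both ends, otherwise the translation simply moves the collision.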

New Member

Re: Overlapping Networks through a VPN Tunnel

I will change the remote IP and gateway to fix the issue.  I will report back on my findings.

thx

New Member

Re: Overlapping Networks through a VPN Tunnel

After changing the remote ASA 5505's outside interface I was able to ping through the tunnel.  It would be nice to know how to set up the NAT / PAT for future overlapping issues.  At least I was able to pinpoint the issue with this thread.  Thanks!

PIX DMZ      192.168.1.1
PIX Outside  66.x.x.x
      |
Remote Verizon ADSL Modem
  Outside  72.100.x.x
  Inside   10.100.1.1
      |
Cisco ASA 5505 Outside "Easy VPN"  10.100.1.10
      |
Cisco ASA 5505 Inside              192.168.168.1

Cisco Employee

Re: Overlapping Networks through a VPN Tunnel

w
