Pushing Same Subnet Over VPN

jtmullis82 · ‎11-02-2010

I have a ASA 5520 on my local side and a 5510 on the remote end of my connection. on the backside of these I have MWR 2941's. On each 2941 I have a 172.22.117.0/26 VLAN. How can I push this link over my IPSEC L2L tunnel? What would my access lists look like? I am using cryptomaps and I tried this access list on both ends with no success " access-list outside_1_cryptomap extended permit ip 172.22.117.0/26 any " when i initiated the ping from the 2941 i could see it reaching the ASA on its local connection and the ASA was pushing it to the outside interface but never recieved the request on the other side.

I am trying to push wireless telecom radio over this link and it is imparative that it has the same IP address on the remote end as the local server on the local end. Please help.

Federico Coto Fajardo · ‎11-02-2010

Hi,

If you need to communicate two remote networks that share the same IP addressing scheme over an IPsec tunnel, you must NAT the interesting traffic.

You have 172.22.117.0/24 on both sides. In order to make this work you need something like this:

ASA 5520

access-list NAT permit ip 172.22.117.0 255.255.255.0 10.2.2.0 255.255.255.0

static (inside,outside) 10.1.1.0 access-list NAT

access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

ASA 5510

access-list NAT permit ip 172.22.117.0 255.255.255.0 10.1.1.0 255.255.255.0

static (inside,outside) 10.2.2.0 access-list NAT

access-list VPN permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

The idea is the following:

Site 5520 will translate its local 172.22.117.0 to 10.1.1.0 when going to the remote site.

Site 5510 will translate its local 172.22.117.0 to 10.2.2.0 when going to the central site.

The communication over the tunnel will flow between 10.1.1.0/24 and 10.2.2.2/24

Hope it helps.

Federico.

jtmullis82 · ‎11-02-2010

Federico,

Thank you for this response. I will begin to build this in the translations. For this to work do i need a interface on the routers with the 10.2.2.0 and 10.1.1.0 ? or do i just need to build this ACL in the ASA's?

Federico Coto Fajardo · ‎11-02-2010

There's no need for the router to even know about the 10.1.1.0 or 10.2.2.0 networks.

When the traffic reaches the ASAs, the ASAs will NAT the 172.x.x.x to 10.x.x.x and send the traffic through the tunnel.

The difference is that the routers and computers should use the 10.x.x.x to reach the remote network instead than using it's real IP 172.x.x.x

This is no problem because the receiving ASA will receive the traffic and translate it back to 172.x.x.x to send it to the VLAN.

Federico.

Atul Singh · ‎11-02-2010

You have same subnets on both ends of the vpn. To solve this problem, you can nat one of the subnet to a unique subnet (one to one) and use the NAT'd ip in the crypto acl. Here is one example:

A---------(ASA1)----------(ASA2)-----------A

ASA1:

access-list policy permit ip A B

static (inside,outside) B access-list policy

access-list crypto permit ip B C

ASA2:

access-list policy permit ip A C

static (inside,outside) C access-list policy

access-list crypto permit ip C B

So the nework behind ASA1 will access the network behind ASA2 by its translated ip B and vice versa by translated ip C. Ensure that netmask of A, B and C are consistent and there is no nat-exemption in place for this traffic. this config ensures that the two n/w with same ip can talk to each other over vpn and get internet conncectivity also.

jtmullis82 · ‎11-03-2010

I have printed the show runs for each router and also a visio that shows what i am trying to do. essentially i need to plug the peice of equipment on my far end that has a ip of 172.22.117.27 into the 2941 ( or asa ) vlan of 172.22.117 and have it be able to pass through the VPN and communicate with the WAC on my local side with a IP of 172.22.117.5. i can connect both of these peices of equipment directly into the VLAN on the ASA which is named WiMax if that makes it easier but i dont believe it does.

keep in mind the map i am using is outside_map 3. but i also cannot NAT the ip of 10.10.10.4 from my local side to 10.10.50.2 on the remote side. that IP connection doesnt need to NAT to 172.22.117 it needs to stay the way it is.

Local Side:

YPG-ASA5520-1# show run
: Saved
:
ASA Version 8.2(1)
!
hostname YPG-ASA5520-1
names
name 10.1.25.18 test
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 6.7.0.13 255.255.254.0
!
interface GigabitEthernet0/1
nameif O-M
security-level 0
ip address 10.0.2.166 255.255.255.0
!
interface GigabitEthernet0/2
nameif wimax
security-level 100
ip address 172.22.117.46 255.255.255.192
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list capin extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list capin extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list capout extended permit ip host 6.7.0.13 host 140.32.132.73
access-list capout extended permit ip host 140.32.132.73 host 6.7.0.13
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1522
mtu O-M 1500
mtu inside 1500
mtu management 1500
mtu wimax 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 6.7.0.1 1
route inside 10.1.25.0 255.255.255.0 10.10.10.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.2.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 O-M
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 140.32.167.58
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 140.32.171.2
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 140.32.132.73
crypto map outside_map 3 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group 140.32.167.58 type ipsec-l2l
tunnel-group 140.32.167.58 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.171.2 type ipsec-l2l
tunnel-group 140.32.171.2 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.132.73 type ipsec-l2l
tunnel-group 140.32.132.73 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:331847629be9d8a755003cf539ed14dc
: end
YPG-ASA5520-1#

Remote Side:

NPS-ASA5510# show run
: Saved
:
ASA Version 8.2(1)
!
hostname NPS-ASA5510
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 140.32.132.73 255.255.255.224
!
interface Ethernet0/1
nameif wimax
security-level 0
ip address 172.22.117.47 255.255.255.192
!
interface Ethernet0/2
nameif O-M
security-level 0
ip address 192.168.103.2 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list capin extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list capin extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list capout extended permit ip host 6.7.0.13 host 140.32.132.73
access-list capout extended permit ip host 140.32.132.73 host 6.7.0.13
pager lines 24
logging enable
logging buffer-size 1048576
logging console debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu O-M 1500
mtu inside 1500
mtu management 1500
mtu wimax 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
static (wimax,outside) 10.2.2.0 access-list outside_1_cryptomap
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 140.32.132.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.103.0 255.255.255.0 O-M
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 6.7.0.13
crypto map outside_map 10 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group 6.7.0.13 type ipsec-l2l
tunnel-group 6.7.0.13 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1e4f0da64d6faabb51759670ea6a3168
: end
NPS-ASA5510#

jtmullis82 · ‎11-04-2010

i created a GRE tunnel on both of the 2941's and used the source and destination as the 10.10.10 and 10.10.50 addresses that are already passing through the tunnel. this worked but i can only reach the 172.22.117 network from the remote side when i source the ping with another IP address on the router other than the 172.22.117. this will not work because the piece of equipment that needs to have the connectivity is connected via the 172.22.117. anyway i can add a certain route to allow direct ping from the remote side over the GRE tunnel without sourcing it from another VLAN?