Cisco Support Community
New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Hi,

I have a VPN tunnel between Site A and Site B, which are both on the same LAN.

Site A has an inside LAN of 192.168.0.0/24 and a DMZ of 10.0.0.0/24.

Site B has an inside LAN of 192.168.0.0/24.

I have the VPN set up to communicate between the Site A DMZ and the Site B inside.

Both tunnels are up but I'm unable to ping the other site and vice versa. Also, from the DMZ, when I ping the 192.168.0.0/24 range the ping times out; I guess this is because the ping is sent to the inside LAN of Site A. Also, the DMZ has a security level of 50 and the inside LAN of Site A a security level of 0.

Is there any way of making this work?

Thanks

1 ACCEPTED SOLUTION
New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

John,

That could be a solution.

If they NAT their network to their Outside IP address it will work, but it is a little bit different from a regular tunnel.

If they NAT their entire 192.168.0.0/24 network to the Outside IP of the Juniper box, then the tunnel will get established and they will be able to send traffic and access your network with no problem. However, you won't be able to send (initiate) traffic to their side, because their internal network is hidden behind the Outside IP address. That kind of translation is called PAT.

If you need full two-way communication across the tunnel you need to ask them to translate their network on a one-to-one basis, so that they can access you and you can access them.

The other solution is to translate their network on your ASA. You can do the following:

static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0

With that line in place, the tunnel configuration will remain the same; no changes are required there. But when you need to access their network you should point traffic to the 192.168.200.0/24 addresses, not the original 192.168.0.0/24.

So, in the case where you need to access their 192.168.0.10 host from your DMZ, you will need to actually try to access 192.168.200.10.

Why don't you give this a shot and let me know the results?

23 REPLIES
New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Hello John,

This is a known issue with overlapping networks.

Even though you are trying to communicate between 10.0.0.0/24 (Site A) and 192.168.0.0/24 (Site B), and those are different networks, Site A also has a 192.168.0.0/24 network and that will cause routing issues. Site A will treat all traffic to 192.168.0.0/24 as local traffic, even though you want it to send that traffic across the tunnel.

The way to fix this problem is to create a translation for the 192.168.0.0/24 coming from Site B.

Before going any further: do you manage both sites? Do you have access to the Site A and Site B VPN devices?

Are both devices ASAs? What versions are those devices running?

We need to have this information at least, so that I can give you the right directions.

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Thanks Daniel,

I only manage the site A, but I can contact the other party to make changes.

Site A has a 5510 and the other site is using Juniper.

I think, not sure but Site A is using 8.2.

Would you say that I should ask Site B to NAT to their outside interface? Therefore my destination would be their outside IP address?

Thanks

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Thanks Daniel,

I'll give this a go and let you know by Sunday evening UK time.

Thanks

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Hi,

I'm not able to use the static NAT as I have devices which communicate from the inside 192.168.0.0/24 to the 10.0.0.0/24 range in Site A.

Any suggestions please?

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Hi John,

Daniel has suggested NATting your subnet to the 192.168.200.0 subnet when you try to get the traffic to go through the tunnel.

For the 192.168.0.0/24 subnet, why don't you give a longer-match reverse route towards the inside zone? I believe this should solve your problem.

Please let me know if there are any challenges in implementing this.

Cheers

Arun.

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Hi Arun,

How would I implement the long matched reverse route?

Thanks.

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Hi John,

Let's say in the DMZ zone you already have a specific route pointing to 192.168.200.0/24, i.e. the locally significant subnet for NAT.

Now you just need to give a route in the DMZ pointing towards the Inside zone saying that whatever replies are to be sent to the 192.168.0.0/16 range, just forward them to the Inside zone, whereas the 200.0/24 subnet will take care of the tunnel traffic.

If I am right:

route Inside 192.168.0.0 255.255.0.0 {next hop in the Inside subnet}

I believe you already have the routing from the Inside to the DMZ zone, so the above command should do the job.

Cheers

Arun.

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

From my understanding, would I need the route command in there? When I do a show route the inside is directly connected, therefore it would forward the traffic straight out.

Can someone please explain to me what this command does: static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0 ?

Thanks

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

Looking at the static command, I guess the outside IP is 0.0 and the inside is 200.0? It's the other way round.

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

John,

The NAT command specified above by you actually says:

1. The direction of NAT is from Outside to DMZ.

2. The subnet 192.168.0.0 is NATted to 192.168.200.0 (you might be getting confused here, thinking why this is the other way around. Well, that is the way the ASA command has been formulated.) So basically, the NAT zones and the subnets mirror each other.

Hope that helps.

Cheers

Arun.

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

I thought the NAT was from DMZ to outside, translating the IP from 200.0 to 0.0?

Also, where would the static command be executed, between what events of the packet being sent and being received?

Thank you.

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

John,

If you see, the NAT direction, although from outside to DMZ, works both ways, since it is a static NAT. Traffic originating from the remote end will get NATted to 200.0 (192.168.0.10 gets NATted to 192.168.200.10) and traffic from the DMZ to the remote end will get NATted to 192.168.0.0 too.

This is what Daniel meant when he wrote: "So, in the case where you need to access their 192.168.0.10 host from your DMZ, you will need to actually try to access 192.168.200.10."

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

Thank you very much.

I wanted to know at which stage the command would be executed: is it at the last stage when traffic is sent and the first when it returns?

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

John,

The command will get executed as soon as any traffic with a source of 192.168.0.0/24 hits the Outside interface, or with a destination of 192.168.200.* hits the Outside interface from the DMZ. Only when traffic matching the destination or source of the NAT statement is encountered will the NAT start its work.

HTH

Cheers

Arun

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

Hi Arun,

If this is the case then this will not work for me, because on my inside I have a 192.168.0.0/24 range which connects to the Internet but is NATted with PAT. Therefore I cannot have traffic which is generated from the inside being NATted to a 200.0 address when it hits the outside. Traffic from my inside should be NATted with PAT. Only traffic from the DMZ should apply this NAT rule, and any traffic which comes from the outside, i.e. the VPN, should then be directed via the NAT rule to the DMZ?

Sorry, but does this make sense?

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

Hi,

Just follow the URL below and I think it will resolve the issue.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Re: Site to Site VPN on same LAN address subnet - Cannot communi

Get the other party to NAT on their end. See if they can do that :)

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

John,

It will work because your 192.168.0.0 from the Inside zone is PATted, I believe, to the Outside interface. Traffic from the DMZ will only get NATted if it hits 192.168.200.0 on the Outside interface (not on the Inside interface). So you do not have to worry about the traffic being affected as it comes out from the Inside interface.

The concept basically is this:

If the flow of traffic in an ASA, or in any router for that matter, is from the Inside zone to the Outside zone, traffic gets routed first and then NATted, since the appliance has to first identify through which interface it has got to pass, as NAT commands are interface specific. But when traffic comes from the outside, it gets NATted first and then routed.

When 192.168.0.0 comes to the Outside zone from the Inside zone (due to the connected route on the ASA), the traffic gets PATted to the Outside interface and is able to access the Internet.

When traffic from the DMZ gets routed to 192.168.200.0 (as routing happens before NATting), NAT will happen only for that traffic which has its destination as 192.168.200.0 (and as traffic from the Inside interface matches the longer route of 0.0.0.0 0.0.0.0, it won't come under this static NAT statement's jurisdiction, and hence will not be affected).

HTH

Cheers

Arun
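
The mapping that Daniel's accepted static (outside,DMZ) line defines, and the interface scoping Arun describes in the post above, as an added simulation written for this page: it is not part of the original thread and not Cisco code, and it is not a faithful ASA implementation. It models only what the posts state for a pre-8.3 ASA: a netmask static is a one-to-one translation, it is applied in both directions but only between the interface pair named in it, and the crypto ACL is evaluated on the real (untranslated) addresses, so the interesting-traffic definition stays 10.0.0.0/24 to 192.168.0.0/24. The routing table, the host addresses, the crypto ACL and the documentation-range Internet host are assumptions made for the example; PAT for the inside network, nat-control and remote-access users are deliberately left out.

```python
"""Added simulation of the overlapping-subnet fix discussed in this thread.

Not Cisco code and not a faithful ASA implementation: it models only what the
posts state for a pre-8.3 ASA.  A one-to-one "static" is bidirectional, is
scoped to the interface pair named in it, and the crypto ACL sees the real
(untranslated) addresses.  Interfaces, hosts and the ACL are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Site A routing table (assumed): two connected networks and a default route.
ROUTES = [
    (Net("192.168.0.0/24"), "inside"),
    (Net("10.0.0.0/24"), "DMZ"),
    (Net("0.0.0.0/0"), "outside"),
]

# static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0
#   syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC = {
    "real_ifc": "outside", "real": Net("192.168.0.0/24"),    # Site B as seen on outside
    "mapped_ifc": "DMZ", "mapped": Net("192.168.200.0/24"),  # Site B as seen from the DMZ
}

# Interesting traffic for the tunnel, unchanged from a normal tunnel (assumed).
CRYPTO_ACL = (Net("10.0.0.0/24"), Net("192.168.0.0/24"))


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: IPv4
    dst: IPv4


@dataclass(frozen=True)
class Result:
    egress: str
    src: IPv4
    dst: IPv4
    static_hit: bool   # did the static translate this packet?
    encrypted: bool    # did the post-NAT packet match the crypto ACL?


def route(dst: IPv4) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    matches = [(net, ifc) for net, ifc in ROUTES if dst in net]
    _, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return ifc


def shift(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """One-to-one netmask translation: keep the host bits, swap the prefix."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("a netmask static needs equal-sized real and mapped networks")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def apply_static(pkt: Packet, egress: str):
    """Translate only between the static's interface pair, in either direction."""
    s = STATIC
    # outside -> DMZ: a real Site B source becomes its mapped 192.168.200.x twin
    if (pkt.ingress, egress) == (s["real_ifc"], s["mapped_ifc"]) and pkt.src in s["real"]:
        return replace(pkt, src=shift(pkt.src, s["real"], s["mapped"])), True
    # DMZ -> outside: a mapped destination is untranslated to the real address
    if (pkt.ingress, egress) == (s["mapped_ifc"], s["real_ifc"]) and pkt.dst in s["mapped"]:
        return replace(pkt, dst=shift(pkt.dst, s["mapped"], s["real"])), True
    return pkt, False   # inside<->outside and DMZ<->inside flows are untouched


def forward(pkt: Packet) -> Result:
    """Route on the original destination, apply the static, then test the crypto ACL."""
    egress = route(pkt.dst)
    out, hit = apply_static(pkt, egress)
    encrypted = egress == "outside" and out.src in CRYPTO_ACL[0] and out.dst in CRYPTO_ACL[1]
    return Result(egress, out.src, out.dst, hit, encrypted)


def demo() -> dict:
    """Four constructed flows covering the cases raised in the thread."""
    cases = {
        "dmz_to_remote":       Packet("DMZ", IPv4("10.0.0.5"), IPv4("192.168.200.10")),
        "remote_to_dmz":       Packet("outside", IPv4("192.168.0.10"), IPv4("10.0.0.5")),
        "dmz_to_local_inside": Packet("DMZ", IPv4("10.0.0.5"), IPv4("192.168.0.20")),
        "inside_to_internet":  Packet("inside", IPv4("192.168.0.20"), IPv4("198.51.100.1")),
    }
    return {name: forward(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:20} egress={r.egress:8} {r.src} -> {r.dst}  "
              f"static={r.static_hit} ipsec={r.encrypted}")
```

Running it shows the four outcomes the thread argues for: a DMZ host addressing 192.168.200.10 leaves the outside interface as 10.0.0.5 -> 192.168.0.10 and matches the unchanged crypto ACL; the remote 192.168.0.10 arrives on the DMZ as 192.168.200.10, so replies go back through the same static symmetrically; DMZ traffic to the local 192.168.0.0/24 is routed to the inside interface and never touches the static; and inside-to-Internet traffic uses the inside/outside pair, which the static does not cover.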

New Member

Re: Site to Site VPN on same LAN address subnet - Cannot communi

Thank you very much.

It is much clearer now.

I also have VPN users who VPN to the ASA and access the inside and DMZ; will this static command affect them?

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

John,

No, it won't affect them.

Cheers

Arun

New Member

Site to Site VPN on same LAN address subnet - Cannot communicate

Hello John,

I'm sorry I didn't get to this over the weekend.

What Arun has told you is correct. The translation I suggested will not affect the communication that is currently happening between your DMZ and Inside interfaces.

It won't affect the traffic from the Inside to the Internet either. This is only for the Site-to-Site tunnel to work with the overlapping situation you have.

The VPN users won't be affected as long as they are not coming as part of the 192.168.0.0/24 network.

Finally, you don't need to add any route statements for the communication between your internal 10.0.0.0/24 and 192.168.0.0/24 networks. Since those are directly connected to the DMZ and Inside interfaces respectively, the ASA will handle the routing without the need for the route command.

After adding the static command that I suggested, if you need to access the Inside network from your DMZ you can do that with no problem, just as you have been doing it so far. And if you need to access the remote network across the tunnel, just keep in mind you will need to point the connection to a 192.168.200.0/24 address. And there is no need for you to modify the interesting traffic definition (crypto map acl) from the way it is defined right now.

If you have any other doubts just let me know.
