VPN Client with Overlapping Private Networks?

wcotis60
Level 1

I have a new customer that needs to send data to us occasionally. We normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.

I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have a cable router with no VPN capability, and they don't want to spend any more money on this project.

Can this work if there is no duplication of IP addresses?

Accepted Solution

Your NONAT ACL overlaps with the static policy NAT and NONAT takes precedence over static policy NAT, that's why it's not working.

Please kindly remove the following:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0


25 Replies

Jennifer Halim
Cisco Employee

You can configure static policy NAT for that customer.

E.g.:

VPN Client pool is 192.168.1.0/24

Local LAN is 10.10.10.0/24 which overlaps with customer's network

What you would need to configure is to statically NAT your local LAN to a unique subnet (say 10.20.20.0/24) when traffic is destined towards the VPN Client pool.

access-list nat-for-vpnclient permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

static (inside,outside) 10.20.20.0 access-list nat-for-vpnclient

Split tunnel needs to include 10.20.20.0/24 network, and if you have NAT exemption configured for the VPN Client, then pls remove it.

The above sample config is assuming you are running version 8.2 or lower. If you are running 8.3 or higher, let us know and we can help with the exact command.

My ASA is running 8.2(1), so no problems there.

The customer needs to send to my server with IP 192.168.1.76, so the above NAT will make this 10.10.10.76, right?

No, on the above example, 192.168.1.x is the vpn client pool.

Based on the above example, your customer needs to send to your server 10.10.10.76, and the NAT will make it 10.20.20.76. And what your customer needs to access should be 10.20.20.76.

Maybe best for me to be more specific.

My private LAN is 192.168.1.0/24

  VPN Client Pool 1 is 192.168.250.1-192.168.250.20

  VPN Client Pool 2 is 192.168.250.101-192.168.250.110

Customer's private LAN is 192.168.1.0/24

The customer needs to transmit to my 192.168.1.76, a DICOM server, they are sending digital X-rays (CR).

=======

Also, I did enter the "static (inside,outside) 10.20.20.0 access-list nat-for-vpnclient" using the ASDM command line tool, and received the following response:

WARNING: real-address conflict with existing static

  TCP inside:192.168.1.75/443 to outside:66.100.102.199/443 netmask 255.255.255.255

WARNING: real-address conflict with existing static

  TCP inside:192.168.1.75/80 to outside:66.100.102.199/80 netmask 255.255.255.255

WARNING: real-address conflict with existing static

  TCP inside:192.168.1.75/8081 to outside:66.100.102.199/8081 netmask 255.255.255.255

WARNING: real-address conflict with existing static

  UDP inside:192.168.1.253/16000 to outside:66.100.102.248/16000 netmask 255.255.255.255

The warning messages are OK, the more specific will take precedence.

The access-list should be as follows:

access-list nat-for-vpnclient permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0

Once you have configured the above, "clear xlate", and test connecting the vpn client and access the DICOM server on 10.20.20.76.

And also, if you have split tunnel configured, pls also add the 10.20.20.0/24 subnet into your split tunnel ACL.

This works to the 10.20.20.76 address, but now the VPN Client does not see the 192.168.1.x network.

Forgot to mention earlier, if you have 192.168.1.0/24 in your split tunnel list, pls remove it. Otherwise, it will send traffic destined towards that subnet through the VPN tunnel.

Pls reconnect to the VPN tunnel after the above changes, and all should work now.

1. I have the following "SplitTunnel" commands in my ASA:

  access-list DerrRemote_splitTunnelAcl standard permit host 192.168.1.76

  access-list VPN3k_SplitTunnel_ACL remark TIC Lan

  access-list VPN3k_SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0

  access-list TMGtoTIC_splitTunnelAcl standard permit host 192.168.1.76

What needs to be changed?

2. Can I have both the 192.168.1.0/24 and 10.20.20.0/24 destination networks for the VPN Clients or will they all change to the 10.20.20.0/24?

1. Which split tunnel ACL is used by the customer who needs to send data to the DICOM server? That would be the ACL that you would need to change. Please check which group-policy is used by that client, and it would have the split tunnel reference in that group-policy.

2. For the client who has overlapping networks, you can't have both 192.168.1.0/24 and 10.20.20.0/24. You can't have the same subnet exist locally at the VPN Client LAN network as well as your network since they are Layer 3 hops away. That's the whole reason NAT is configured to allow access to overlap networks. If they need to access anything in your 192.168.1.0/24, just use the respective ip address in 10.20.20.0/24 subnet and they would be able to access the same host. For example: if they need access to 192.168.1.185, just access 10.20.20.185, and it would get access to 192.168.1.185 host.
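The two ASA 8.2 behaviours this thread depends on are easy to get wrong without a picture: the policy static rewrites only the network part of the inside address, and only for traffic to the VPN client pool, while a NAT exemption (nat 0 access-list) is evaluated before any static, which is why the accepted solution has the overlapping nonat entry removed. The model below is an added example written for this page; it is not configuration from the thread and not Cisco code. It uses the thread's LAN 192.168.1.0/24, mapped subnet 10.20.20.0/24, client pool 192.168.250.0/24 and DICOM server 192.168.1.76; the client address 192.168.250.5 and the customer-LAN host 192.168.1.50 are constructed. The conflicting exemption in the accepted solution names the later 192.168.240.0/24 pool; here it is modelled against the 192.168.250.0/24 pool so one ACL serves both cases.

```python
"""Model of two ASA 8.2 behaviours discussed in this thread (added example, not
the thread's configuration and not Cisco code):

  1. NAT exemption (``nat 0 access-list``) is evaluated before static policy
     NAT, so an overlapping NONAT entry silently defeats the policy static.
  2. ``static (inside,outside) 10.20.20.0 access-list ...`` rewrites only the
     network part of the inside address, and only when the destination matches
     the ACL (here: the VPN client pool).

Addresses from the thread: LAN 192.168.1.0/24, mapped subnet 10.20.20.0/24,
client pool 192.168.250.0/24, DICOM server 192.168.1.76. The client address
192.168.250.5 and the customer-LAN host 192.168.1.50 are constructed.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Tuple


class Ace(NamedTuple):
    """One ``permit ip <src> <dst>`` entry of an extended ACL."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


class StaticPolicyNat(NamedTuple):
    """``static (inside,outside) <mapped> access-list <acl>``: the ACL source is
    the real inside subnet, the ACL destination is the traffic that triggers NAT."""
    mapped: IPv4Network
    acl: Tuple[Ace, ...]


def ace(src: str, dst: str) -> Ace:
    return Ace(ip_network(src), ip_network(dst))


def outbound(real_src: str, dst: str, nonat: List[Ace],
             statics: List[StaticPolicyNat]) -> Tuple[str, str]:
    """Inside host -> VPN client. Returns (source address the client sees, reason)."""
    s, d = ip_address(real_src), ip_address(dst)
    if any(a.matches(s, d) for a in nonat):          # exemption is checked first
        return str(s), "nat-exempt"
    for st in statics:
        for a in st.acl:
            if a.matches(s, d):
                host = int(s) - int(a.src.network_address)   # keep the host part
                return str(IPv4Address(int(st.mapped.network_address) + host)), "static-policy"
    return str(s), "untranslated"


def inbound(client: str, mapped_dst: str, nonat: List[Ace],
            statics: List[StaticPolicyNat]) -> Tuple[str, str]:
    """VPN client -> mapped LAN address. Returns (real destination, reason).
    A static is bidirectional: 10.20.20.76 can be untranslated only if the
    reverse flow would be translated by that same static, which is exactly
    what an overlapping NAT exemption prevents."""
    c, m = ip_address(client), ip_address(mapped_dst)
    for st in statics:
        if m not in st.mapped:
            continue
        host = int(m) - int(st.mapped.network_address)
        for a in st.acl:
            if c in a.dst:
                real = IPv4Address(int(a.src.network_address) + host)
                if outbound(str(real), str(c), nonat, statics) == (str(m), "static-policy"):
                    return str(real), "static-policy"
    return str(m), "no-xlate"   # forwarded untouched; no LAN host answers to 10.20.20.x


def tunneled(dst: str, split_tunnel: List[IPv4Network]) -> bool:
    """Client-side split-tunnel decision: only listed networks enter the tunnel."""
    return any(ip_address(dst) in n for n in split_tunnel)


# Thread scenario (pool 192.168.250.0/24 as in the thread's nat-for-vpnclient ACL)
POLICY = StaticPolicyNat(ip_network("10.20.20.0/24"),
                         (ace("192.168.1.0/24", "192.168.250.0/24"),))
NONAT_OVERLAP = [ace("192.168.1.0/24", "192.168.250.0/24")]   # the entry to remove
CLIENT, DICOM = "192.168.250.5", "192.168.1.76"               # constructed client


def demo() -> dict:
    good_split = [ip_network("10.20.20.0/24")]
    bad_split = [ip_network("192.168.1.0/24"), ip_network("10.20.20.0/24")]
    return {
        "reply_seen_by_client": outbound(DICOM, CLIENT, [], [POLICY]),
        "client_to_mapped": inbound(CLIENT, "10.20.20.76", [], [POLICY]),
        "client_to_mapped_with_nonat": inbound(CLIENT, "10.20.20.76", NONAT_OVERLAP, [POLICY]),
        "good_split_customer_lan": tunneled("192.168.1.50", good_split),   # stays local
        "bad_split_customer_lan": tunneled("192.168.1.50", bad_split),     # wrongly tunnelled
        "good_split_dicom_mapped": tunneled("10.20.20.76", good_split),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the client reaching 192.168.1.76 through 10.20.20.76 with the policy static alone, the same packet going nowhere once the overlapping nonat entry exists, and the customer's own 192.168.1.x hosts being pulled into the tunnel whenever 192.168.1.0/24 is left in the split-tunnel ACL.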

Could I add a separate "group policy" for the 'Overlapping' sites to use and leave the other ones in place?

If this can be done, can the new group not be allowed split tunnel access?

You can configure a separate group-policy, and leave the other one in place. You would need to assign this group policy to the respective tunnel-group.

Well, you can't really disable split tunnel since there are overlapping networks, otherwise, they won't be able to access their own subnet if you disable split tunnel.

I created a new 'Remote Access Tunnel', a new 'Client Pool' (192.168.240.0/24), new User, and on the Client side use a new profile.

I then tested the initial setting and was able to login with the new stuff, and everything worked as expected.

Then I added an ACE in Standard ACL for 10.30.30.0/24 and can login, but can't ping anything, not 192.168.1.x or 10.30.30.x.

Can you please share the config that you have just added, especially the ACL and where you applied the ACL. Thx.
