Cisco Support Community
New Member

VPN Client with Overlapping Private Networks?

I have a new customer that needs to send data to us occasionally, we normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.

I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have cable router with no VPN capability, and they don't want to spend any more money on this project.

Can this work if there is no duplication of IP addresses?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

VPN Client with Overlapping Private Networks?

Your NONAT ACL overlaps with the static policy NAT and NONAT takes precedence over static policy NAT, that's why it's not working.

Please kindly remove the following:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

25 REPLIES
Cisco Employee

VPN Client with Overlapping Private Networks?

You can configure static policy NAT for that customer.

Eg:

VPN Client pool is 192.168.1.0/24

Local LAN is 10.10.10.0/24 which overlaps with customer's network

What you would need to configure is to statically NAT your local LAN to a unique subnet (say 10.20.20.0/24) when traffic is destined towards the VPN Client pool.

access-list nat-for-vpnclient permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

static (inside,outside) 10.20.20.0 access-list nat-for-vpnclient

Split tunnel needs to include the 10.20.20.0/24 network, and if you have NAT exemption configured for the VPN Client, then please remove it.

The above sample config is assuming you are running version 8.2 or lower. If you are running 8.3 or higher, let us know and we can help with the exact command.

New Member

VPN Client with Overlapping Private Networks?

My ASA is running 8.2(1), so no problems there.

The customer needs to send to my server with IP 192.168.1.76, so the above NAT will make this 10.10.10.76, right?

Cisco Employee

VPN Client with Overlapping Private Networks?

No, in the above example, 192.168.1.x is the VPN client pool.

Based on the above example, your customer needs to send to your server 10.10.10.76, and the NAT will make it 10.20.20.76. So what your customer needs to access should be 10.20.20.76.

New Member

Re: VPN Client with Overlapping Private Networks?

Maybe best for me to be more specific.

My private LAN is 192.168.1.0/24

  VPN Client Pool 1 is 192.168.250.1-192.168.250.20

  VPN Client Pool 2 is 192.168.250.101-192.168.250.110

Customer's private LAN is 192.168.1.0/24

The customer needs to transmit to my 192.168.1.76, a DICOM server, they are sending digital X-rays (CR).

=======

Also, I did enter the "static (inside,outside) 10.20.20.0 access-list nat-for-vpnclient" using the ASDM command line tool, and received the following response:

WARNING: real-address conflict with existing static

  TCP inside:192.168.1.75/443 to outside:66.100.102.199/443 netmask 255.255.255.255

WARNING: real-address conflict with existing static

  TCP inside:192.168.1.75/80 to outside:66.100.102.199/80 netmask 255.255.255.255

WARNING: real-address conflict with existing static

  TCP inside:192.168.1.75/8081 to outside:66.100.102.199/8081 netmask 255.255.255.255

WARNING: real-address conflict with existing static

  UDP inside:192.168.1.253/16000 to outside:66.100.102.248/16000 netmask 255.255.255.255

Cisco Employee

Re: VPN Client with Overlapping Private Networks?

The warning messages are OK; the more specific one will take precedence.

The access-list should be as follows:

access-list nat-for-vpnclient permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0

Once you have configured the above, "clear xlate", and test connecting the vpn client and access the DICOM server on 10.20.20.76.

Cisco Employee

Re: VPN Client with Overlapping Private Networks?

And also, if you have split tunnel configured, please also add the 10.20.20.0/24 subnet into your split tunnel ACL.

New Member

VPN Client with Overlapping Private Networks?

This works to the 10.20.20.76 address, but now the VPN Client does not see the 192.168.1.x network.

Cisco Employee

VPN Client with Overlapping Private Networks?

Forgot to mention earlier: if you have 192.168.1.0/24 in your split tunnel list, please remove it. Otherwise, it will send traffic destined towards that subnet through the VPN tunnel.

Please reconnect to the VPN tunnel after the above changes, and all should work now.

New Member

VPN Client with Overlapping Private Networks?

1. I have the following "SplitTunnel" commands in my ASA:

  access-list DerrRemote_splitTunnelAcl standard permit host 192.168.1.76

  access-list VPN3k_SplitTunnel_ACL remark TIC Lan

  access-list VPN3k_SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0

  access-list TMGtoTIC_splitTunnelAcl standard permit host 192.168.1.76

What needs to be changed?

2. Can I have both the 192.168.1.0/24 and 10.20.20.0/24 destination networks for the VPN Clients or will they all change to the 10.20.20.0/24?

Cisco Employee

VPN Client with Overlapping Private Networks?

1. Which split tunnel ACL is used by the customer who needs to send data to the DICOM server? That would be the ACL that you would need to change. Please check which group-policy is used by that client; it would have the split tunnel reference in that group-policy.

2. For the client who has overlapping networks, you can't have both 192.168.1.0/24 and 10.20.20.0/24. You can't have the same subnet exist locally at the VPN Client LAN network as well as your network, since they are Layer 3 hops away. That's the whole reason NAT is configured to allow access to overlapping networks. If they need to access anything in your 192.168.1.0/24, just use the respective IP address in the 10.20.20.0/24 subnet and they would be able to access the same host. For example: if they need access to 192.168.1.185, just access 10.20.20.185, and it would get access to the 192.168.1.185 host.

New Member

Re: VPN Client with Overlapping Private Networks?

Could I add a separate "group policy" for the 'Overlapping' sites to use and leave the other ones in place?

If this can be done, can the new group not be allowed split tunnel access?

Cisco Employee

Re: VPN Client with Overlapping Private Networks?

You can configure a separate group-policy, and leave the other one in place. You would need to assign this group policy to the respective tunnel-group.

Well, you can't really disable split tunnel since there are overlapping networks; otherwise, they won't be able to access their own subnet if you disable split tunnel.

New Member

Re: VPN Client with Overlapping Private Networks?

I created a new 'Remote Access Tunnel', a new 'Client Pool' (192.168.240.0/24), new User, and on the Client side use a new profile.

I then tested the initial setting and was able to login with the new stuff, and everything worked as expected.

Then I added an ACE in the standard ACL for 10.30.30.0/24 and can log in, but can't ping anything, not 192.168.1.x or 10.30.30.x.

Cisco Employee

Re: VPN Client with Overlapping Private Networks?

Can you please share the config that you have just added, especially the ACL and where you applied the ACL. Thanks.

New Member

VPN Client with Overlapping Private Networks?

I used ASDM to add the new "Remote Access VPN", here are the new lines:

access-list VPN2nat_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

ip local pool VPN2nat_Pool 192.168.240.1-192.168.240.254 mask 255.255.255.0

group-policy VPN2nat internal

group-policy VPN2nat attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN2nat_splitTunnelAcl

username creek2nat attributes

vpn-group-policy VPN2na

tunnel-group VPN2nat type remote-access

tunnel-group VPN2nat general-attributes

address-pool VPN2nat_Pool

default-group-policy VPN2nat

tunnel-group VPN2nat ipsec-attributes

pre-shared-key *

static (inside,outside) 10.30.30.0  access-list nat2VPN

Cisco Employee

VPN Client with Overlapping Private Networks?

Please kindly configure the following:

access-list VPN2nat_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0

no access-list VPN2nat_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Then reconnect the vpn client again, and it should be able to access the local network as well as the remote network.

New Member

VPN Client with Overlapping Private Networks?

I applied these lines, and the 10.30.30.x address is assigned at the client end.

The client cannot ping anything in the 10.30.30.0 or 192.168.1.0 networks.

The line from my previous post "static (inside,outside) 10.30.30.0  access-list nat2VPN" is not present in the ASA.

I tried to create "static (inside,outside) 10.30.30.0  access-list VPN2nat_splitTunnelAcl" but get an overlapping error message.

Seems this is the missing link, how do I get it added in?

Cisco Employee

VPN Client with Overlapping Private Networks?

This needs to be configured:

access-list nat2VPN permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

static (inside,outside) 10.30.30.0  access-list nat2VPN

You can't use the "VPN2nat_splitTunnelAcl" access-list because it's a standard access-list. It needs to be an extended access-list applied to the static NAT statement.

BTW, what do you mean by "the 10.30.30.x address is assigned at the client end"? The IP pool should remain as original (192.168.240.0/24). You are not meant to change the VPN client pool to 10.30.30.x. This is the NATed IP for your internal network.

Quoting from your last post: "I created a new 'Remote Access Tunnel', a new 'Client Pool' (192.168.240.0/24), new User, and on the Client side use a new profile."

New Member

VPN Client with Overlapping Private Networks?

I decided to start fresh, restored settings from file to the ASA and reloaded. Used the wizard to create a new IPsec Remote Access VPN. I then ran the two commands from your last post of 6/14@12:48. The resulting lines in the config are:

tunnel-group VPN2nat type remote-access
tunnel-group VPN2nat general-attributes
 address-pool VPN2nat_Pool
 default-group-policy VPN2nat
tunnel-group VPN2nat ipsec-attributes
 pre-shared-key *

ip local pool VPN2nat_Pool 192.168.240.1-192.168.240.254

group-policy VPN2nat attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN2nat_splitTunnelAcl

username Creek1 password 8rqh8Yz4KElpzAzu encrypted privilege 0
username Creek1 attributes
 vpn-group-policy VPN2nat

access-list VPN2nat_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0 

I ran 'clear xlate' and 'clear arp' on the ASA and went to my test PC in different office and logged in using the above settings.

The Cisco VPN Client got an IP address of 192.168.240.1 as expected. The Route Details show "Secured Routes" of 10.30.30.0 255.255.255.0.

Could not ping 10.30.30.76 from this pc, could not ping anything in either 10.30.30.0 or 192.168.1.0 networks.

Cisco Employee

VPN Client with Overlapping Private Networks?

One config missing, do you have the static policy NAT?

access-list nat2VPN permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

static (inside,outside) 10.30.30.0  access-list nat2VPN

Can you please share your static NAT statement as well as the corresponding access-list.

New Member

VPN Client with Overlapping Private Networks?

Here are all of the "access-list" commands in my ASA; the two in your 6/14 8:59 PM post are the last ones in this list:

access-list outside_in extended permit tcp any host 66.0.171.243 eq 1199

access-list outside_in extended permit tcp any host 66.0.171.243 eq www

access-list outside_in extended permit tcp any host 66.0.171.243 eq https

access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host 66.0.171.243

access-list outside_in extended permit tcp any host 66.0.102.205 object-group DM_INLINE_TCP_2

access-list outside_in extended permit tcp any host 66.0.102.195 eq ftp

access-list outside_in extended permit tcp any host 66.0.102.195 eq ftp-data

access-list outside_in extended permit tcp any host 66.0.102.195 eq ssh

access-list outside_in extended permit tcp any host 66.0.102.193 eq pcanywhere-data

access-list outside_in extended permit udp any host 66.0.102.193 eq pcanywhere-status

access-list outside_in extended permit tcp any eq ftp host 66.0.102.193 eq ftp

access-list outside_in extended permit tcp any eq ftp-data host 66.0.102.193 eq ftp-data

access-list outside_in extended permit tcp any eq ssh host 66.0.102.193 eq ssh

access-list outside_in extended permit tcp any host 66.0.102.194 eq ftp-data

access-list outside_in extended permit tcp any host 66.0.102.194 eq ftp

access-list outside_in extended permit tcp any host 66.0.171.244 eq 104

access-list outside_in extended permit udp any host 66.0.171.244 eq pcanywhere-status

access-list outside_in extended permit tcp any host 66.0.171.244 eq pcanywhere-data

access-list outside_in extended permit tcp any host 66.0.171.245 eq pcanywhere-data

access-list outside_in extended permit udp any host 66.0.171.245 eq pcanywhere-status

access-list outside_in extended permit tcp any host 66.0.171.246 eq pcanywhere-data

access-list outside_in extended permit udp any host 66.0.171.246 eq pcanywhere-status

access-list outside_in extended permit tcp any host 66.0.102.197 eq pcanywhere-data

access-list outside_in extended permit udp any host 66.0.102.197 eq 5631

access-list outside_in extended permit tcp any host 66.0.171.241 eq pcanywhere-data

access-list outside_in extended permit udp any host 66.0.171.241 eq pcanywhere-status

access-list outside_in extended permit tcp any eq ftp-data host 66.0.171.241 eq ftp-data

access-list outside_in extended permit tcp any eq ftp host 66.0.171.241 eq ftp

access-list outside_in extended permit tcp any host 66.0.171.242 eq pcanywhere-data

access-list outside_in extended permit udp any host 66.0.171.242 eq pcanywhere-status

access-list outside_in extended permit object-group DM_INLINE_SERVICE_2 any host 66.0.102.196

access-list outside_in extended permit tcp any host 66.0.171.241 eq 104

access-list outside_in extended permit udp any host 66.0.171.241 eq 104

access-list outside_in extended permit tcp any host 66.0.171.241 eq 1199

access-list outside_in extended permit tcp any host 66.0.171.241 eq www

access-list outside_in extended permit tcp any host 66.0.102.198 eq pcanywhere-data

access-list outside_in extended permit udp any host 66.0.102.198 eq pcanywhere-status

access-list outside_in extended permit tcp any host 66.0.102.200

access-list outside_in extended permit tcp any host 66.0.102.204 object-group DM_INLINE_TCP_3

access-list outside_in remark Toshiba CT VPN

access-list outside_in extended permit udp host 66.0.102.203 host 66.0.102.203

access-list outside_in extended permit tcp host 66.0.102.203 host 66.0.102.203

access-list outside_in extended permit udp host 66.0.102.202 host 66.0.102.202

access-list outside_in extended permit tcp host 66.0.102.202 host 66.0.102.202

access-list outside_in extended permit ip any host 66.0.102.248

access-list outside_in extended permit tcp any host 66.0.102.199 eq 8081

access-list outside_in extended permit tcp any host 66.0.102.199 eq https

access-list outside_in extended permit tcp any host 66.0.102.205 object-group jabber

access-list outside_in extended permit tcp any host 66.0.102.199 eq www

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 65.7.251.224

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.13.13.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.25.254.128 255.255.255.128

access-list nonat extended permit ip host 192.168.1.76 host 202.51.251.21

access-list nonat extended permit ip host 192.168.1.76 host 128.8.25.104

access-list nonat extended permit ip host 192.168.1.76 host 216.119.191.12

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.128

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.32.48.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.28.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.43.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.78.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.76 host 10.188.132.44

access-list nonat extended permit ip host 192.168.1.76 host 10.2.79.97

access-list nonat extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9

access-list nonat extended permit ip host 192.168.1.76 172.16.4.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.213

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.214

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.215

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.216

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.218

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.219

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.220

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.222

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.223

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.224

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.225

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.226

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.227

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.228

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.30

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.37

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.32

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.5

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.38

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.200.122.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.6.10.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.76 192.168.76.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.76 192.168.250.0 255.255.255.128

access-list nonat extended permit ip host 192.168.1.76 192.168.168.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.2.79.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.24.48.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.76 10.32.48.0 255.255.255.0

access-list nonat extended permit ip object-group DM_INLINE_NETWORK_2 134.54.112.0 255.255.240.0

access-list nonat extended permit ip object-group DM_INLINE_NETWORK_3 134.54.112.0 255.255.240.0

access-list nonat extended permit ip host 192.168.1.76 74.117.34.128 255.255.255.240

access-list nonat extended permit ip host 192.168.1.76 204.16.167.128 255.255.255.240

access-list nonat extended permit ip host 192.168.1.76 192.168.20.0 255.255.255.0

access-list nonat extended permit ip any 10.78.80.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list nonat extended permit ip object-group DM_INLINE_NETWORK_5 10.200.200.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.23.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.34 192.168.253.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.76 host 204.16.165.21

access-list nonat extended permit ip host 192.168.1.76 host 192.168.3.2

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.76 host 192.168.50.17

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.93.0 255.255.255.0

access-list nonat extended permit ip host 192.168.1.76 host 172.24.7.77

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

access-list cavett extended permit ip 192.168.1.0 255.255.255.0 host 65.7.251.224

access-list vpnclient extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0

access-list 102 extended deny tcp any any eq www

access-list outbound extended deny tcp 192.168.1.0 255.255.255.0 any eq 445

access-list outbound extended deny tcp host 192.168.1.10 any eq 445

access-list outbound extended deny tcp host 192.168.1.12 any eq 445

access-list outbound extended permit tcp host 192.168.1.6 any eq ftp

access-list outbound extended permit tcp host 192.168.1.6 any eq ftp-data

access-list outbound extended permit tcp host 192.168.1.6 any eq ssh

access-list outbound extended permit tcp host 192.168.1.13 eq ftp-data any eq ftp-data

access-list outbound extended permit tcp host 192.168.1.13 eq ftp any eq ftp

access-list outbound extended permit tcp host 192.168.1.14 eq ftp-data any

access-list outbound extended permit tcp host 192.168.1.14 eq ftp any

access-list outbound extended deny tcp host 192.168.1.23 any eq 445

access-list outbound extended permit tcp host 192.168.1.40 any eq smtp

access-list outbound extended permit tcp host 192.168.1.22 any eq 445

access-list outbound extended permit tcp object-group RESTRICTED_HOSTS object-group SMALL_WEB

access-list outbound extended permit ip object-group ALLACCESS any

access-list outbound extended permit tcp host 192.168.1.253 any

access-list outbound extended permit ip host 192.168.1.253 any

access-list outbound extended permit ip host 10.56.0.7 host 192.168.25.100

access-list outbound extended permit ip host 10.56.0.7 host 10.1.23.254

access-list NRS-PRIMARY-ACL extended permit ip host 192.168.1.76 host 204.16.165.21

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.213

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.214

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.215

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.216

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.218

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.219

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.220

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.222

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.223

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.224

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.225

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.226

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.227

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.228

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.30

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.37

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.32

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.5

access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.38

access-list outside_cryptomap_70 extended permit ip host 192.168.1.76 host 202.51.251.21

access-list outside_cryptomap_90 extended permit ip host 192.168.1.76 host 128.8.25.104

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.250.0 255.255.255.128

access-list outside_210_cryptomap extended permit ip host 192.168.1.76 10.32.48.0 255.255.255.0

access-list outside_cryptomap_43 extended permit ip 192.168.1.0 255.255.255.0 192.168.43.0 255.255.255.0

access-list outside_19_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.78.0 255.255.255.0

access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 object-group DM_INLINE_NETWORK_1

access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.102

access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.104

access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.105

access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.106

access-list outside_9_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list outside_cryptomap_150 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_cryptomap_170 extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_7

access-list outside_cryptomap_190 extended permit ip host 192.168.1.76 172.161.4.0 255.255.255.0

access-list outside_230_cryptomap extended permit ip host 192.168.1.76 172.16.4.0 255.255.255.0

access-list outside_18_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.93.0 255.255.255.0

access-list outside_270_cryptomap extended permit ip host 192.168.1.76 host 128.8.25.104

access-list outside_290_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.200.122.0 255.255.255.0

access-list DerrRemote_splitTunnelAcl standard permit host 192.168.1.76

access-list VPN3k_SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0

access-list VPN3k_SplitTunnel_ACL remark TIC Lan

access-list outside_350_cryptomap remark Derr

access-list outside_350_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.6.10.0 255.255.255.0

access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.100

access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.102

access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.104

access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.105

access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.106

access-list TMGtoTIC_splitTunnelAcl standard permit host 192.168.1.76

access-list outside_1_cryptomap extended permit ip host 192.168.1.76 192.168.168.0 255.255.255.0

access-list inside_nat_static extended permit ip host 192.168.1.76 any

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.2.79.0 255.255.255.0

access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.24.48.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip host 192.168.1.76 10.32.48.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip host 192.168.1.76 host 172.24.7.77

access-list outside_4_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 134.54.112.0 255.255.240.0

access-list outside_5_cryptomap extended permit ip host 192.168.1.76 74.117.34.128 255.255.255.240

access-list outside_6_cryptomap extended permit ip host 192.168.1.76 204.16.167.128 255.255.255.240

access-list outside_7_cryptomap extended permit ip host 192.168.1.76 192.168.20.0 255.255.255.0

access-list outside_8_cryptomap extended permit ip any 10.78.80.0 255.255.255.0

access-list outside_7_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list outside_7_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list outside_10_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 10.200.200.0 255.255.255.0

access-list outside_11_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.28.0 255.255.255.0

access-list outside_cryptomap_45 extended permit ip 192.168.1.0 255.255.255.0 192.168.28.0 255.255.255.0

access-list outside_12_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list outside_13_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0

access-list outside_14_cryptomap extended permit ip host 192.168.1.34 192.168.253.0 255.255.255.0

access-list outside_15_cryptomap extended permit ip host 192.168.1.76 host 192.168.3.2

access-list outside_16_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_17_cryptomap extended permit ip host 192.168.1.76 host 192.168.50.17

access-list nat2VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

access-list VPN2nat_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0

Cisco Employee

VPN Client with Overlapping Private Networks?

Please also share the static NAT statement: sh run static

New Member

VPN Client with Overlapping Private Networks?

Result of the command: "sh run static"

static (inside,outside) tcp 66.0.102.199 https 192.168.1.75 https netmask 255.255.255.255

static (inside,outside) tcp 66.0.102.199 www 192.168.1.75 www netmask 255.255.255.255

static (inside,outside) tcp 66.0.102.199 8081 192.168.1.75 8081 netmask 255.255.255.255

static (inside,outside) udp 66.0.102.248 16000 192.168.1.253 16000 netmask 255.255.255.255  dns

static (inside,outside) 66.0.102.205 192.168.1.19 netmask 255.255.255.255 dns

static (inside,outside) 66.0.171.242 192.168.1.10 netmask 255.255.255.255

static (inside,outside) 66.0.102.196 192.168.1.35 netmask 255.255.255.255

static (inside,outside) 66.0.102.195 192.168.1.6 netmask 255.255.255.255

static (inside,outside) 66.0.102.193 192.168.1.13 netmask 255.255.255.255

static (inside,outside) 66.0.102.194 192.168.1.14 netmask 255.255.255.255

static (inside,outside) 66.0.171.246 192.168.1.30 netmask 255.255.255.255

static (inside,outside) 66.0.102.198 192.168.1.211 netmask 255.255.255.255

static (inside,outside) 66.0.102.202 192.168.1.48 netmask 255.255.255.255

static (inside,outside) 66.0.102.204 192.168.1.7 netmask 255.255.255.255

static (inside,outside) 10.56.0.7  access-list NAT

static (inside,outside) 66.0.171.241  access-list inside_nat_static

static (inside,outside) 123.37.38.21 192.168.1.21 netmask 255.255.255.255

static (inside,outside) 123.37.38.22 192.168.1.22 netmask 255.255.255.255

static (inside,outside) 123.37.38.24 192.168.1.24 netmask 255.255.255.255

static (inside,outside) 123.37.38.25 192.168.1.25 netmask 255.255.255.255

static (inside,outside) 66.0.171.243 192.168.1.8 netmask 255.255.255.255

static (inside,outside) 123.37.38.37 192.168.1.37 netmask 255.255.255.255

static (inside,outside) 123.37.38.38 192.168.1.38 netmask 255.255.255.255

static (inside,outside) 123.37.38.39 192.168.1.39 netmask 255.255.255.255

static (inside,outside) 10.30.30.0  access-list nat2VPN

Cisco Employee

VPN Client with Overlapping Private Networks?

Your NONAT ACL overlaps with the static policy NAT and NONAT takes precedence over static policy NAT, that's why it's not working.

Please kindly remove the following:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
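As an added example (not code from the thread, the poster's ASA, or Cisco), the following Python script models the ASA 8.2 NAT precedence that the accepted answer relies on, and the policy-NAT address mapping described in the first reply (192.168.1.x to 10.30.30.x for traffic towards the VPN pool). It parses a constructed config made of the thread's own access-list and static lines; the "nat (inside) 0 access-list nonat" line is an assumption, since the page never shows how the nonat ACL is bound as NAT exemption. The function names (parse_config, translate, shadowed_policy_nat, split_tunnel_conflicts) are this example's own. It also generalizes the split-tunnel point from the earlier reply: any split-tunnel entry that overlaps the client's own LAN is flagged.

```python
"""Model of ASA 8.2 NAT ordering: NAT exemption (nat 0 access-list) wins over static policy NAT."""
import ipaddress
from collections import defaultdict

# Constructed sample config assembled from lines quoted in this thread.
# The "nat (inside) 0 access-list nonat" line is an ASSUMPTION (standard 8.2
# NAT-exemption syntax); the page shows the nonat ACL but not this binding.
SAMPLE_CONFIG = """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list nat2VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) 10.30.30.0  access-list nat2VPN
"""

# The same config after applying the accepted answer (shadowing nonat ACE removed).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0\n", "")


def _net(tokens):
    """Consume one ACE address spec ('host A.B.C.D', 'any', or 'A.B.C.D MASK')."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Collect extended 'permit ip' ACEs, NAT-exemption ACL names and static policy-NAT statements."""
    cfg = {"acls": defaultdict(list), "exempt_acls": [], "policy_statics": []}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _net(t[5:])
            dst, _ = _net(rest)
            cfg["acls"][t[1]].append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["exempt_acls"].append(t[4])
        elif t[0] == "static" and t[3] == "access-list":
            # mapped base address, ACL that selects the real source/destination pairs
            cfg["policy_statics"].append((ipaddress.ip_address(t[2]), t[4]))
    return cfg


def translate(cfg, src_ip, dst_ip):
    """Return (rule, mapped_source) for an inside->outside packet, checking exemption first."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for acl in cfg["exempt_acls"]:
        if any(src in s and dst in d for s, d in cfg["acls"][acl]):
            return ("exempt", str(src))          # NAT exemption: source left untouched
    for mapped_base, acl in cfg["policy_statics"]:
        for s, d in cfg["acls"][acl]:
            if src in s and dst in d:
                offset = int(src) - int(s.network_address)
                return ("policy-static", str(mapped_base + offset))   # e.g. .76 -> 10.30.30.76
    return ("no-match", str(src))


def shadowed_policy_nat(cfg):
    """List (exempt_acl, exempt_ace, policy_acl) where a NAT-exemption ACE overlaps a policy-NAT ACE.

    Because exemption is evaluated first, such an ACE silently disables the policy NAT."""
    hits = []
    for _base, pacl in cfg["policy_statics"]:
        for ps, pd in cfg["acls"][pacl]:
            for eacl in cfg["exempt_acls"]:
                for es, ed in cfg["acls"][eacl]:
                    if es.overlaps(ps) and ed.overlaps(pd):
                        hits.append((eacl, f"{es} -> {ed}", pacl))
    return hits


def split_tunnel_conflicts(split_networks, client_lan):
    """Return split-tunnel entries overlapping the client's own LAN; those must be replaced by the NATed subnet."""
    lan = ipaddress.ip_network(client_lan)
    return [n for n in split_networks if ipaddress.ip_network(n).overlaps(lan)]


if __name__ == "__main__":
    before = parse_config(SAMPLE_CONFIG)
    print("before fix:", translate(before, "192.168.1.76", "192.168.240.1"))
    for hit in shadowed_policy_nat(before):
        print("shadowed policy NAT:", hit)
    after = parse_config(FIXED_CONFIG)
    print("after fix: ", translate(after, "192.168.1.76", "192.168.240.1"))
    print("split-tunnel conflicts:", split_tunnel_conflicts(["192.168.1.0/24", "10.30.30.0/24"], "192.168.1.0/24"))
```

With the original nonat entry present, a packet from 192.168.1.76 towards the 192.168.240.0/24 pool is reported as exempt and never reaches the nat2VPN policy static, which is exactly the symptom in the thread; after the entry is removed the same packet is translated to 10.30.30.76. The other nonat entries (towards 192.168.250.0/24 and so on) are left alone because their destinations do not overlap the policy-NAT ACE.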

New Member

VPN Client with Overlapping Private Networks?

I missed this in my review:

The link is now working, can login and transmit files, connect by VNC to server and so on. (Can't ping, but no problem).

Thank you for all the help and patience in getting this resolved, this will help greatly.

2748 Views, 0 Helpful, 25 Replies