VPN L2L - ASA 5520 - 8.3.1 -

Hi guys, I have an ASA 5520 with many VPN LAN-to-LAN and VPN Remote Access tunnels. I have an issue with one VPN LAN-to-LAN where there is an overlapping network
between our inside network and the remote peer. There is a VPN LAN-to-LAN with this configuration:

LAN (INSIDE) - 192.168.0.0/22            INSIDE ASA - 172.16.0.3 - OUTSIDE ASA 94.125.239.251

192.168.1.10 --------------------------------------------192.168.198.7 ---------------------------------------------192.168.201.221
 Real IP                                                 IP SOURCE NAT                                             IP DESTINATION NAT
 Server                                                                                                             (REMOTE PEER)
                                     
Flow without translation : From 192.168.1.10/32 TO 192.168.201.221/32 (NONAT)
Flow with translation :    From 192.168.1.10/32 TO 192.168.201.221/32 (IP SOURCE NAT 192.168.198.7) - CRYPTO
            
Flow without translation : From 192.168.201.221/32 TO 192.168.198.7/32 ---------------> FROM REMOTE PEER TO ASA - CRYPTO
Flow with translation :    From 192.168.198.7/32 TO 192.168.1.10/32 ------------------> STATIC NAT ASA
 

Below is the configuration:

access-group Traffico-Outbound-Inside-Outside in interface INSIDE
access-list Traffico-Outbound-Inside-Outside extended permit ip host 192.168.1.10 host 192.168.201.221

access-list VPNL2LCryptoOasi extended permit ip host 192.168.198.7 host 192.168.201.221
access-list VPNL2LFilterOasi extended permit icmp host 192.168.201.221 host 192.168.198.7
access-list VPNL2LFilterOasi extended permit tcp host 192.168.201.221 range 1024 65535 host 192.168.198.7 eq 7006
access-list VPNL2LFilterOasi extended permit tcp host 192.168.201.221 eq 6006 host 192.168.198.7 range 1024 65535

nat (INSIDE,OUTSIDE) source dynamic VPNL2LOasiNAT-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNL2LOasiNAT-192.168.201.221-dst
nat (INSIDE,OUTSIDE) source static VPNnonat-192.168.198.7-src VPNnonat-192.168.198.7-src destination static VPNnonat-192.168.201.221-dst VPNnonat-192.168.201.221-dst

object network VPNL2LOasiNAT-IPSRC
 nat (OUTSIDE,INSIDE) static 192.168.1.10

crypto ipsec transform-set OasiBeeInsSet esp-aes esp-md5-hmac
crypto map outside_map 110 match address VPNL2LCryptoOasi
crypto map outside_map 110 set peer 194.185.233.36
crypto map outside_map 110 set transform-set OasiBeeInsSet

tunnel-group 194.185.233.36 type ipsec-l2l
tunnel-group 194.185.233.36 general-attributes
 default-group-policy 194.185.233.36
tunnel-group 194.185.233.36 ipsec-attributes
 pre-shared-key *****

group-policy 194.185.233.36 internal
group-policy 194.185.233.36 attributes
 vpn-filter value VPNL2LFilterOasi

When the server 192.168.1.10 in the INSIDE network tries to telnet to 192.168.201.221 6006, everything is OK. But when 192.168.201.221 telnets to 192.168.198.7, in the log I see:

Oct 24 06:29:57 172.16.0.3 Oct 24 2014 06:29:57 IDC-CISCOFWUS-02 : %ASA-6-302014: Teardown TCP connection 2051276 for OUTSIDE:192.168.201.221/59712 to OUTSIDE:192.168.198.7/7006 duration 0:00:00 bytes 0 Flow is a loopback
 
I tried to follow the link http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/, which in most discussions on the Cisco forum is the example given. Mapped onto my configuration, this is my situation:

For their 192.168.1.0/24 -> My host network is 192.168.1.10
For their 192.168.2.0/24 -> My host network is 192.168.198.7
For their 192.168.3.0/24 -> My host network is 192.168.201.221

So, here is my configuration:

nat (INSIDE,OUTSIDE) source dynamic VPNL2LOasiNAT-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNL2LOasiNAT-192.168.201.221-dst
nat (inside,outside) source static VPNnonat-192.168.1.10-src VPNL2LOasiNAT-IPSRC destination static VPNL2LOasiNAT-192.168.201.221-dst VPNnonat-192.168.1.10-src

object network VPNL2LOasiNAT-192.168.1.10-src
  nat (outside,inside) static 192.168.201.221
 
With this configuration, it is not possible to telnet to 192.168.201.221 6006.

I tried routing 192.168.198.7 to INSIDE and the error no longer appears in the log, but there is a SYN timeout on the packets for 192.168.198.7.
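The flow diagram in the post describes two translations: the inside server's source address is dynamically mapped to 192.168.198.7 on the way out, and the remote peer's packets to 192.168.198.7 must be statically mapped back to 192.168.1.10 on the way in. The simplified model below is an added example, not Cisco code and not the ASA's real NAT engine: it treats manual (twice) NAT rules as "first match wins", static rules as bidirectional, dynamic rules as usable only for connections started on their ingress side, and a route lookup that lands on the ingress interface as the condition the ASA reports as "Flow is a loopback". The routing table and the STATIC_RULE (the return mapping the diagram calls for) are constructed assumptions; the DYNAMIC_RULE is the one from the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    # Simplified ASA 8.3 manual ("twice") NAT: nat (ingress,egress) source ... destination ...
    ingress: str
    egress: str
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str
    static: bool  # dynamic source NAT only serves connections initiated on the ingress side


# Constructed routing table (assumption): inside LAN 192.168.0.0/22, default route via OUTSIDE.
ROUTES = [(ipaddress.ip_network("192.168.0.0/22"), "INSIDE"),
          (ipaddress.ip_network("0.0.0.0/0"), "OUTSIDE")]


def route_lookup(dst):
    """Longest-prefix match over the constructed routing table."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)[1]


def translate(rules, ingress, src, dst):
    """Return (egress, src, dst) for a NEW connection; first matching rule wins.
    Static rules are bidirectional, so a packet arriving on the rule's egress side is
    matched against the mapped addresses and untranslated back to the real ones."""
    for r in rules:
        if ingress == r.ingress and src == r.real_src and dst == r.real_dst:
            return (r.egress, r.mapped_src, r.mapped_dst)
        if r.static and ingress == r.egress and src == r.mapped_dst and dst == r.mapped_src:
            return (r.ingress, r.real_dst, r.real_src)
    # No NAT match: plain route lookup. Egress == ingress is what the ASA logs as
    # "Flow is a loopback" in %ASA-6-302014 (modelling assumption, see lead-in).
    egress = route_lookup(dst)
    return ("LOOPBACK" if egress == ingress else egress, src, dst)


# Rule from the post: dynamic source NAT 192.168.1.10 -> 192.168.198.7 toward 192.168.201.221.
DYNAMIC_RULE = NatRule("INSIDE", "OUTSIDE", "192.168.1.10", "192.168.198.7",
                       "192.168.201.221", "192.168.201.221", static=False)
# Hypothetical static rule expressing the diagram's return path (198.7 -> 1.10).
STATIC_RULE = NatRule("INSIDE", "OUTSIDE", "192.168.1.10", "192.168.198.7",
                      "192.168.201.221", "192.168.201.221", static=True)

if __name__ == "__main__":
    print(translate([DYNAMIC_RULE], "INSIDE", "192.168.1.10", "192.168.201.221"))
    print(translate([DYNAMIC_RULE], "OUTSIDE", "192.168.201.221", "192.168.198.7"))
    print(translate([STATIC_RULE], "OUTSIDE", "192.168.201.221", "192.168.198.7"))
```

The second call shows why a dynamic source rule alone cannot carry a remote-initiated connection: nothing matches, the route lookup for 192.168.198.7 falls to the OUTSIDE default route, and the flow ends up on its ingress interface.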