Problem with ASA5505 and overlapping NAT VPN
  • Problem with ASA5505 and overlapping NAT VPN

    OK, I am not really knowledgeable in English or in Cisco, so let's try this.

    At work we have 6 companies that are all connected by site-to-site VPN with Juniper routers.

    They have these addresses: 192.168.1.0, 2.0 (Main Office), 3.0, 4.0, 5.0, 6.0, all with a 255.255.255.0 netmask.

    We want to be able to connect to the VPN and access all the subnets.

    It seems it's not possible to do in Juniper, so we added a Cisco PIX 5505. For privacy I will hide some IP addresses.

    So:

    First, I'm aware the IP addressing is bad, but the companies are so big it would take forever to change the IPs.

    Now, how we are plugged in (sorry, no diagram):

    The Internet enters on port ETH0 of the Cisco, and port ETH1 of the Cisco has the IP address 192.168.15.2 255.255.255.252, which goes into port 04 of the Juniper, which has the IP address 192.168.15.1 255.255.255.252.

    We have the trust interface of 192.168.2.0 255.255.255.0 on port 02 of the Juniper, and the other subnets are reachable through tunnel interfaces of the Juniper.

    If I go into the Cisco CLI I can ping everything.

    Now my problem is:

    If the customer that connects to the VPN has an IP address of, for example, 192.168.2.0 255.255.255.0, they will be able to access all the subnets of the VPN except 192.168.2.0.

    Likewise, someone with the local subnet 192.168.1.0 cannot access the 192.168.1.0 remote subnet.

    What my boss wants me to do (and we both have no idea how to do it) is this:

    We have a server on the remote side that is 192.168.2.13.

    So from a VPN client we want to be able to say, for example, ping 192.168.112.13; when the Cisco receives that, it translates 192.168.112.13 to 192.168.2.13 and then forwards it to the Juniper, which forwards it to the right subnet.

    How can I do that?

    Here is my config:


    ASA Version 8.2(1)
    !
    hostname ASA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.15.2 255.255.255.252
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 67.205.111.184 255.255.255.224
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    object-group service grp_outside_in tcp
    description Ports require for internal forwarding
    port-object eq smtp
    port-object eq ssh
    access-list inside-out extended permit ip any any
    access-list inside-out extended permit icmp any any
    access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
    access-list split-tunnel extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
    pager lines 34
    logging enable
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 207.96.171.186 1
    route inside 192.168.0.0 255.255.248.0 192.168.15.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mobileset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set mobileset
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
    crypto map mobilemap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mobile_policy internal
    group-policy mobile_policy attributes
    split-tunnel-policy tunnelspecified
    tunnel-group mobilegroup type remote-access
    tunnel-group mobilegroup general-attributes
    address-pool mobilepool
    default-group-policy mobile_policy
    tunnel-group mobilegroup ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e90e45dc5d1433be4f7c2cff58c868b4
    : end


    Thanks, I really need to clear this up ASAP.
    Last edited by ratatapa; 30th March 2011, 15:15.

  • #2
    Re: Problem with ASA5505 and overlapping NAT VPN

    Second problem I have, and it's about this line:

    route inside 192.168.0.0 255.255.248.0 192.168.15.1 1

    The problem I have with that line is simple.


    Keep in mind that my 6 local networks inside the company are

    192.168.1.0, 2.0, 3.0, 4.0, 5.0, 6.0


    If my local subnet is, for example, 192.168.1.0,

    and my route says either 192.168.1.0 or 192.168.0.0 with the right subnet mask, I cannot connect to the VPN at all; it doesn't even ask me for my username and password.

    What can I do?

    Thanks for the help.
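    The translation asked for in the first post (VPN clients reach 192.168.2.13 as 192.168.112.13) and the overlap described in the second post (a client whose home LAN is 192.168.1.0/24 or 192.168.2.0/24 collides with the tunnelled 192.168.0.0/16) are the same problem, and on ASA 8.2 both are handled with outside-facing static NAT plus a split-tunnel list that only carries the mapped ranges. The fragment below is an added example, not the poster's config and not Cisco documentation; it uses the pre-8.3 `static (real_ifc,mapped_ifc) mapped real` syntax that matches the posted `ASA Version 8.2(1)` (8.3 and later replaced this with object NAT, so these lines would not apply there). Only the 192.168.112.0/24 -> 192.168.2.0/24 mapping comes from the post; the other five mapped ranges (192.168.111.0/24, 113.0/24 .. 116.0/24) are an assumption chosen so that the last octet is preserved and none of them overlap the six real subnets. Two things the posted config itself shows and that the example addresses: `group-policy mobile_policy` sets `split-tunnel-policy tunnelspecified` but never binds a `split-tunnel-network-list`, and the `nat (inside) 0 access-list no_nat` exemption for 192.168.0.0/16 is evaluated before static NAT in 8.2, so it has to be narrowed or removed for the mapped subnets, otherwise the real addresses stay visible to the pool and the statics never apply.

```cisco
! Added example, not from the original post. ASA 8.2 syntax only.
! Assumption: mapped ranges 192.168.111.0/24 .. 192.168.116.0/24 for the six
! real subnets 192.168.1.0/24 .. 192.168.6.0/24; only 112 -> 2 is in the post.
!
! 1. Present each real inside subnet to the VPN clients (which terminate on
!    "outside") under an unused mapped range.
!    Syntax: static (real_ifc,mapped_ifc) mapped_net real_net netmask mask
!    Result: 192.168.112.13 as seen by a client <-> 192.168.2.13 behind the Juniper
static (inside,outside) 192.168.111.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 192.168.112.0 192.168.2.0 netmask 255.255.255.0
static (inside,outside) 192.168.113.0 192.168.3.0 netmask 255.255.255.0
static (inside,outside) 192.168.114.0 192.168.4.0 netmask 255.255.255.0
static (inside,outside) 192.168.115.0 192.168.5.0 netmask 255.255.255.0
static (inside,outside) 192.168.116.0 192.168.6.0 netmask 255.255.255.0
!
! 2. NAT exemption (nat 0 access-list) is matched before static NAT in 8.2.
!    The posted /16 exemption towards the pool would bypass the statics above,
!    so drop it (unbind first, then remove the ACE). If some inside network
!    must stay un-translated, re-add an exemption for that network only.
no nat (inside) 0 access-list no_nat
no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
!
! 3. Split tunnelling: push only the mapped ranges to the client. A client on
!    192.168.1.0/24 or 192.168.2.0/24 at home then no longer overlaps anything
!    it is told to tunnel. The posted group policy chose "tunnelspecified"
!    but never bound a list; bind one here.
no access-list split-tunnel extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
access-list split-tunnel standard permit 192.168.111.0 255.255.255.0
access-list split-tunnel standard permit 192.168.112.0 255.255.255.0
access-list split-tunnel standard permit 192.168.113.0 255.255.255.0
access-list split-tunnel standard permit 192.168.114.0 255.255.255.0
access-list split-tunnel standard permit 192.168.115.0 255.255.255.0
access-list split-tunnel standard permit 192.168.116.0 255.255.255.0
group-policy mobile_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
!
! 4. Optional: track ICMP statefully so a client's ping gets its echo-reply
!    through the connection table rather than as a separate inside->outside flow.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! The posted "route inside 192.168.0.0 255.255.248.0 192.168.15.1 1" already
! covers the real 192.168.1.0-192.168.6.0 subnets. No route is needed for the
! mapped ranges: the ASA un-translates the destination before it routes.
!
! --- verification (exec mode, not configuration) ---
! show running-config static
! packet-tracer input outside icmp 10.250.128.100 8 0 192.168.112.13
!   The NAT phase should show the destination becoming 192.168.2.13 and the
!   route lookup choosing "inside" via 192.168.15.1; a DROP in the NAT phase
!   usually means an exemption or another static is still matching first.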
