Problem with ASA5505 and overlapping NAT VPN

  • Problem with ASA5505 and overlapping NAT VPN

    OK, I am not really knowledgeable in English or in Cisco, so let's try this.

    At work we have 6 companies that are all connected by site-to-site VPN with Juniper routers.

    They have these addresses: 2.0 (Main Office), 3.0, 4.0, 5.0, 6.0, all with netmask

    We want to be able to connect to the VPN and access all the subnets.

    It seems it's not possible to do in Juniper, so we added a Cisco PIX 5505. As a privacy measure I will hide some IP addresses.


    First, I'm aware the IP addressing is bad, but the companies are so big it would take forever to change the IPs.

    Now, how we are plugged in (sorry, no diagram):

    The Internet enters port ETH0 of the Cisco, and port ETH1 of the Cisco has the IP address of and goes into port 04 of the Juniper with the IP address of

    We have the trust interface of in port 02 of the Juniper, and the other subnets are accessible from tunnel interfaces of the Juniper.

    If I go into the Cisco CLI I can ping everything.

    Now my problem is:

    If the customer that connects to the VPN has an IP address of, for example, they will be able to access all the subnets of the VPN, for example.

    Likewise, someone with the local subnet of cannot access the remote subnet.

    What my boss wants me to do (and we both have no idea how to do it) is this:

    We have a server on the remote side that is

    So from a VPN client we want to be able to say, for example, ping; when the Cisco receives that command it translates the to and then forwards it to the Juniper, which will forward it to the correct subnet.

    How can I do that?

    Here is my config:

    ASA Version 8.2(1)
    hostname ASA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    object-group service grp_outside_in tcp
    description Ports require for internal forwarding
    port-object eq smtp
    port-object eq ssh
    access-list inside-out extended permit ip any any
    access-list inside-out extended permit icmp any any
    access-list no_nat extended permit ip
    access-list split-tunnel extended permit ip
    pager lines 34
    logging enable
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool mobilepool mask
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1
    route outside 1
    route inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mobileset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set mobileset
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
    crypto map mobilemap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy mobile_policy internal
    group-policy mobile_policy attributes
    split-tunnel-policy tunnelspecified
    tunnel-group mobilegroup type remote-access
    tunnel-group mobilegroup general-attributes
    address-pool mobilepool
    default-group-policy mobile_policy
    tunnel-group mobilegroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end

    Thanks, I really need to clear this up ASAP.
    Last edited by ratatapa; 30th March 2011, 15:15.
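    The translation the post asks for (a VPN client pings one address, the ASA rewrites it to the overlapping remote address before forwarding to the Juniper) is what ASA 8.2 network static NAT does. The following is an added example, not the poster's config, and every address in it is a constructed placeholder: the real remote subnet is assumed to be 192.168.2.0/24, the non-overlapping address given to VPN clients 192.168.102.0/24, the client pool 192.168.200.0/24, and the Juniper next hop 192.168.1.254.

    ```cisco
    ! Added example (not the poster's config). All addresses are constructed
    ! placeholders chosen for illustration.
    !
    ! Real (inside) network   : 192.168.2.0/24   - reached through the Juniper
    ! Mapped (outside) network: 192.168.102.0/24 - what VPN clients target
    ! VPN client pool         : 192.168.200.0/24 - must not overlap any subnet
    !
    ip local pool mobilepool 192.168.200.10-192.168.200.100 mask 255.255.255.0
    !
    ! 1. Network static: a VPN client sending to 192.168.102.50 has the
    !    destination rewritten to 192.168.2.50 before the packet is forwarded
    !    to the Juniper; replies are rewritten back. The client therefore
    !    never needs a route to 192.168.2.0/24, so a client whose own LAN is
    !    192.168.2.0/24 is no longer in conflict.
    static (inside,outside) 192.168.102.0 192.168.2.0 netmask 255.255.255.0
    !
    ! 2. NAT exemption (nat 0) is evaluated before static NAT on 8.2, so the
    !    overlapping subnet must NOT appear in no_nat or the translation never
    !    happens. Exempt only the remote subnets that do not overlap.
    access-list no_nat extended permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
    nat (inside) 0 access-list no_nat
    !
    ! 3. The split-tunnel list must advertise the MAPPED network; that is the
    !    route the client installs over the tunnel.
    access-list split-tunnel extended permit ip 192.168.102.0 255.255.255.0 any
    access-list split-tunnel extended permit ip 192.168.3.0 255.255.255.0 any
    group-policy mobile_policy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
    !
    ! 4. The ASA still needs a route to the REAL network via the Juniper.
    route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
    !
    ! Verify on the ASA: "show xlate" lists the static translation, and
    ! "show route" must show 192.168.2.0/24 via inside, not via outside.
    ```

    Mapped addresses of connected VPN clients appear in `show xlate` only once traffic has flowed, so test with a ping to a mapped address (for example 192.168.102.50) from a connected client.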

  • #2
    Re: Problem with ASA5505 and overlapping NAT VPN

    The 2nd problem I have is about this line:

    route inside 1

    The problem I have with that line is simple.

    Keep in mind that my 6 local networks inside the company are 2.0, 3.0, 4.0, 5.0, 6.0.

    If my local subnet is, for example,

    and my route says either or with the correct subnets, I cannot connect to the VPN at all; it doesn't even ask me for my username and password.

    What can I do?

    Thanks for the help.