Problem with ASA5505 and overlapping NAT VPN
- This topic has 1 reply, 2 voices, and was last updated 9 years, 9 months ago by
.
-
Posts
-
Ok I am not really knowledgeable in English and in Cisco so let’s try this :)
at work we have 6 compagnies that are all set by Site to Site VPN with Juniper routers
They have these adresses 192.168.1.0, 2.0 (Main Office) 3.0 4.0 5.0 6.0 all with 255.255.255.0 netmask
We want to be able to connect to the VPN and access all the subnets
It seems it’s not possible to do in Juniper so we added a Cisco PIX 5505 for private measure I will hide some IP addresses
So
First I’m aware the IP adressing is bad, but the compagnies are so big it would take forever to change the Ips.
Now How we are plugged (sorry no diagram)
Intenet enter in the Port ETH0 of the cisco and the port ETH1 of the Cisco has the ip address of 192.168.15.2 255.255.255.252 that goes inside the port 04 of Juniper with the Ip adresse of 192.168.15.1 255.255.255.252
We have the trust Interface of 192.168.2.0 255.255.255.0 in the port 02 of the Juniper and the other subnet are accessible from Tunnel interfaces of the Juniper
If I go inside the Cisco Cli I can ping Everything
Now my problem is
If the customer that connects to the VPN has an IP adresss of exemple 192.168.2.0 255.255.255.0 they will be able to access all the subnets of the VPN exemple 192.168.2.0
Same from someone with the local subnet of 192.168.1.0 cannot access the 192.168.1.0 Remote subnet.
What my boss wants me to do (and we both have no idea how to do it is this)
We have a server on the remote that that is 192.168.2.13
So from a VPN client we wanna say exemple ping 192.168.112.13 when the cisco receives that command it translate the 192.168.112.13 to 192.168.2.13 and then fowards it to the Juniper that will foward it to the good subnet
How can I do that?
Here is my config
ASA Version 8.2(1)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.2 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 67.205.111.184 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service grp_outside_in tcp
description Ports require for internal forwarding
port-object eq smtp
port-object eq ssh
access-list inside-out extended permit ip any any
access-list inside-out extended permit icmp any any
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
pager lines 34
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 207.96.171.186 1
route inside 192.168.0.0 255.255.248.0 192.168.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mobileset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set mobileset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
crypto map mobilemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mobile_policy internal
group-policy mobile_policy attributes
split-tunnel-policy tunnelspecified
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
address-pool mobilepool
default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e90e45dc5d1433be4f7c2cff58c868b4
: endThanks really need to clear this ASAP
You must be logged in to reply to this topic.