Wednesday, December 3, 2014

Setting up a Site to Site (L2L) VPN Tunnel on a Cisco ASA 5505 when the remote end has an overlapping (conflicting) IP Range

A scenario I commonly run into is a client who wants to set up a Site to Site IPsec VPN tunnel to a vendor but cannot present their current IP scheme on the tunnel because it overlaps with the address range of one of the vendor's other business partners.  This is a fairly simple setup: the local LAN is translated to an unused range before it enters the tunnel, so the vendor only ever sees the translated addresses.

Public IP- 1.1.1.1
Private LAN- 192.168.0.0/24
Remote VPN LAN- 192.168.250.0/24
Remote Host IP- 2.2.2.2
Pre-Shared-Key- Key

So we're going to make up a "Natted" LAN for use on this tunnel.  We will use 192.168.100.0/24.  Pick a range that is not in use at either end and not already presented to the vendor by another partner; if it collides, the crypto ACLs on both sides become ambiguous.
Natted LAN- 192.168.100.0/24

First thing, create some object groups.

ASA(config)# object network LocalSubnet
ASA(config-network-object)# subnet 192.168.0.0 255.255.255.0
ASA(config)# object network LocalSubnetNAT
ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
ASA(config)# object network RemoteSubnet
ASA(config-network-object)# subnet 192.168.250.0 255.255.255.0



Next we create a twice NAT (policy NAT) rule that translates LocalSubnet to LocalSubnetNAT only for traffic destined to RemoteSubnet; the destination itself is left unchanged, and all other traffic from the LAN is unaffected.

ASA(config)# nat (inside,outside) source static LocalSubnet LocalSubnetNAT destination static RemoteSubnet RemoteSubnet



Now we create the crypto ACL for the VPN tunnel.  Since the crypto ACL is evaluated after NAT, it must match traffic from the Natted subnet to the remote subnet, not from the real LAN.  The vendor's mirror ACL likewise has to reference 192.168.100.0/24 as the far-end network; 192.168.0.0/24 never appears in the tunnel negotiation.

ASA(config)# access-list Tunnel extended permit ip object LocalSubnetNAT object RemoteSubnet



Now we build the tunnel like we normally would-

ASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA(config)# crypto map outside_map 10 match address Tunnel
ASA(config)# crypto map outside_map 10 set peer 2.2.2.2
ASA(config)# crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
ASA(config)# crypto map outside_map interface outside
ASA(config)# crypto ikev1 enable outside
ASA(config)# crypto ikev1 policy 10
ASA(config-ikev1-policy)# authentication pre-share
ASA(config-ikev1-policy)# encryption 3des
ASA(config-ikev1-policy)# hash sha
ASA(config-ikev1-policy)# group 2
ASA(config-ikev1-policy)# lifetime 86400
ASA(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ASA(config)# tunnel-group 2.2.2.2 ipsec-attributes
ASA(config-tunnel-ipsec)# ikev1 pre-shared-key Key
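The one thing that goes wrong with this setup in practice is picking a "Natted" range that already collides with something at one end or the other. The following script is an added example, not code from the post or from Cisco: it checks a candidate NAT range against every prefix you already know to be in use (local LAN, the vendor's LAN, any other partner ranges), can pick the first free block from a pool automatically, and renders the ASA 8.3+ commands from the post with the addresses filled in. The list of in-use prefixes, the pool 192.168.0.0/16, and the `render_asa_config` parameters are assumptions of this example; the crypto defaults mirror the post (3DES, SHA, group 2), which newer ASA releases deprecate, so pass AES and a stronger DH group through the `transform` and `ikev1` parameters on current code.

```python
"""Overlap check and config rendering for an ASA L2L tunnel with a NATted LAN.

Added example (not from the original post). Assumes ASA 8.3+ twice-NAT syntax,
as used in the post, and that the caller maintains the list of in-use prefixes.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def find_overlaps(candidate: str, in_use: Iterable[str]) -> List[str]:
    """Return every prefix in `in_use` that overlaps `candidate` (CIDR strings).

    strict=True so a typo with host bits set (e.g. 192.168.100.1/24) raises
    ValueError instead of being silently normalised.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return [p for p in in_use if cand.overlaps(ipaddress.ip_network(p, strict=True))]


def choose_nat_subnet(prefixlen: int, in_use: Iterable[str],
                      pool: str = "192.168.0.0/16") -> Optional[str]:
    """First /prefixlen block carved from `pool` that collides with nothing in `in_use`.

    Returns None when the pool is exhausted. The pool is an assumption of this
    example; the post chose 192.168.100.0/24 by hand.
    """
    in_use = list(in_use)
    for block in ipaddress.ip_network(pool, strict=True).subnets(new_prefix=prefixlen):
        if not find_overlaps(str(block), in_use):
            return str(block)
    return None


def _subnet_mask(cidr: str) -> str:
    """'192.168.0.0/24' -> '192.168.0.0 255.255.255.0' (ASA object syntax)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def render_asa_config(local: str, nat: str, remote: str, peer: str, psk: str,
                      acl: str = "Tunnel", crypto_map: str = "outside_map", seq: int = 10,
                      transform: Tuple[str, str] = ("ESP-3DES-SHA", "esp-3des esp-sha-hmac"),
                      ikev1: Tuple[str, str, int, int] = ("3des", "sha", 2, 86400)) -> List[str]:
    """Render the commands from the post for the given addresses.

    Refuses to render if the NAT range overlaps either real subnet, because the
    crypto ACL here and the peer's mirror ACL would then be ambiguous.
    """
    for name, cidr in (("local", local), ("remote", remote)):
        if find_overlaps(nat, [cidr]):
            raise ValueError(f"NAT subnet {nat} overlaps {name} subnet {cidr}")
    ts_name, ts_algs = transform
    enc, hsh, group, lifetime = ikev1
    return [
        "object network LocalSubnet",
        f" subnet {_subnet_mask(local)}",
        "object network LocalSubnetNAT",
        f" subnet {_subnet_mask(nat)}",
        "object network RemoteSubnet",
        f" subnet {_subnet_mask(remote)}",
        # Twice NAT: LocalSubnet -> LocalSubnetNAT only when the destination is RemoteSubnet.
        "nat (inside,outside) source static LocalSubnet LocalSubnetNAT "
        "destination static RemoteSubnet RemoteSubnet",
        # Crypto ACL matches post-NAT addresses, so it names the NAT object, not the real LAN.
        f"access-list {acl} extended permit ip object LocalSubnetNAT object RemoteSubnet",
        f"crypto ipsec ikev1 transform-set {ts_name} {ts_algs}",
        f"crypto map {crypto_map} {seq} match address {acl}",
        f"crypto map {crypto_map} {seq} set peer {peer}",
        f"crypto map {crypto_map} {seq} set ikev1 transform-set {ts_name}",
        f"crypto map {crypto_map} interface outside",
        "crypto ikev1 enable outside",
        f"crypto ikev1 policy {seq}",
        " authentication pre-share",
        f" encryption {enc}",
        f" hash {hsh}",
        f" group {group}",
        f" lifetime {lifetime}",
        f"tunnel-group {peer} type ipsec-l2l",
        f"tunnel-group {peer} ipsec-attributes",
        f" ikev1 pre-shared-key {psk}",
    ]


if __name__ == "__main__":
    # Constructed sample: the post's addresses plus one other partner range already in use.
    in_use = ["192.168.0.0/24", "192.168.250.0/24", "10.50.0.0/16"]
    print("overlaps for 192.168.100.0/24:", find_overlaps("192.168.100.0/24", in_use))
    print("first free /24 in pool:", choose_nat_subnet(24, in_use))
    for line in render_asa_config("192.168.0.0/24", "192.168.100.0/24",
                                  "192.168.250.0/24", "2.2.2.2", "Key"):
        print(line)
```

Feed `in_use` the vendor's ranges as well as your own; the overlap the post is working around is on the vendor's side, so a candidate that is free locally can still collide there. The rendered lines are meant to be pasted into configuration mode in order; the PSK is printed in clear, so treat the output as you would the running config.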


That's it!  
