Cisco ASA: VPNs With Overlapping Subnets

KB ID 0001446

Problem

I’ve seen this pop up a few times in forums, and I’ve even seen people post “It can’t be done, you will need to change one of the subnets,” but to be honest, it’s not that difficult.

We simply have to do some NAT. This is the bit people struggle with: with VPNs we usually need to STOP NAT being applied to VPN traffic, and we still do, but here we NAT the traffic to a different subnet before we send it over the tunnel.

Normally overlapping networks can trip you up, in one of TWO scenarios;

Scenario 1 (The other end overlaps with YOU)

Scenario 2 (Two endpoints overlap with EACH OTHER)

Solution

Scenario 1 (The other end overlaps with YOU)

Firstly you need to pick another subnet for BOTH ends, and this is the subnet the other end will THINK it’s talking to, sometimes this is called an XLATED subnet, or a PSEUDO subnet, or a MASQUERADE subnet.

ASA-1 Config

Firstly we need to create THREE objects (instead of the usual TWO). Then take note of the syntax of the NAT statement;

[box]

!
object network OBJ-Site-A
 subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-XLATE
 subnet 172.16.1.0 255.255.255.0
object network OBJ-Site-B-XLATE
 subnet 172.16.2.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-A OBJ-Site-A-XLATE destination static OBJ-Site-B-XLATE OBJ-Site-B-XLATE
!

[/box]

Note: Above, I’m assuming your interfaces are called inside and outside!

Now you need to create the ACL that will be used to define ‘interesting traffic’, i.e. traffic that will be encrypted, but unlike normal you will specify the XLATED addresses.

[box]

!
access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object OBJ-Site-A-XLATE object OBJ-Site-B-XLATE
!

[/box]

The rest of the VPN config is the same as normal, here I’m using IKEv2. If you have to use IKEv1 see the link at the bottom of the page.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.

ASA-2 Config

As with most site to site VPN configs, the ‘other-end’ should be a mirror image, like so;

[box]

!
object network OBJ-Site-B
 subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-B-XLATE
 subnet 172.16.2.0 255.255.255.0
object network OBJ-Site-A-XLATE
 subnet 172.16.1.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-B OBJ-Site-B-XLATE destination static OBJ-Site-A-XLATE OBJ-Site-A-XLATE
!
access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object OBJ-Site-B-XLATE object OBJ-Site-A-XLATE 
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.


Scenario 2 (Two endpoints overlap with EACH OTHER)

Firstly you need to pick another subnet for BOTH of the ends with the overlapping subnet, and this is the subnet that your end will THINK it’s talking to, sometimes this is called an XLATED subnet, or a PSEUDO subnet, or a MASQUERADE subnet.

Then you will need to create TWO more, for the remote ends to TALK BACK TO.

Note: If you already have a VPN to one of the sites, then this process will replace that, and create one for the second site. So if you already have one tunnel you will need to either REMOVE it or change the NAT and interesting traffic ACL. (Note: If you delete the ACL used by a crypto map, then it disappears from the crypto map! So you need to manually add it back.) From this point forward I will assume we are creating BOTH tunnels from scratch.

ASA-1 Config

We need four XLATE objects (two per tunnel), and two objects for the actual endpoints, (as two sites have the same REAL subnet we can use the same object for both). Then we create the NAT statements for each tunnel.

[box]

!
object network OBJ-Site-A
subnet 192.168.2.0 255.255.255.0
object network OBJ-Site-B-and-C
subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-B-XLATE
subnet 10.1.1.0 255.255.255.0
object network OBJ-Site-A-C-XLATE
subnet 10.1.2.0 255.255.255.0
object network OBJ-Site-B-XLATE
subnet 172.16.1.0 255.255.255.0
object network OBJ-Site-C-XLATE
subnet 172.16.2.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-A OBJ-Site-A-B-XLATE destination static OBJ-Site-B-XLATE OBJ-Site-B-and-C
nat (inside,outside) source static OBJ-Site-A OBJ-Site-A-C-XLATE destination static OBJ-Site-C-XLATE OBJ-Site-B-and-C
!

[/box]

Now you need to create the ACL that will be used to define ‘interesting traffic’, i.e. traffic that will be encrypted. But unlike normal you will specify the XLATED addresses.

[box]

!
access-list VPN-2-Site-B extended permit ip object OBJ-Site-A-B-XLATE object OBJ-Site-B-and-C
access-list VPN-2-Site-C extended permit ip object OBJ-Site-A-C-XLATE object OBJ-Site-B-and-C
!

[/box]
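To see why the crypto ACL has to reference the XLATED addresses, here is a small Python model of the twice-NAT rules and crypto-map ACLs from both scenarios above (the single rule from Scenario 1’s ASA-1 and the two hub rules from Scenario 2’s ASA-1). This is an added example written for this page, not Cisco code or output from an ASA; the subnets, peers and ACL names are copied from the configs above, the host addresses (.7, .5, .10, .20) and the 8.8.8.8 Internet destination are constructed, and the order of operations it assumes is the ASA’s: manual NAT first, then the crypto map sees the translated header.

```python
"""Twice-NAT and crypto-ACL model for the overlapping-subnet VPN designs on this page."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Packet = Tuple[IPv4Address, IPv4Address]  # (source, destination) of one IP header


def _shift(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Static NAT between two equal-size networks: keep the host part, swap the prefix."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static NAT needs equal-size real and mapped networks")
    return to_net[int(addr) - int(from_net.network_address)]


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (inside,outside) source static REAL MAPPED destination static MAPPED_DST REAL_DST'.
    Inside hosts address the remote site by its XLATED (mapped) subnet; on the way out the ASA
    rewrites source real->mapped and destination mapped->real in a single step."""
    real_src: IPv4Network
    mapped_src: IPv4Network
    mapped_dst: IPv4Network
    real_dst: IPv4Network

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        src, dst = pkt
        if src in self.real_src and dst in self.mapped_dst:
            return (_shift(src, self.real_src, self.mapped_src),
                    _shift(dst, self.mapped_dst, self.real_dst))
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Decrypted return traffic: undo both translations so the inside host sees the XLATED peer."""
        src, dst = pkt
        if src in self.real_dst and dst in self.mapped_src:
            return (_shift(src, self.real_dst, self.mapped_dst),
                    _shift(dst, self.mapped_src, self.real_src))
        return None


@dataclass(frozen=True)
class CryptoAce:
    """One line of a crypto-map 'match address' ACL, plus the peer that map entry points at."""
    acl: str
    src: IPv4Network
    dst: IPv4Network
    peer: str


def translate_out(rules: List[TwiceNat], pkt: Packet) -> Packet:
    for rule in rules:  # manual NAT rules are evaluated top-down, first match wins
        out = rule.outbound(pkt)
        if out is not None:
            return out
    return pkt  # no VPN NAT rule matched; ordinary outbound NAT (not modelled) would apply


def translate_in(rules: List[TwiceNat], pkt: Packet) -> Packet:
    for rule in rules:
        back = rule.inbound(pkt)
        if back is not None:
            return back
    return pkt


def match_crypto(aces: List[CryptoAce], pkt: Packet) -> Optional[CryptoAce]:
    """The crypto map is consulted AFTER NAT, so it only ever sees the translated header."""
    src, dst = pkt
    return next((a for a in aces if src in a.src and dst in a.dst), None)


def trace(rules: List[TwiceNat], aces: List[CryptoAce], src: str, dst: str) -> Dict[str, object]:
    """Follow one inside host's packet: NAT first, then the crypto-map lookup."""
    pre = (ip_address(src), ip_address(dst))
    post = translate_out(rules, pre)
    ace = match_crypto(aces, post)
    return {"post_nat": (str(post[0]), str(post[1])),
            "tunnel": ace.acl if ace else None,
            "peer": ace.peer if ace else None,
            # why the ACL must use XLATED addresses: the untranslated header never matches it
            "untranslated_would_match": match_crypto(aces, pre) is not None}


def reply_path(rules: List[TwiceNat], src: str, dst: str) -> Tuple[str, str]:
    """Header of a decrypted reply after the ASA undoes the translation (what the inside host sees)."""
    back = translate_in(rules, (ip_address(src), ip_address(dst)))
    return (str(back[0]), str(back[1]))


N = ip_network  # constructed sample topologies, taken from the configs on this page
# Scenario 2, ASA-1 (hub): Site A is 192.168.2.0/24; Sites B and C are both 192.168.1.0/24
HUB_NAT = [TwiceNat(N("192.168.2.0/24"), N("10.1.1.0/24"), N("172.16.1.0/24"), N("192.168.1.0/24")),  # Site B
           TwiceNat(N("192.168.2.0/24"), N("10.1.2.0/24"), N("172.16.2.0/24"), N("192.168.1.0/24"))]  # Site C
HUB_CRYPTO = [CryptoAce("VPN-2-Site-B", N("10.1.1.0/24"), N("192.168.1.0/24"), "2.2.2.2"),
              CryptoAce("VPN-2-Site-C", N("10.1.2.0/24"), N("192.168.1.0/24"), "3.3.3.3")]
# Scenario 1, ASA-1: both ends are really 192.168.1.0/24
S1_NAT = [TwiceNat(N("192.168.1.0/24"), N("172.16.1.0/24"), N("172.16.2.0/24"), N("172.16.2.0/24"))]
S1_CRYPTO = [CryptoAce("VPN-INTERESTING-TRAFFIC", N("172.16.1.0/24"), N("172.16.2.0/24"), "2.2.2.2")]

if __name__ == "__main__":
    print(trace(HUB_NAT, HUB_CRYPTO, "192.168.2.7", "172.16.1.5"))  # Site B tunnel as 10.1.1.7 -> 192.168.1.5
    print(trace(HUB_NAT, HUB_CRYPTO, "192.168.2.7", "172.16.2.5"))  # Site C tunnel as 10.1.2.7 -> 192.168.1.5
    print(reply_path(HUB_NAT, "192.168.1.5", "10.1.2.7"))           # reply from C shows up as 172.16.2.5
```

Running it shows the hub sending 192.168.2.7 -> 172.16.1.5 into the Site B tunnel as 10.1.1.7 -> 192.168.1.5, the same host reaching Site C via 172.16.2.5 as 10.1.2.7 -> 192.168.1.5, and the 10.1.x.0/24 mapped source being the only thing that tells the two replies from 192.168.1.0/24 apart on the way back.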

The rest of the VPN config is the same as normal, here I’m using IKEv2. If you have to use IKEv1 see the link at the bottom of the page.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
tunnel-group 3.3.3.3 type ipsec-l2l 
tunnel-group 3.3.3.3 ipsec-attributes 
pre-shared-key 1234567 
ikev2 remote-authentication pre-shared-key 1234567 
ikev2 local-authentication pre-shared-key 1234567 
isakmp keepalive threshold 10 retry 2 
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-2-Site-B
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP 2 match address VPN-2-Site-C 
crypto map CRYPTO-MAP 2 set peer 3.3.3.3 
crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.


ASA-2 Config

Unusually, the remote end (sometimes referred to as a ‘spoke’) does not need to be a mirror image of the main site. This is because we are sending VPN traffic ‘back’ from 192.168.1.0/24 to the XLATED subnet 10.1.1.0/24.

[box]

!
object network OBJ-Site-B
subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-XLATE
subnet 10.1.1.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-B OBJ-Site-B destination static OBJ-Site-A-XLATE OBJ-Site-A-XLATE
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-Site-B object OBJ-Site-A-XLATE
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.


ASA-3 Config

Unusually, the remote end (sometimes referred to as a ‘spoke’) does not need to be a mirror image of the main site. This is because we are sending VPN traffic ‘back’ from 192.168.1.0/24 to the XLATED subnet 10.1.2.0/24.

[box]

!
object network OBJ-Site-C
subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-XLATE
subnet 10.1.2.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-C OBJ-Site-C destination static OBJ-Site-A-XLATE OBJ-Site-A-XLATE
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-Site-C object OBJ-Site-A-XLATE
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.


Related Articles, References, Credits, or External Links

Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI)

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

Cisco ASA ‘Ping Source?’

KB ID 0001445

Problem

To be honest, the title is a little misleading: on an ASA you can specify which interface to launch a ‘ping’ from, but that’s it. I found myself in a situation today where I was working on a client firewall and trying to bring up a VPN tunnel, and I did not have access to any of their machines, and nor did they (hence the reason for the VPN tunnel!)

Well, we can’t use good old-fashioned ping and specify an IP that’s not one of the ASA’s interfaces, but we can use TCP PING.

Note: You need ASA version 8.4(1) or above to use ‘tcp ping’.

Solution

What’s TCP Ping? Well, it uses TCP and sends SYN packets to the other end, then waits for the acknowledgements (SYN-ACKs) to come back, thus testing communication.

Warning: You need to know what ports are open on the other side; the default is port 80, so if there’s no web server running on the other end, it won’t reply. So TCP port 445 would be good for a Windows machine, or TCP 3389 (RDP) if it’s a server with RDP enabled! Or TCP 22 if it’s a Linux box with SSH enabled.

How does this help me bring up my VPN tunnel? Well, it sends TCP SYN traffic from and to the IP addresses you should have in your VPN crypto map, so the tunnel will try to establish (assuming you configured both ends correctly!)

Here I’m using TCP 53 (DNS), as I know the server is a Windows DNS server.

[box]

Petes-ASA# ping tcp
Interface: inside
Target IP address: 172.16.1.10
Destination port: [80] 53
Specify source? [n]: y
Source IP address: 192.168.200.10
Source port: [0] 1024
Repeat count: [5] {Enter}
Timeout in seconds: [2]{Enter}
Type escape sequence to abort.
Sending 5 TCP SYN requests to google port 53
from 192.168.200.10 starting port 1024, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Petes-ASA#

[/box]

And my VPN is now up!
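The same check done from a host rather than from the ASA, as an added example that is not part of the original article: a TCP connect probe that counts a success only when the three-way handshake completes, which is what ‘ping tcp’ is counting with its ‘!’ characters. It runs offline against a listener it starts itself on 127.0.0.1 (a constructed stand-in for the remote server); the source address option mirrors the ‘Specify source?’ prompt above, and a refused or timed-out connect is what you see when the port is closed or the tunnel has not come up.

```python
"""Connect-based TCP reachability probe, the idea behind the ASA 'ping tcp' command."""
import socket
import threading
from typing import Dict, List, Optional


def tcp_ping(target: str, port: int, count: int = 5, timeout: float = 2.0,
             source: Optional[str] = None) -> List[bool]:
    """Make `count` TCP connection attempts to target:port.

    True  = handshake completed (SYN out, SYN-ACK back): something is listening there.
    False = reset (port closed) or nothing within `timeout` (filtered, unroutable,
            or a VPN tunnel that has not established yet).
    """
    results: List[bool] = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            if source is not None:
                s.bind((source, 0))  # choose the source IP (ephemeral port), as 'Specify source? y' does
            s.connect((target, port))
            results.append(True)
        except OSError:  # ConnectionRefusedError and socket.timeout are both OSError subclasses
            results.append(False)
        finally:
            s.close()
    return results


def summarise(results: List[bool]) -> Dict[str, object]:
    """Condense the attempts into the shape the ASA prints: a bang line plus a success rate."""
    ok = sum(results)
    return {
        "sent": len(results),
        "received": ok,
        "success_rate": (100 * ok // len(results)) if results else 0,
        "bang_line": "".join("!" if r else "." for r in results),
    }


def _accept_loop(ports: List[int], ready: threading.Event, stop: threading.Event) -> None:
    """Constructed stand-in for the remote server: accept and immediately close connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    ports.append(srv.getsockname()[1])
    srv.settimeout(0.2)
    ready.set()
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
            conn.close()
        except socket.timeout:
            continue
    srv.close()


def demo() -> Dict[str, Dict[str, object]]:
    """Probe an open and a closed port on localhost so both outcomes can be compared offline."""
    ports: List[int] = []
    ready, stop = threading.Event(), threading.Event()
    server = threading.Thread(target=_accept_loop, args=(ports, ready, stop), daemon=True)
    server.start()
    ready.wait(2)
    open_port = ports[0]
    # find a port with no listener: bind to an ephemeral one, note its number, release it
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return {
            "open": summarise(tcp_ping("127.0.0.1", open_port, source="127.0.0.1")),
            "closed": summarise(tcp_ping("127.0.0.1", closed_port, timeout=1.0)),
        }
    finally:
        stop.set()
        server.join(2)


if __name__ == "__main__":
    for name, summary in demo().items():
        print(f"{name}: {summary['bang_line']}  success rate {summary['success_rate']} percent "
              f"({summary['received']}/{summary['sent']})")
```

Against a real peer, swap 127.0.0.1 for the remote host behind the tunnel and the source for an address in your own interesting-traffic subnet; as with the ASA command, a string of dots against a host you know is up usually means the wrong port, not a dead tunnel.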

Related Articles, References, Credits, or External Links

NA

Cisco Stacking 2960-X Catalyst Switches

KB ID 0001444

Problem

You can stack up to 8 2960-X switches*; you will require the stack modules and cables (shown below).

*Note: If you are studying for an exam, and the question is about StackWise, the answer is 9.

Solution

Stack Modules: Power down the switch, remove the blanking plate and fit the module; then, once powered on, you can use the show inventory command to make sure the module has been detected correctly.

[box]

Switch#show inventory
NAME: "1", DESCR: "WS-C2960X-48FPD-L"
PID: WS-C2960X-48FPD-L , VID: V07 , SN: FCW2213B2XX
NAME: "Switch 1 - FlexStackPlus Module", DESCR: "Stacking Module"
PID: C2960X-STACK , VID: V02 , SN: FOC221410XX

Switch#
[/box]

Setting a Stack Master: If you do nothing and simply connect up a stack, then power it on, the switches have an ‘election’ and the one with the lowest MAC address becomes the master. This is a bit bobbins, so I prefer to configure a switch to be master by increasing its priority. This is a number between 1 and 15 (highest wins), and all switches have a priority of 1 out of the box.

I typically set the ‘top’ switch as the stack master and set its priority to 15.

[box]

Switch#configure terminal
Switch(config)#switch 1 priority 15
Changing the Switch Priority of Switch Number 1 to 15
Do you want to continue?[confirm]{Enter}	
New Priority has been set successfully

TO CONFIRM
Switch#show switch
Switch/Stack Mac Address : 5061.bf51.dd80
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 5061.bf51.dd80     15     4       Ready


Switch#
[/box]

Then cable the switches together with the stack cables. If you are cabling two switches together then cable like so;

If cabling more switches, then cable stack port 1 of a switch to port 2 of the switch below it, and keep going; then on the bottom switch cable port 1 back up to port 2 on the top switch (to make a ring).

Then power everything on and check the stack is up;

[box]

Switch#show switch detail
Switch/Stack Mac Address : 5061.bf51.dd80
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 5061.bf51.dd80     15     4       Ready
 2       Member 5061.bf51.de00     1      4       Ready

         Stack Port Status             Neighbors
Switch#  Port 1     Port 2           Port 1   Port 2
--------------------------------------------------------
  1        Ok         Ok                2        2
  2        Ok         Ok                1        1

[/box]

Note: You can use ‘show switch stack-ports’ to get the second half of that output only.

Check the switch stack ring;

[box]

Switch#show switch stack-ring speed

Stack Ring Speed        : 20G
Stack Ring Configuration: Full
Stack Ring Protocol     : FlexStack

[/box]

My ring speed is only 20G? Yes, that’s correct 🙂

Cisco say it’s supposed to be 80G? Yeah, marketing piffle, sorry: with two rings at full duplex it’s rated at four times the bandwidth, and that’s where they get this figure from.

You can now configure all the interfaces from one management IP. Note: to select all the interfaces, use the following syntax;

[box]

Switch(config)#interface range gi1/0/1-48,gi2/0/1-48

[/box]

Related Articles, References, Credits, or External Links

Cisco Stacking 3750 Switches

HP BL460c (Gen 10) Blade No RAID?

KB ID 0001443

Problem

While spinning up some new BL460c (Gen 10) blades for a client, I noticed there was no RAID option? They were going to be VMware ESX hosts and had two SSD drives, so I just accepted the default, and my ESX server saw a LUN for each drive and I created two datastores on each host.

The client wanted them changing to RAID1 (fair enough) so I revisited the drive setup.

Solution

WARNING: Before you proceed, enabling Smart Array S100i SR is NOT CURRENTLY SUPPORTED in VMware (you won’t even see a storage controller if you carry out the following procedure). You will need a HPE Smart Array P204i-b SR instead!

Boot the server and press F9 > BIOS/Platform Configuration (RBSU) > Storage Options > SATA Controller Option > change the setting to “Smart Array SW RAID Support”.

These are new blank drives right? If so, accept the warning.

Now you can boot into Intelligent Provisioning (F10) > Launch Smart Storage Administrator > And now you can configure RAID.

Note: If you have a P204i-b SR RAID card, then it will look like this, (and will work fine with VMware.)

Related Articles, References, Credits, or External Links

NA

vSphere: Setup Domain Authentication via PSC

KB ID 0001442

Problem

If you separate your PSC (Platform Services Controller) and your vCenter, then you can set up domain authentication on your PSC.

Solution

Log into the web console of the PSC > Appliance Settings > Manage > Active Directory > Join > Supply the domain name, a domain username and password > OK.

You will see it has been successful as you now have a ‘Leave’ button.

Configuration > Identity Sources > Add.

Set Identity source type to ‘Active Directory (Integrated Windows Authentication)’ > Enter the domain name > ‘use machine account’ > OK.

Select the newly added domain > Click ‘Set as Default Domain’.

Users and Groups > Groups > Administrators > Add.

Change the domain to your Windows domain > Search for your Group. (Note: I have created a group called VMware_Admins, you might simply want to use Domain Admins) > OK.

Select the group > Add.

Swap Over To Your vCenter Server

Select the vCenter > Permissions > Select the Administrator Role > Add.

Just as above, change domain and search for your group then add it in.

Related Articles, References, Credits, or External Links

NA

Mac OSX: ‘Cannot Send F11 Keystroke’

KB ID 0001441

Problem

I was building some HP blade servers today via iLO, and while trying to install ESX, I reached this stage;

Pressing F11 on a Mac just increases the volume, and with the other function keys (F1 to F10) you simply press ‘fn’ and the appropriate F key, and it works properly. But not with F11: on a Mac, ‘Fn+F11’ just shows you your desktop.

Even changing function keys in the keyboard settings has no effect!

Solution

System Preferences > Mission Control.

Change ‘Show Desktop’ to another key (in this case F13).

Problem solved!

Related Articles, References, Credits, or External Links