Cisco ASA: VPNs With Overlapping Subnets

KB ID 0001446

Problem

I’ve seen this pop up a few times in forums, and I’ve even seen people post “It can’t be done, you will need to change one of the subnets,” but to be honest, it’s not that difficult.

We simply have to do some NAT. This is the bit people struggle with: with VPNs we usually need to STOP NAT being applied to VPN traffic, and we still do; we simply NAT the traffic to the translated addresses first, and it is that translated traffic we send over the tunnel.

Overlapping networks can trip you up in one of TWO scenarios;

Scenario 1 (The other end overlaps with YOU)

Scenario 2 (Two endpoints overlap with EACH OTHER)

Solution

Scenario 1 (The other end overlaps with YOU)

Firstly you need to pick another subnet for BOTH ends, and this is the subnet the other end will THINK it’s talking to, sometimes this is called an XLATED subnet, or a PSEUDO subnet, or a MASQUERADE subnet.

ASA-1 Config

Firstly we need to create THREE objects, (instead of the usual TWO). Then take note of the syntax of the NAT statement;

[box]

!
object network OBJ-Site-A
 subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-XLATE
 subnet 172.16.1.0 255.255.255.0
object network OBJ-Site-B-XLATE
 subnet 172.16.2.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-A OBJ-Site-A-XLATE destination static OBJ-Site-B-XLATE OBJ-Site-B-XLATE
!

[/box]

Note: Above, I’m assuming your interfaces are called inside and outside!

Now you need to create the ACL that will be used to define ‘interesting traffic’, i.e. traffic that will be encrypted, but unlike normal you will specify the XLATED addresses. This is because the ASA applies NAT before it matches traffic against the crypto map ACL, so the ACL has to describe the translated flow.

[box]

!
access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object OBJ-Site-A-XLATE object OBJ-Site-B-XLATE
!

[/box]

The rest of the VPN config is the same as normal, here I’m using IKEv2. If you have to use IKEv1 see the link at the bottom of the page.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.

ASA-2 Config

As with most site to site VPN configs, the ‘other-end’ should be a mirror image, like so;

[box]

!
object network OBJ-Site-B
 subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-B-XLATE
 subnet 172.16.2.0 255.255.255.0
object network OBJ-Site-A-XLATE
 subnet 172.16.1.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-B OBJ-Site-B-XLATE destination static OBJ-Site-A-XLATE OBJ-Site-A-XLATE
!
access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object OBJ-Site-B-XLATE object OBJ-Site-A-XLATE
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.


Scenario 2 (Two endpoints overlap with EACH OTHER)

Firstly you need to pick another subnet for BOTH of the ends with the overlapping subnet, and this is the subnet that your end will THINK it’s talking to, sometimes this is called an XLATED subnet, or a PSEUDO subnet, or a MASQUERADE subnet.

Then you will need to create TWO more, for the remote ends to TALK BACK TO.

Note: If you already have a VPN to one of the sites, then this process will replace that, and create one for the second site. So if you already have one tunnel you are going to need to either REMOVE it or change the NAT and interesting traffic ACL. (Note: If you delete the ACL used by a crypto map, then it disappears from the crypto map! So you need to manually add it back). From this point forward I will assume we are creating BOTH tunnels from scratch.

ASA-1 Config

We need four XLATE objects (one for each direction of each tunnel), and two objects for the actual endpoints, (as Sites B and C have the same REAL subnet we can use one object for both). Then we create a NAT statement for each tunnel.

[box]

!
object network OBJ-Site-A
 subnet 192.168.2.0 255.255.255.0
object network OBJ-Site-B-and-C
 subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-B-XLATE
 subnet 10.1.1.0 255.255.255.0
object network OBJ-Site-A-C-XLATE
 subnet 10.1.2.0 255.255.255.0
object network OBJ-Site-B-XLATE
 subnet 172.16.1.0 255.255.255.0
object network OBJ-Site-C-XLATE
 subnet 172.16.2.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-A OBJ-Site-A-B-XLATE destination static OBJ-Site-B-XLATE OBJ-Site-B-and-C
nat (inside,outside) source static OBJ-Site-A OBJ-Site-A-C-XLATE destination static OBJ-Site-C-XLATE OBJ-Site-B-and-C
!

[/box]

Now you need to create the ACL that will be used to define ‘interesting traffic’, i.e. traffic that will be encrypted. But unlike normal you will specify the XLATED addresses.

[box]

!
access-list VPN-2-Site-B extended permit ip object OBJ-Site-A-B-XLATE object OBJ-Site-B-and-C
access-list VPN-2-Site-C extended permit ip object OBJ-Site-A-C-XLATE object OBJ-Site-B-and-C
!

[/box]

The rest of the VPN config is the same as normal, here I’m using IKEv2. If you have to use IKEv1 see the link at the bottom of the page.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-2-Site-B
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP 2 match address VPN-2-Site-C
crypto map CRYPTO-MAP 2 set peer 3.3.3.3
crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.


ASA-2 Config

Unusually, the remote end (sometimes referred to as a ‘spoke’) does not need to be a mirror image of the main site, this is because we are sending VPN traffic ‘back’ from 192.168.1.0/24, to the XLATED subnet 10.1.1.0/24.

[box]

!
! Site B's REAL subnet, the same 192.168.1.0/24 that Site C uses
object network OBJ-Site-B
 subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-XLATE
 subnet 10.1.1.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-B OBJ-Site-B destination static OBJ-Site-A-XLATE OBJ-Site-A-XLATE
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-Site-B object OBJ-Site-A-XLATE
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.


ASA-3 Config

Unusually the remote end (sometimes referred to as a ‘spoke’) does not need to be a mirror image of the main site, this is because we are sending VPN traffic ‘back’ from 192.168.1.0/24, to the XLATED subnet 10.1.2.0/24.

[box]

!
! Site C's REAL subnet, the same 192.168.1.0/24 that Site B uses
object network OBJ-Site-C
 subnet 192.168.1.0 255.255.255.0
object network OBJ-Site-A-XLATE
 subnet 10.1.2.0 255.255.255.0
!
nat (inside,outside) source static OBJ-Site-C OBJ-Site-C destination static OBJ-Site-A-XLATE OBJ-Site-A-XLATE
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-Site-C object OBJ-Site-A-XLATE
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING: If you already have VPNs then change CRYPTO-MAP (above) to the name of your existing crypto map.
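To check the pattern before you paste it in, here is an added example (not from this article, nor Cisco's code) covering both scenarios above: a small Python helper that checks no REAL or XLATED subnet collides with another, emits the object, twice-NAT and crypto-ACL lines for one end of a tunnel in the form used above, and returns the post-NAT flow that end will encrypt, so you can confirm the two ends mirror each other (a spoke object typed with the wrong subnet shows up as a selector mismatch). The function names are my own; the addresses and object names are the Scenario 2 values from this article.

```python
import ipaddress

def check_no_overlap(subnets):
    """Raise if any two subnets in the design (real or XLATE) overlap; the
    XLATE subnets are what the far end routes to, so they must be unique."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True

def asa_mask(s):
    """'10.1.1.0/24' -> '10.1.1.0 255.255.255.0' (ASA object syntax)."""
    n = ipaddress.ip_network(s, strict=True)
    return f"{n.network_address} {n.netmask}"

def tunnel_config(local, local_xlate, remote_seen, remote_real, acl):
    """Config for ONE end of ONE tunnel. Every arg but acl is (object, subnet):
      local        this end's real subnet
      local_xlate  what the peer sees as the source (same as local if untranslated)
      remote_seen  what hosts here address the peer by
      remote_real  what that becomes after NAT (same as remote_seen if untranslated)
    Returns (lines, selector): selector is the post-NAT (src, dst) the crypto ACL
    matches, i.e. the IKEv2 traffic selector the peer must mirror."""
    lines = []
    for name, subnet in dict([local, local_xlate, remote_seen, remote_real]).items():
        lines += [f"object network {name}", f" subnet {asa_mask(subnet)}"]
    lines.append(f"nat (inside,outside) source static {local[0]} {local_xlate[0]} "
                 f"destination static {remote_seen[0]} {remote_real[0]}")
    lines.append(f"access-list {acl} extended permit ip "
                 f"object {local_xlate[0]} object {remote_real[0]}")
    return lines, (local_xlate[1], remote_real[1])

def selectors_mirror(hub_sel, spoke_sel):
    """True when the two ends will encrypt mirror-image flows."""
    return hub_sel == (spoke_sel[1], spoke_sel[0])

# Scenario 2, hub (Site A) <-> spoke B, using the article's addressing (constructed sample).
HUB_B, HUB_SEL = tunnel_config(("OBJ-Site-A", "192.168.2.0/24"),
                               ("OBJ-Site-A-B-XLATE", "10.1.1.0/24"),
                               ("OBJ-Site-B-XLATE", "172.16.1.0/24"),
                               ("OBJ-Site-B-and-C", "192.168.1.0/24"), "VPN-2-Site-B")
SPOKE_B, SPOKE_SEL = tunnel_config(("OBJ-Site-B", "192.168.1.0/24"),
                                   ("OBJ-Site-B", "192.168.1.0/24"),
                                   ("OBJ-Site-A-XLATE", "10.1.1.0/24"),
                                   ("OBJ-Site-A-XLATE", "10.1.1.0/24"), "VPN-INTERESTING-TRAFFIC")
```

Print `"\n".join(HUB_B)` to get the lines to paste; the same call with the Scenario 1 objects (both ends translated) produces the mirror-image configs shown earlier.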


Related Articles, References, Credits, or External Links

Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI)

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

MAC OSX – Connecting to Cisco IPSEC VPN

KB ID 0001197

Problem

Here we are dealing with the older IPSEC VPN method of remote VPNs, NOT AnyConnect. There is/was a VPN client for Mac OSX which you can still download. But modern versions of OSX have the Cisco IPSec VPN client built into them. 

I’m assuming you have already configured the firewall, if not see the article below;

Cisco ASA5500 Client IPSEC VPN Access

Solution

Open your network preferences and add in a new connection > Interface = VPN > VPN Type = Cisco IPSec > Service Name = A sensible name you will recognise, (like connection to work, or home  etc.)


Server address is the public IP, (or name if you have DNS setup*) of your Cisco Firewall > Enter your VPN username > I don’t put in the password, so I will have to type it in manually > Click Authentication Settings.

*For DNS you will need a static public IP, and a registered domain name. The ASA DOES NOT support DNS updates to online services like DynDNS or No-IP etc. It does support DDNS, but that means the server that leases you your public address is supposed to update your DNS for you, and unless you are your own ISP, and you host your own public DNS records, this won’t work!

Here you need to supply the ‘shared secret’ for the VPN tunnel, and the Group Name. Your firewall admin should give these to you.  If they don’t know, tell them to run ‘more system:running-config’ on the firewall and give you the shared secret and ‘group-policy’/’tunnel-group’ name for this remote VPN  > OK.

Nearly every time you will use DHCP: the firewall will either lease you an address from a ‘pool’ of VPN addresses, or broker the connection and use your internal DHCP server.

Now to connect the VPN, select the icon shown, and click your Cisco VPN, (in the picture I have two).

If you didn’t put your password in during setup, you will be prompted to enter it to continue.

It does not work?

With all things Cisco, if there’s a problem your easiest way to a solution is to run a ‘debug’ on the firewall. Execute the following two commands on the firewall, and attempt to connect again; this should point you in the right direction.

[box]

debug crypto isakmp 127
debug crypto ipsec 127

[/box]

Related Articles, References, Credits, or External Links

iPhone and iPad – Configure the Cisco VPN Client