Cisco VPN :: ASA 5510 / VPN Client With Overlapping Private Networks?

Jun 6, 2012

I have a new customer that needs to send data to us occasionally. We normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
 
I know this could be done with NAT policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have a cable router with no VPN capability, and they don't want to spend any more money on this project.
 
Can this work if there is no duplication of IP addresses?


Cisco VPN :: ASA 5510 / LAN-to-LAN IPsec VPN With Overlapping Networks?

Feb 14, 2012

I'm trying to connect two overlapping networks via IPsec.

Details: Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 as inside networks. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed. Site_B uses a Linux box and networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA; we took over this infrastructure without any documentation whatsoever.
 
According to the link posted above I should use dual NAT. Site_B will see networks in Site_A as 10.26.0.0/22, and Site_A will see networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence the /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination IP address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host on Cisco routers - I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link posted above everything is OK until the command:
 
static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
 
which results in:
 
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static

[code]...


Cisco Firewall :: ASA 8.3 NAT Overlapping Networks?

Apr 18, 2011

How to make NAT work for some future projects (remote offices with overlapping networks, L2L VPN with overlapping networks, etc). Using this as a guide [URL] I was able to get it to work using an ASA and a router (initial configuration below). I'm able to ping from host 1 to 40.40.40.2 (host 2) and it works, as does pinging from host 2 to 50.50.50.2 (host 1). The issue I'm having now is that I've replaced that router with another ASA (second configuration below). Once I've done that, I can no longer reach the end device with the NAT'd IP address. If I take out ASA1 and swap in a router (basically reversing the router/ASA in the initial configuration) it works fine as well. I'm only seeing issues when using two ASAs. I've verified that ICMP and telnet are permitted inbound on the ASAs as well. I even tried separating the final host with another router (third configuration).

Initial configuration:
 
Host 1 --------------------------- Router -------------------------- ASA--------------------------- Router ---------------------- Host 2
30.30.30.2                    e0: 30.30.30.1                 in: 10.10.10.2               e1: 20.20.20.1             30.30.30.2
NAT: 50.50.50.2            e1: 10.10.10.1               out: 20.20.20.2               e0: 30.30.30.1             NAT: 40.40.40.2

[code]....


Cisco WAN :: How Many Private Networks 2800 Supports

Oct 29, 2011

I have two Cisco 2800 routers and three different networks. Can Cisco routers support more than one private network? For example, at my first location I have one public connection of 200.100.100.1 and a private network of 192.168.1.x, and on the second router I have one public connection of 200.100.100.10 and two private networks, 192.168.50.x and 192.168.60.x. So can I route my first location to these two different networks, given that my router has only two FastEthernet connections? Is it possible or not?


Cisco VPN :: ASA 5505 - Access Two Private Networks

Dec 4, 2011

I have a Cisco 5505 and I configured remote VPN clients. Here is my scenario:
 
Cisco switch 2950 === holds two private networks, 192.168.8.x and 192.168.4.x

Vlan 2 outside interface - Eth 0/0 155.155.155.x

Vlan 1 inside interface -- Eth 0/1 192.168.8.180

VPN pool IP addresses = 192.168.8.100-110
 
I ran a cable from my Cisco switch and plugged it into Eth0/1, and I want to access these two private networks, 192.168.4.x and 192.168.8.x. Now I can access 192.168.8.x, but I can't access 192.168.4.x.


Cisco Routers :: RV042 Route Between Two Private Networks And One ISP

Nov 2, 2011

I have two private networks and want/need to route traffic between them. I also have an ISP connection and want/need to provide internet to at least one of the private networks. Providing internet access to both is not required or desired.
 
Can this be accomplished with an RV042? If so, how?
 
P.S. The problem space, once again, in a non-narrative form with some addresses thrown in:

Private Network A: 192.168.200.0/24
Private Network B: 10.50.3.96/27
ISP Network C: 192.168.0.0/24, gateway 192.168.0.1; 192.168.0.2 is the WAN1 address on the RV042

Required Traffic Flow
A <--> B
A ---> C


Cisco WAN :: 3750G - Dynamic Routing Between Private Networks

Mar 13, 2011

How to redistribute routes between three independently managed private networks.

Currently (see attachment): The two buildings managed by Company 1 are connected by 4x1GB fibre channel ports on Cisco 3750G Standard Image switches. Static routing is used between the two buildings, and static routes are used to direct traffic to Company 2 and Company 3 via routers managed by their respective companies. No NAT is required as all three companies use separate private address schemes.

Network Improvements (see attachment): To increase network resilience, Company 2 and Company 3 are planning on installing new routers in building 2. Companies 2 and 3 use dynamic routing protocols on their internal networks. Incoming and outgoing resilience is required in all three companies. There is no direct connectivity between Company 2 and 3.

I would like the following questions answered:

1. Is dynamic routing needed in Company 1?

2. Given that only 4 devices are managed by Company 1 will RIPv2 work? NB. Company 2 and 3 have very large networks (3000+ sites).

3. Would route redistribution be best performed on Company 2 and 3's CE routers?

4. How can route redistribution be controlled by Company 1?


Cisco :: Dealing With Security When Merging Private And Public Networks?

Jul 18, 2011

We have a private network, multiple VLANs etc. for our domain users/employees across several amenities. We also have a public network, managed for us by a 3rd party, for guests/conference rooms/attendees. The private network is all static IPs, MAC-restricted port security, as strict as possible from a security and PCI compliance standpoint. The public network is all DHCP with hundreds of users. Having them physically separate has always been the best option: separate switches, server, and I even have the uplinks separated on a 3825 router. However, unfortunately it seems as though that luxury is coming to an end. One of the meetings that is taking place is going to be at one of our outer amenities, so I've got to push that "public" network through my network, over my backhaul to the other side.

My suggestion was to create a new VLAN on the switches with the shortest path possible to get where it needs to go. This way the traffic never goes through our ASA, and it has a small footprint on our network: it plugs into the switch access port with the dedicated VLAN at the entry point into our network, and leaves from an access port on the other end. To me that seems to be the best/most secure way to handle it. We're also in the process of rolling out public WiFi through the entire property, and since we'll want to push both public and private VLANs over it, merging the two networks to a point is only inevitable. Especially since it will be going through a controller and the property covers a good 7000 acres.

A good IDS/IPS... Other than already having port security on every port, I'd definitely like to know if somebody inadvertently cross-connects the two networks and it starts flooding whatever VLAN access port it's plugged into with DHCP, especially since a lot of the laptop users on the domain are set to DHCP first with a static in the alternate for working at the office and remote.


Cisco Firewall :: Two Private Networks On ASA5510 With Default ISP Gateway?

Mar 11, 2013

Currently a network consists of two subnets: one subnet is behind an ASA and the other behind a PIX, both connecting to the ISP's routers. If the PIX is retired, is it possible to create/consolidate the two networks protected by the ASA5510, with the default gateway being the ISP?
 
How can two private networks be protected by the ASA5510? One conceptual way is to create the VLANs on a layer 3 switch on the "inside" interface of the ASA. In this scenario, what would the "inside" network's IP address be? If the above is possible, how would NATting occur?
 
Is there an efficient configuration to protect two networks with the 5510, other than creating a DMZ?
 
Is it possible to create two private networks with the same security level, 100, on three network interface connections?


Multiple Private Networks Allowing Access To Printer?

Apr 10, 2013

I am looking to create an office network with each person having internet access but on a private network. However, everyone will need to be able to access a communal printer. Would they be able to see it if they were all on a different subnet, or would I need to set up VLANs?


Routers / Switches :: Office VOIP With Multiple Private Networks?

Jan 23, 2011

I'm going to move offices into a shared situation with 3 companies. Each company will want its own private network so there's no snooping between companies. I am planning on using VOIP for the phone system (Nextiva cloud based). Is it possible to set up the system so that each company has access to the VOIP system but remains sequestered in its own network for everything else? I was hoping to do this with one data port at each workstation using Cisco SPA-303 phones. The way I understand this, the phone plugs into the data port and you daisy chain the workstation off each phone. Is it possible to do this while having the system I described? Another wrinkle is that I'd also like all the networks to be able to access shared printers.


Cisco Switching/Routing :: 3750V - Mixing Public And Private Networks On Same Switch

Oct 23, 2012

We have many remote offices where we want to add public WiFi and a couple of other services that would be completely outside of our internal network. Each office has a 3750 with plenty of open ports. How can I safely create a VLAN for public access on these switches, which currently carry our internal network? I have read that people are doing this to save on the cost of purchasing a dedicated switch. Some people are using access lists, and one person mentioned creating a private VLAN for the public network. I looked up private VLANs and it seemed a bit confusing.


Cisco WAN :: ASA 5510 With Private IP Address On WAN

Feb 8, 2012

I recently got a high speed link for my company to replace the old frame relay. The internet service provider gave me a non-routable range to set on my ASA, like this: [code] Then the ISP told me my public WAN IP range was x4.23.209.166/29. I made this kind of configuration work when I put a Cisco router in front of the Cisco ASA, like this: [code] Is it possible to make this work on a Cisco ASA 5510 without putting a router in front? If it works, can problems occur establishing a VPN from the outside interface when it has a private IP?


Cisco Firewall :: Map Public IP To Private In DMZ In ASA 5510?

Jul 22, 2012

I am now using an ASA 5510 as a firewall device. I have configured 3 interfaces, Ethernet 0/0, Ethernet 0/1 and Ethernet 0/2, as the WAN interface, DMZ interface and internal LAN interface. Internet is working fine from the LAN as well as the DMZ. The WAN interface uses the public point-to-point IP (/30) provided by the ISP, and another pool of public IPs (/28) is also provided by the ISP. Now I want to map the /28 IPs to some servers in the DMZ. The DMZ servers currently have 192.168.101.0/27 private IPs. The problem is how to map the public IPs to those private IPs on the DMZ servers.


Cisco Firewall :: 5510 NAT Public Ip To Private

Sep 5, 2012

We have the setup as shown above; our requirement is to access the mail server via the SMTP and POP3 ports. But as the mail server is hosted on the internet, users at the site were not able to access it. We need to NAT an intranet IP to the mail server IP, and the mail server IP back to the intranet IP, and provide the access. We use an ASA 5510 firewall.


Cisco WAN :: ASA 5510 / Cannot Access Internet From Private Network?

May 1, 2013

I'm setting up a Cisco ASA 5510. I did the setup for my public and private interfaces. From the management software I can ping any outside domain using my public interface, but when I try to do that from my private interface I cannot. Also, for some reason my IP phone connected to the private interface works (I'm able to make and receive calls), but from any computer that I connect to the private interface I cannot access the internet.


Cisco VPN :: 5510 Unable To Ping Any Of Private IPs At HQ From New Branch

Jun 25, 2012

We have had a successful site-to-site VPN working for several months now. It is an ASA 5510 at HQ to an ASA 5505 at a branch office in another state. We just added a second site-to-site VPN in another state, this time from HQ to a SonicWall TZ100. After plugging in the SonicWall to the Qwest modem in bridge mode, the tunnel came right up. I was unable to ping any of the private IPs at HQ from the new branch, but was able to use remote desktop into the servers and workstations at HQ. Also, all the computers show up when browsing the network from the new branch.
 
At the first branch we are able to ping both ways and use remote desktop both ways. When using packet tracer in ASDM on the HQ ASA and pinging from one of the IPs in the HQ protected network to an IP in the new branch network, NAT-EXEMPT looks good, but when it hits the first NAT it matches on the "dynamic translation to pool 10 (10.1.255.254) [Interface PAT]" (which is the default route for all the VLANs to get to the Internet). The next NAT (subtype - host-limits) looks better, and this one goes to the IP address of the outside interface of the HQ ASA 5510, but then the third NAT (subtype - rpf-check) reverts back to the "10 (10.1.255.254) [Interface PAT]" and the packet is DROPPED. Also there is no VPN step in Packet Tracer after NAT. [code]
 
Is the problem possibly due to the fact that my 2 new ACLs for "encrypt_acl-30" fall after "access-list global_mpc extended permit tcp any any" in the config and it is running into the implicit deny all?


Cisco VPN :: ASA 5505 - Twice NAT Across Site To Site Tunnel With Same Private Networks

Mar 30, 2013

I'm currently trying to configure a site-to-site tunnel between an IOS router and an ASA 5505 running 9.1.
 
When the private subnet of the IOS Router was 10.0.0.0/24 and the private subnet of the ASA was 172.16.1.0/24, it connected fine.
 
I'm now trying to set it up where both private networks are 10.0.0.0/24. I created network objects, edited the ACL for interesting traffic, and created the twice NAT translation rule, but the tunnels aren't coming up.
 
There is the IOS router (R1) and the ASA (F2). In between them is one router posing as the Internet that is just set up to allow both sides to reach their WAN addresses.
 
R1 and F2 have the same private network (10.0.0.0/24) and need to communicate. Twice NAT can be done all on the ASA to allow this, but I must be doing something wrong. The way I understand it, R1 should see the traffic coming from 10.51.0.0/24 and should send its traffic to that network. The ASA will take that traffic, and the inside network should see it come inbound as 10.50.0.0/24. So the F2 private network communicates with 10.50.0.0/24, and the R1 private network sends traffic to 10.51.0.0/24.
 
I turned on "debug crypto ipsec" and "debug crypto isakmp", but no output is showing up or giving any hint that it is trying to establish anything.
 
R1#show run
version 12.4
hostname R1
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.2.0.254

[Code]......


Cisco VPN :: 861 Easy VPN Software Client Unable To Access Few Networks

Feb 19, 2013

I have access to network 10.3.1.0/24, but I am not able to access 10.3.2.0/24 and other networks behind the Easy VPN server. I am using a software client to connect to the server. I have configured split tunnel for the network 10.3.0.0/16 and it shows up in the route details too. I can ping the 10.3.1.0 network but not 10.3.2.0 and so on. The Easy VPN server is configured on a Cisco 861 with VPN module. [code]


Cisco VPN :: ASA5520 - IPSec VPN Client And Multiple Target Networks

Sep 9, 2012

I am using an ASA 5520 running 8.2(4). My objective is to get a VPN client to access more than one network on the inside of the network, i.e., I need to VPN in with an IPSec client and be able to establish TCP connections to servers at 192.168.210.x, 10.21.9.x and 10.21.3.x. I believe I am close to having this resolved, but seem to have a routing issue.


Cisco :: Overlapping IP Ranges?

Jun 1, 2012

I am trying to troubleshoot / map out a large network with a freaking butt load of overlapping IP addresses.


Cisco Firewall :: ASA 5510 Cannot Talk To Remote Networks Connected

Mar 20, 2012

We have an inside interface, 192.168.10.0/23. We have an outside interface, public IP... We have the ASA connected to 5 site-to-sites; this is working fine, and through the internal interface we can access all remote sites and vice versa. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24. When a user connects via Cisco VPN Client they can see the inside network but can't talk to the connected remote networks, for instance 192.168.40.0/24... whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read [URL] and I am confused even more.


Cisco Firewall :: ASA 5510 - Unable To Communicate Between Interface Networks

Apr 20, 2011

I have an ASA 5510 working in routed mode for a company with the following networks. Everything works fine as desired. Below are the interfaces, security levels and IP addresses.
 
Ethernet0/0   DC_SERVER   security-level 100
ip address 172.16.11.12 255.255.255.0 
Ethernet0/1  Branches  security-level 50

[Code]....


Cisco VPN :: 5510 AnyConnect Unable To Reach Internal Networks

Sep 18, 2012

I have an ASA 5510 and configured client VPN, or AnyConnect VPN. When I connect to the ASA remotely using AnyConnect I am able to get an IP address as configured, and from the internal network I can ping and RDP to that AnyConnect VPN desktop. But the problem is that from the remote AnyConnect VPN client I am unable to access the internal network. When I use ASA packet tracer and check traffic from internal to the AnyConnect pool of addresses it gives the result OK, but when I use packet tracer to check traffic on the outside interface from the AnyConnect address pool to the internal subnet it always says the packet is dropped at WebVPN - SVC, and I can't find any related configuration for that anywhere.


Cisco Firewall :: ASA 5510 / Unable To Get Internal Networks Talking To Each Other

Apr 22, 2012

I am tasked with transferring all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:

192.168.0.0/24
192.168.43.0/24 (the intended migration network)
 
I am beating my head against the desk here, as I don't seem to be getting anywhere after the changes I have made. The current configuration is as such:
 
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names

[code]......
 
Upgrading the firmware is not really an option?


Cisco VPN :: 5510 / 5505 - Connect 2 Networks Via ASA Software Version 8.41

Feb 22, 2011

I use an ASA 5510 and an ASA 5505 and want to connect 2 networks via VPN. The ASA software version is 8.41. Network 1 has the address 192.168.90.0 and Network 2 has the address 192.168.5.0. I used the site-to-site VPN wizard on both ASAs and created the VPN connection. Do I need to create an ACL after that? The PCs on network 1 must have access to a resource in network 2. How do I create static routing to connect both networks?


Cisco Switching/Routing :: 10.10.10.10 / Outside NAT With Overlapping IPs In VRFs?

Apr 7, 2013

I have 10.10.10.10 in 2 VRFs (lite) on 2 different VLANs. What I would like to achieve: if I connect to 172.16.7.125 in the global VRF, then translate it to the VRF1 10.10.10.10 destination address; if I connect to 172.16.3.162 in the global VRF, then translate it to the VRF2 10.10.10.10 destination address. IMHO the solution is quite simple:

ip nat outside source static 10.10.10.10 172.16.7.125 vrf VRF1
ip nat outside source static 10.10.10.10 176.16.3.162 vrf VRF2

However the router thinks something else:

R1(config)# ip nat outside source static 10.10.10.10 172.16.7.125 vrf VRF1
R1(config)# ip nat outside source static 10.10.10.10 176.16.3.162 vrf VRF2
% 10.10.10.10 already mapped (172.16.7.125 -> 10.10.10.10)
 
IMHO this configuration should be valid. The global VRF has two IPs (172.16.7.125 and 172.16.3.162), while the 2 other VRFs work happily with the two identical 10.10.10.10 destinations as they should. The two translations should be easily distinguished as these are from two different VRFs. Either I am missing something or it is a problem in IOS.
 
IOS is 12.4(25f)
HW is 3845


Cisco WAN :: How To Handle Non-overlapping Subnets With ASA 5520

Nov 25, 2011

Our ISP has given us a second range of IPs as we were running out. Unfortunately, they can only give us two non-overlapping ranges. I am running two ASA 5520s in failover to handle our traffic, but I don't know the best way to use both external ranges. This is not a failover scenario -- and I need outward-facing servers on both ranges. It is advantageous to us to keep the two external subnets separating two of our operations, so we don't want to bring everything into one subnet (long story). I have one NIC designated outside that will need to cater for both WANs. As there are two subnets there are two gateways. How do I keep the traffic on track?


Cisco VPN :: 5510 VPN Client With No NAT

Jan 26, 2011

I have a 5510 with a working VPN, but discovered that anyone connecting from a public IP can connect to the VPN but can't go anywhere. So if I have, say, a Linksys WiFi on my cable modem and a private IP, I can connect with no problem. But if I'm on something like a Verizon data card, which gives me a public IP, I can connect to the VPN but receive the below errors in my ASA logs and cannot reach anything on the network. What do I need to add to allow remote ends without a NAT device to also work?


Cisco VPN :: ASA 5510 And PIX 515 VPN Client

Jan 1, 2012

Since last week we are having problems with remote users working with the VPN client on Windows XP. The connection is established but no data traffic occurs.

As we didn't make any change to the VPN remote settings, I did a test from a Linux machine running the VPNC client and it works well. It sounds so weird because it happens only on the Windows client platform. We have a Cisco ASA 5510 and a PIX 515 running 8.0(4).


Cisco VPN :: Unable To SIP Through ASA 5510 Client

Feb 24, 2012

I have configured the VPN client on my ASA 5510.

I am now trying to telnet to my call manager on port 5060 and on port 2000.

When I am connected locally I am able to telnet to both ports, but when I try to connect through the Cisco VPN client I am able to telnet to port 2000 and not able to telnet to 5060. Both ports are on the same call manager.

When using the Windows VPN I am able to telnet to both ports.

If I removed inspect SIP from: policy-map global_policy class inspection_default


Cisco VPN :: Can't Ping Anything From Client - ASA 5510

Nov 15, 2011

I have a VPN client running on a laptop connected to a DSL circuit. The VPN client is configured correctly for an external address on another firewall; this external firewall passes ISAKMP / IPSEC through to an ASA where it terminates. The client authenticates and gets an address from the client pool (VPNCLIENTS - 10.2.16.x/24) and the tunnel completes with no problems. From the internal ASA I can ping any internal network behind the 10.0.3.240 interface (INSIDE), and I have a route on the inside network to get to the 10.2.16.0 clients that points to this address (10.0.3.240). All good so far.
 
Now the problems begin. I can't ping anything from the VPN clients (10.2.16.0) network to anywhere; I can't ping any interface on the ASA or any internal network. I also can't ping the client from the ASA, and therefore not from the internal network either. This is a bare bones configuration, so I don't even have the NAT exemption rules added. Network diagram attached too.
 
interface Ethernet0/0
nameif outside
security-level 0

[Code]......


Cisco VPN :: 5510 Configured Clientless SSL VPN

Aug 9, 2011

I have an ASA 5510 and have configured Clientless SSL VPN on it. Now I need to allow my SSL VPN users to access only a particular application (like mspaint.exe, for example). When the user logs in to the SSL VPN, he should see only the particular application, or must be able to access only the particular application.

Copyrights 2005-15 www.BigResource.com, All rights reserved