Manoj,
Since 10.2.2.0/24 exists for both cust1 and cust3, I would take it off the table completely as a part of your encryption domain. Assign both sites a different RFC1918 address range for external communications, site1 (10.2.3.0/24) and site2 (10.2.4.0/24). Then apply your static NATs as follows:
Cust1
access-list policy-nat-cust2-cust3 ext permit ip 10.2.2.0 255.255.255.0 10.2.4.0 255.255.255.0
access-list policy-nat-cust2-cust3 ext permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 10.2.3.0 access-list policy-nat-cust2-cust3
crypto ACL:
access-list vpn_cust2 ext permit ip 10.2.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpn_cust3 ext permit ip 10.2.3.0 255.255.255.0 10.2.4.0 255.255.255.0
The same concept applies for cust3. From cust2's (Nokia CP) perspective, your encryption domain is now 10.2.3.0/24 and 10.2.4.0/24.
Then to see all this in action, from the command prompt break out the packet-tracer. In particular Phase 8 is important, as this is where your translation takes place.
packet-tracer input inside icmp 10.2.2.10 8 0 10.2.4.254 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd675e668, priority=1, domain=permit, deny=false
hits=269513404, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_inside in interface inside
access-list acl_inside extended permit icmp host 10.2.2.10 any echo
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6940118, priority=12, domain=permit, deny=false
hits=3205, user_data=0xd69400d8, cs_id=0x0, flags=0x0, protocol=1
src ip=10.2.2.10, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=2048, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd67603e8, priority=0, domain=permit-ip-option, deny=true
hits=63557295, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd70ec7a8, priority=70, domain=inspect-icmp, deny=false
hits=34540346, user_data=0xd70ec1e8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6760ad8, priority=66, domain=inspect-icmp-error, deny=false
hits=34623880, user_data=0xd6760a08, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.2.3.0 access-list policy-nat-cust2-cust3
match ip inside 10.2.2.0 255.255.255.0 outside 10.2.4.0 255.255.255.0
static translation to 10.2.3.0
translate_hits = 1028010, untranslate_hits = 0
Additional Information:
Static translate 10.2.2.0/0 to 10.2.3.0/0 using netmask 255.255.255.0
Forward Flow based lookup yields rule:
in id=0xd6907c58, priority=5, domain=nat, deny=false
hits=1032212, user_data=0xd6907430, cs_id=0x0, flags=0x0, protocol=0
src ip=10.2.2.0, mask=255.255.255.0, port=0
dst ip=10.2.4.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7e757a0, priority=70, domain=encrypt, deny=false
hits=24687, user_data=0x143ac44c, cs_id=0xd6efc0a8, reverse, flags=0x0, protocol=0
src ip=10.2.3.0, mask=255.255.255.0, port=0
dst ip=10.2.4.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7af97f8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=24752, user_data=0x143b3d44, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.2.4.0, mask=255.255.255.0, port=0
dst ip=10.2.3.0, mask=255.255.255.0, port=0, dscp=0x0
Hope that clears things up.
-ryan
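As an added illustration, not part of Ryan's reply and not Cisco tooling, the Python script below models the two steps his packet-tracer output shows: policy NAT in Phase 8 rewriting a 10.2.2.x source into 10.2.3.x, and the crypto ACL match in Phase 10 being evaluated against the translated address rather than the real one. It parses the ACL lines from the reply (copied here as constructed input), walks a packet through NAT and then crypto-map selection, and checks whether the hub's peer encryption domains overlap before and after the readdressing. The function names, the overlap check and the extra test packets are this example's own assumptions.

```python
import ipaddress

# Configuration lines copied from the reply above (constructed input for this example).
POLICY_NAT_ACL = """
access-list policy-nat-cust2-cust3 ext permit ip 10.2.2.0 255.255.255.0 10.2.4.0 255.255.255.0
access-list policy-nat-cust2-cust3 ext permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
# static (inside,outside) 10.2.3.0 access-list policy-nat-cust2-cust3
STATIC_MAPPED = "10.2.3.0"
STATIC_ACL = "policy-nat-cust2-cust3"

CRYPTO_ACLS = """
access-list vpn_cust2 ext permit ip 10.2.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpn_cust3 ext permit ip 10.2.3.0 255.255.255.0 10.2.4.0 255.255.255.0
"""


def parse_acls(text):
    """Parse 'access-list NAME ext permit ip SRC SMASK DST DMASK' lines.

    Returns {acl_name: [(src_network, dst_network), ...]}; other line shapes are skipped.
    """
    acls = {}
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) < 9 or p[0] != "access-list" or p[3:5] != ["permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)
        dst = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
        acls.setdefault(p[1], []).append((src, dst))
    return acls


def acl_permits(entries, src_ip, dst_ip):
    """True if any (src_net, dst_net) entry covers the source/destination pair."""
    return any(src_ip in s and dst_ip in d for s, d in entries)


def policy_nat(src_ip, dst_ip, nat_entries, mapped_base):
    """Emulate 'static (inside,outside) MAPPED access-list ACL' (packet-tracer Phase 8).

    When the real source and the destination match an ACL entry, the source is rewritten
    into the mapped block using the real network's mask, host bits preserved (assumed
    behaviour modelled on the 'Static translate ... using netmask' line in the trace).
    Traffic that matches no entry is left untranslated.
    """
    for real_net, dst_net in nat_entries:
        if src_ip in real_net and dst_ip in dst_net:
            mapped_net = ipaddress.ip_network(f"{mapped_base}/{real_net.prefixlen}", strict=False)
            offset = int(src_ip) - int(real_net.network_address)
            return ipaddress.ip_address(int(mapped_net.network_address) + offset)
    return src_ip


def trace(src, dst):
    """Walk one packet through policy NAT, then the crypto ACLs, in the firewall's order.

    Returns (translated_source, [names of crypto ACLs that would select the packet]).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_entries = parse_acls(POLICY_NAT_ACL)[STATIC_ACL]
    translated = policy_nat(src_ip, dst_ip, nat_entries, STATIC_MAPPED)
    crypto = parse_acls(CRYPTO_ACLS)
    selected = [name for name, entries in crypto.items()
                if acl_permits(entries, translated, dst_ip)]
    return str(translated), selected


def overlapping_domains(domains):
    """Report peers whose encryption-domain networks overlap, as seen from the hub (cust2).

    domains: {peer_name: [network, ...]}. Returns a list of (peer_a, peer_b, net_a, net_b).
    """
    clashes = []
    names = list(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in domains[a]:
                for nb in domains[b]:
                    if na.overlaps(nb):
                        clashes.append((a, b, str(na), str(nb)))
    return clashes


# Hub view before and after the readdressing proposed in the reply (constructed).
BEFORE = {"cust1": [ipaddress.ip_network("10.2.2.0/24")],
          "cust3": [ipaddress.ip_network("10.2.2.0/24")]}
AFTER = {"cust1": [ipaddress.ip_network("10.2.3.0/24")],
         "cust3": [ipaddress.ip_network("10.2.4.0/24")]}

if __name__ == "__main__":
    print(trace("10.2.2.10", "10.2.4.254"))   # the packet from the reply's packet-tracer run
    print(trace("10.2.2.10", "10.10.10.5"))   # cust1 -> cust2, selects vpn_cust2
    print(trace("10.2.2.10", "192.168.50.1")) # not in the NAT ACL: untranslated, no tunnel
    print("before:", overlapping_domains(BEFORE))
    print("after:", overlapping_domains(AFTER))
```

The point the model makes visible is the ordering: because NAT runs before the crypto map is consulted, a crypto ACL written against the real 10.2.2.0/24 would never match, which is why the reply's vpn_cust2 and vpn_cust3 entries name 10.2.3.0/24 instead. The overlap check is the sanity test to run on the hub's peer list before adding any new spoke.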
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of manoj prajapati
Sent: Wednesday, October 07, 2009 4:01 AM
To: Piotr Matusiak
Cc: cisco_at_groupstudy.com; Cisco certification
Subject: Re: VPN Overlapping issue
Hi Matusiak,
You mean to say static NAT with 10.2.2.0 --- 172.16.1.1 (different
subnet)??
Where do we need to do it: on cust1, cust2 or cust3?
After applying the static NAT (inside, outside), what will be the ACL
entry??
Can you please describe in brief.
Regards,
Manoj
On Wed, Oct 7, 2009 at 1:25 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
> Hi,
>
> Is there any NAT along in the path?
> I think you should perform static NAT on PIX or ASA for all hosts in
> 10.2.2.0 network. Then CheckPoint will see different IP addresses from
> one direction and there will be no conflict anymore.
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
>
>
> 2009/10/7 manoj prajapati <manoj4784_at_gmail.com>:
> > Dear Techie,
> >
> > Having a doubt in site-to-site VPN,
> >
> > I have 3 customers, cust1--- cust2 ---- cust3,
> >
> > the private ip address is ,
> > Cust1 ---- 10.2.2.0 (PIX)
> > Cust2 ---- 10.10.10.0 (Checkpoint Nokia)
> > Cust3 ---- 10.2.2.0 (ASA)
> >
> > connectivity is Cust1 ---- Cust2 ---- Cust3
> > | | |
> > 10.2.2.0 10.10.10.0 10.2.2.0
> >
> > I want to achieve a site-to-site VPN tunnel between Cust1 -- Cust2 & also
> > Cust2 -- Cust3. But here cust1 and cust3 have the same private ip
> > address range. So, when establishing a VPN tunnel in Cust2 with cust2 to
> > cust1 & cust2 to cust3, there will be a conflict between the 10.2.2.0
> > series range.
> >
> > I know that there is an overlapping network. I have seen the cisco site as
> > well
> >
> >
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
> >
> > But this is a somewhat different scenario as I understand.
> >
> > Can anyone help me to resolve the issue?
> > Thanx
> >
> > Regards,
> > Manoj
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
Received on Wed Oct 07 2009 - 08:43:27 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART