Re: VPN Overlapping issue

From: manoj prajapati <manoj4784_at_gmail.com>
Date: Thu, 8 Oct 2009 12:33:29 +0530

Hi Ryan,

    Very good explanation. Done the same as you have said.

Now I am able to ping the customer end (CUST2) server. But *unable to browse
the internet* from Cust1. Is there anything to do with it? Applied and removed
the nonat statement; nothing is happening.

Regards,
Manoj

On 10/7/09, Ryan West <rwest_at_zyedge.com> wrote:
>
> Manoj,
>
> Since 10.2.2.0/24 exists for both cust1 and cust3, I would take it off the
> table completely as a part of your encryption domain. Assign both sites a
> different RFC1918 address range for external communications, site1 (
> 10.2.3.0/24) and site2 (10.2.4.0/24). Then apply your static NATs as
> follows:
>
> Cust1
> access-list policy-nat-cust2-cust3 ext permit ip 10.2.2.0 255.255.255.0
> 10.2.4.0 255.255.255.0
> access-list policy-nat-cust2-cust3 ext permit ip 10.2.2.0 255.255.255.0
> 10.10.10.0 255.255.255.0
> static (inside,outside) 10.2.3.0 access-list policy-nat-cust2-cust3
>
> crypto ACL:
> access-list vpn_cust2 ext permit ip 10.2.3.0 255.255.255.0 10.10.10.0
> 255.255.255.0
> access-list vpn_cust3 ext permit ip 10.2.3.0 255.255.255.0 10.2.4.0
> 255.255.255.0
>
> The same concept applies for cust3. From cust2's (Nokia CP) perspective,
> your encryption domain is now 10.2.3.0/24 and 10.2.4.0/24.
>
> Then to see all this in action, from the command prompt break out the
> packet-tracer. In particular Phase 8 is important, as this is where your
> translation takes place.
>
> packet-tracer input inside icmp 10.2.2.10 8 0 10.2.4.254 detailed
>
> Phase: 1
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0xd675e668, priority=1, domain=permit, deny=false
> hits=269513404, user_data=0x0, cs_id=0x0, l3_type=0x8
> src mac=0000.0000.0000, mask=0000.0000.0000
> dst mac=0000.0000.0000, mask=0000.0000.0000
>
> Phase: 2
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 3
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 0.0.0.0 0.0.0.0 outside
>
> Phase: 4
> Type: ACCESS-LIST
> Subtype: log
> Result: ALLOW
> Config:
> access-group acl_inside in interface inside
> access-list acl_inside extended permit icmp host 10.2.2.10 any echo
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0xd6940118, priority=12, domain=permit, deny=false
> hits=3205, user_data=0xd69400d8, cs_id=0x0, flags=0x0, protocol=1
> src ip=10.2.2.10, mask=255.255.255.255, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=2048, dscp=0x0
>
> Phase: 5
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0xd67603e8, priority=0, domain=permit-ip-option, deny=true
> hits=63557295, user_data=0x0, cs_id=0x0, reverse, flags=0x0,
> protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 6
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> class-map inspection_default
> match default-inspection-traffic
> policy-map global_policy
> class inspection_default
> inspect icmp
> service-policy global_policy global
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0xd70ec7a8, priority=70, domain=inspect-icmp, deny=false
> hits=34540346, user_data=0xd70ec1e8, cs_id=0x0, use_real_addr,
> flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 7
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0xd6760ad8, priority=66, domain=inspect-icmp-error, deny=false
> hits=34623880, user_data=0xd6760a08, cs_id=0x0, use_real_addr,
> flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 8
> Type: NAT
> Subtype:
> Result: ALLOW
> Config:
> static (inside,outside) 10.2.3.0 access-list policy-nat-cust2-cust3
> match ip inside 10.2.2.0 255.255.255.0 outside 10.2.4.0 255.255.255.0
> static translation to 10.2.3.0
> translate_hits = 1028010, untranslate_hits = 0
> Additional Information:
> Static translate 10.2.2.0/0 to 10.2.3.0/0 using netmask 255.255.255.0
> Forward Flow based lookup yields rule:
> in id=0xd6907c58, priority=5, domain=nat, deny=false
> hits=1032212, user_data=0xd6907430, cs_id=0x0, flags=0x0, protocol=0
> src ip=10.2.2.0, mask=255.255.255.0, port=0
> dst ip=10.2.4.0, mask=255.255.255.0, port=0, dscp=0x0
>
> Phase: 9
> Type: NAT
> Subtype: host-limits
> Result: ALLOW
> Config:
>
>
> Phase: 10
> Type: VPN
> Subtype: encrypt
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> out id=0xd7e757a0, priority=70, domain=encrypt, deny=false
> hits=24687, user_data=0x143ac44c, cs_id=0xd6efc0a8, reverse,
> flags=0x0, protocol=0
> src ip=10.2.3.0, mask=255.255.255.0, port=0
> dst ip=10.2.4.0, mask=255.255.255.0, port=0, dscp=0x0
>
> Phase: 11
> Type: VPN
> Subtype: ipsec-tunnel-flow
> Result: ALLOW
> Config:
> Additional Information:
> Reverse Flow based lookup yields rule:
> in id=0xd7af97f8, priority=69, domain=ipsec-tunnel-flow, deny=false
> hits=24752, user_data=0x143b3d44, cs_id=0x0, reverse, flags=0x0,
> protocol=0
> src ip=10.2.4.0, mask=255.255.255.0, port=0
> dst ip=10.2.3.0, mask=255.255.255.0, port=0, dscp=0x0
>
> Hope that clears things up.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> manoj prajapati
> Sent: Wednesday, October 07, 2009 4:01 AM
> To: Piotr Matusiak
> Cc: cisco_at_groupstudy.com; Cisco certification
> Subject: Re: VPN Overlapping issue
>
> Hi Matusiak,
>
> Do you mean static NAT with 10.2.2.0 --- 172.16.1.1 (a different
> subnet)?
> Where do we need to do it: on cust1, cust2 or cust3?
>
> After applying the static NAT (inside, outside), what will be the ACL
> entry?
> Can you please describe it in brief.
>
> Regards,
> Manoj
>
> On Wed, Oct 7, 2009 at 1:25 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>
> > Hi,
> >
> > Is there any NAT along the path?
> > I think you should perform static NAT on PIX or ASA for all hosts in
> > 10.2.2.0 network. Then CheckPoint will see different IP addresses from
> > one direction and there will be no conflict anymore.
> >
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, SEC)
> >
> >
> > 2009/10/7 manoj prajapati <manoj4784_at_gmail.com>:
> > > Dear Techie,
> > >
> > > Having a doubt about site-to-site VPN.
> > >
> > > I have 3 customers, cust1 --- cust2 --- cust3,
> > >
> > > the private IP addresses are:
> > > Cust1 ---- 10.2.2.0 (PIX)
> > > Cust2 ---- 10.10.10.0 (Checkpoint Nokia)
> > > Cust3 ---- 10.2.2.0 (ASA)
> > >
> > > connectivity is  Cust1 ---- Cust2 ---- Cust3
> > >                    |          |          |
> > >                 10.2.2.0  10.10.10.0  10.2.2.0
> > >
> > > I want to achieve a site-to-site VPN tunnel between Cust1 -- Cust2 and
> > > also Cust2 -- Cust3. But here cust1 and cust3 have the same private IP
> > > address range. So, when establishing a VPN tunnel in Cust2 with cust2 to
> > > cust1 & cust2 to cust3, there will be a conflict between the 10.2.2.0
> > > series range.
> > >
> > > I know that there is an overlapping network. Have seen the Cisco site as
> > > well
> > >
> > > http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
> > >
> > > But this is a somewhat different scenario as I understand.
> > >
> > > Can anyone help me to resolve the issue?
> > > Thanks
> > >
> > > Regards,
> > > Manoj
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>

Received on Thu Oct 08 2009 - 12:33:29 ART
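The thread never states in one place why policy NAT resolves the clash, so here is an added illustration (not code from the list, from Ryan, or from Cisco): a small Python model of the Cust1 rules quoted above, walking the two packet-tracer phases that matter, NAT (phase 8) and VPN encrypt (phase 10). The real network 10.2.2.0/24 is taken from the ACL source; the public address 198.51.100.7 used as an internet destination is constructed for the example. It also shows, as a property of the model rather than a diagnosis of the follow-up question, that a packet bound for an address outside the policy ACL is not touched by this static at all and is left to whatever other nat/global rules exist, which the thread does not show.

```python
"""
Model of PIX/ASA policy static NAT in front of crypto ACLs, built from the
Cust1 configuration quoted in the thread. Added illustration, not the list's
own code; assumptions are marked below.
"""
from ipaddress import IPv4Address, ip_address, ip_network


def ace(src, src_mask, dst, dst_mask):
    """One 'permit ip <src> <mask> <dst> <mask>' line as a (src, dst) network pair."""
    return (ip_network(f"{src}/{src_mask}"), ip_network(f"{dst}/{dst_mask}"))


def acl_permits(acl, src, dst):
    """Evaluate an extended ACL made only of permit entries (any line matching is a hit)."""
    return any(src in s and dst in d for s, d in acl)


class PolicyStatic:
    """static (real_if,mapped_if) <mapped_net> access-list <acl>: a one-to-one
    network translation that fires only when the packet matches the ACL."""

    def __init__(self, real_net, mapped_net, acl):
        self.real_net = ip_network(real_net)
        self.mapped_net = ip_network(mapped_net)
        self.acl = acl

    def translate(self, src):
        """Keep the host part of `src` and move it into the mapped network (netmask translation)."""
        offset = int(src) - int(self.real_net.network_address)
        return IPv4Address(int(self.mapped_net.network_address) + offset)


# Cust1 as quoted by Ryan; the real network 10.2.2.0/24 is inferred from the ACL source.
CUST1_POLICY_ACL = [
    ace("10.2.2.0", "255.255.255.0", "10.2.4.0", "255.255.255.0"),    # towards cust3's mapped range
    ace("10.2.2.0", "255.255.255.0", "10.10.10.0", "255.255.255.0"),  # towards cust2
]
CUST1_NAT = PolicyStatic("10.2.2.0/24", "10.2.3.0/24", CUST1_POLICY_ACL)
CUST1_CRYPTO = {
    "vpn_cust2": [ace("10.2.3.0", "255.255.255.0", "10.10.10.0", "255.255.255.0")],
    "vpn_cust3": [ace("10.2.3.0", "255.255.255.0", "10.2.4.0", "255.255.255.0")],
}


def trace(nat, crypto_acls, src, dst):
    """Walk NAT (phase 8) and then VPN encrypt (phase 10) for one inside-to-outside packet.
    Returns whether the policy static fired, the source seen on the outside, and which
    crypto ACL (if any) claims the translated packet."""
    src, dst = ip_address(src), ip_address(dst)
    policy_hit = acl_permits(nat.acl, src, dst)
    # No ACL hit: this static is skipped and other NAT rules (not modelled) decide.
    mapped_src = nat.translate(src) if policy_hit else src
    tunnel = next((name for name, acl in crypto_acls.items()
                   if acl_permits(acl, mapped_src, dst)), None)
    return {"policy_nat": policy_hit, "mapped_src": str(mapped_src), "tunnel": tunnel}


def encryption_domains_overlap(*domains):
    """True if any two networks presented to the hub (cust2) overlap, i.e. the original clash."""
    nets = [ip_network(d) for d in domains]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # The packet-tracer case from the thread: 10.2.2.10 -> 10.2.4.254.
    print(trace(CUST1_NAT, CUST1_CRYPTO, "10.2.2.10", "10.2.4.254"))
    print(trace(CUST1_NAT, CUST1_CRYPTO, "10.2.2.10", "10.10.10.5"))
    # Constructed public destination: no policy-NAT hit, no crypto ACL hit.
    print(trace(CUST1_NAT, CUST1_CRYPTO, "10.2.2.10", "198.51.100.7"))
    print(encryption_domains_overlap("10.2.2.0/24", "10.2.2.0/24"))  # before: cust1 vs cust3
    print(encryption_domains_overlap("10.2.3.0/24", "10.2.4.0/24"))  # after: distinct mapped ranges
```

The ping case reproduces the quoted trace: the source is rewritten to 10.2.3.10 before the crypto ACL is consulted, so the 10.2.3.0/24 to 10.2.4.0/24 entry in vpn_cust3 is what selects the tunnel, and cust2 only ever sees the two mapped ranges.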

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART