
OVERLAPPING SUBNET IPSEC VPN

This blog post provides a networking example that simulates two different companies using the same IP addressing scheme. Two routers are connected by an IPsec VPN tunnel, and the networks behind each router are identical. For one site to reach hosts at the other site, Network Address Translation (NAT) with a route map is used on the routers to translate both the source and the destination addresses to different, non-overlapping subnets.



TEST RTR CONFIGURATION

IKE PHASE I 

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 202.45.144.123


IKE PHASE II 

crypto ipsec transform-set set-test esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.45.144.123
 set transform-set set-test
 match address IPSEC-VPN
 reverse-route static

NAT CONFIG 

ip nat inside source static network 10.112.112.0 172.16.2.0 /24

Note: because the local subnet is the same at both ends, NAT must be performed; otherwise it would not be required.

ACCESS-LIST 

ip access-list extended IPSEC-VPN
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

MOF RTR CONFIGURATION

IKE PHASE I 

crypto isakmp policy 81
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 202.166.195.212


IKE PHASE II 

crypto ipsec transform-set set-mof esp-des esp-sha-hmac
crypto map mymap 81 ipsec-isakmp
 set peer 202.166.195.212
 set transform-set set-mof
 match address VPN-MAX
 reverse-route static

ACCESS-LIST 

Extended IP access list VPN-MAX
 10 permit ip 172.16.1.0 0.0.0.255 host 172.16.2.10

NAT 

ip nat inside source static 10.112.112.16 172.16.1.16

NOTE: NAT is being used because the local subnet is the same at both ends.

One-to-one NAT is currently being performed on both sides for the addresses to be translated. This can cause problems if the same routers are also paired with other remote sites, or if that particular machine also needs to reach the internet, because the translation applies to all of its traffic. To overcome this, a route map must be used, with a new ACL defined and called from the route map so that the translation applies only to the VPN traffic.

ACCESS-LIST FOR ROUTE MAP
Extended IP access list VPN-SCB-TEST
    10 permit ip 10.112.112.0 0.0.0.255 host 172.16.2.10

172.16.2.10 is the remote NAT'd IP, which will be the source IP if the traffic is initiated from the TEST RTR side.

ROUTE MAP 
route-map RM-STATIC-NAT permit 10
 match ip address VPN-SCB-TEST


NAT with Route MAP

ip nat inside source static 10.112.112.16 172.16.1.16 route-map RM-STATIC-NAT

I have only demonstrated the NAT with route map example on one of the sites, but the route map needs to be placed on both sides.
