
Please clarify a VPN issue read in this forum?


BobMCT

IS-IT--Management
Sep 11, 2000
756
US
I recently read something that would affect how I continue to build my multiple VPNs. Hopefully someone can clarify my understanding.

When I set up a new VPN tunnel it requires FOUR different IPs:
the remote private subnet, the remote public IP, the local public IP and the local private subnet.

A typical example would be:

Remote private subnet: 10.10.101.0
Remote public IP: 123.45.67.89
Local public IP: 201.201.123.456
Local private subnet: 10.10.100.0

This seems to work even though sometimes some of the remotes have trouble reaching some of the local hosts on the local private subnet.

I read on this forum that ALL the remote local IPs can be the same on different VPN tunnels IF the IP is not NATed.

I interpret that to mean that I could use this scheme:

Remote private subnet: 10.10.100.101
Remote public IP: 123.45.67.89
Local public IP: 201.201.123.456
Local private subnet: 10.10.100.0

This would eliminate any routing issues between the remote and local LANs.

My local VPN endpoint is an ASA5510.

Can someone PLEASE clarify this and explain how one would go about accomplishing this?

BTW - would this apply as well to a pool of VPN tunnels available to off-site remote users?

Thanks all. I appreciate your responses.

In routers, I have always made the VPN pool on the same subnet, and excluded them from the NAT ACL. In an ASA, I am not sure---it should be on a different subnet, but I have found it easier to do it my way.
I can post a router config, and perhaps you can translate into the ASA?

Burt
 
Hi burtsbees,

If you don't mind I'd like to see your sample config as the IOS commands seem to be similar. Nothing like examples to learn.

Thanks.
 
Edge>en
Password:
Edge#sh run
Building configuration...

Current configuration : 5059 bytes
!
! Last configuration change at 17:01:14 CST Fri Apr 4 2008 by xxxxxxxxxxxxxx
! NVRAM config last updated at 17:01:16 CST Fri Apr 4 2008 by xxxxxxxxxxxxxx
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime
service password-encryption
!
hostname Edge
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
logging count
logging userinfo
logging buffered 4096 debugging
logging console errors
enable secret 5 $1$6AV8$GbOo/ZqToB9aGBqn8TGOj/
!
aaa new-model
!
!
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
!
aaa session-id common
!
resource policy
!
clock timezone cst -6
clock summer-time CST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name xxxxxxxxxxxxxxxxxx
ip host Athens 172.16.1.2
ip host Argos 172.16.5.1
ip host Sparta 172.16.3.1
ip host Corinth 172.16.3.1
ip host switch 10.69.69.66
ip ddns update method sdm_ddns1
HTTP
add interval maximum 0 8 0 0
!
username xxxxxxxxxx privilege 15 secret 5 $1$j1lK$2muDeSOGBBX748WPwlsT21
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxxxxxxxx
key xxxxxxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
!
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no snmp trap link-status
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
no ip address
no ip redirects
ip accounting output-packets
ip mtu 1492
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.69.69.1 255.255.255.0
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.68.68.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.67.67.1 255.255.255.0
!
interface Serial0/1
ip address 10.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip virtual-reassembly
ip route-cache flow
no fair-queue
!
interface Dialer0
ip ddns update hostname xxxxxxxxxxxx
ip ddns update sdm_ddns1 host xxxxxxxxxxxxxx
ip address negotiated
no ip redirects
ip accounting output-packets
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map vpn_cmap_1
!
ip local pool vpn_pool_1 10.68.68.69 10.68.68.70
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.0.0 255.255.0.0 10.1.1.1
!
ip flow-top-talkers
top 100
sort-by bytes
cache-timeout 60000
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map vpn_routemap_1 interface Dialer0 overload
!
logging dmvpn
logging history warnings
logging trap debugging
logging source-interface Dialer0
logging server-arp
logging 10.69.69.2
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 deny ip any 10.68.68.68 0.0.0.3
access-list 101 permit ip 10.68.68.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip any any
access-list 102 remark prevent_RFC1918_as_source
dialer-list 1 protocol ip permit
!
!
!
route-map vpn_routemap_1 permit 1
match ip address 101
!
!
!
control-plane
!
banner motd ^C ___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/^C
alias configure pc int fa0/0
!
line con 0
password 7 xxxxxxxxxxxxxxxxx
logging synchronous
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxxx
transport input ssh
!
ntp clock-period 17180371
ntp server 64.113.32.5 source Dialer0
!
end

Burt
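One way to sanity-check the approach Burt's config relies on (VPN pool carved out of the inside LAN, pool addresses excluded from the NAT route-map ACL), as an added Python example that is not from the thread or any Cisco tool: it parses the extended ACL lines and pool range from the config above and confirms that LAN-to-client traffic is exempt from NAT while LAN-to-Internet traffic is still translated. The LAN host 10.68.68.10, the Internet address 203.0.113.1 and the "broken" ACL are constructed test values; only contiguous wildcard masks are handled.

```python
import ipaddress

# Values taken from the posted config; the broken ACL is constructed for contrast.
INSIDE_LAN = ipaddress.ip_network("10.68.68.0/24")      # FastEthernet0/0.10
POOL = ("10.68.68.69", "10.68.68.70")                     # ip local pool vpn_pool_1
NAT_ACL = [
    "access-list 101 deny ip any 10.68.68.68 0.0.0.3",
    "access-list 101 permit ip 10.68.68.0 0.0.0.255 any",
]
BROKEN_ACL = ["access-list 101 permit ip 10.68.68.0 0.0.0.255 any"]  # deny line missing

def _wild_to_net(addr, wild):
    """Convert an IOS 'address wildcard' pair into an ip_network (contiguous wildcards only)."""
    w = int(ipaddress.ip_address(wild))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wild} not supported")
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)

def _parse_addr(tokens, i):
    """Consume one address spec (any | host X | X wildcard) at tokens[i]; return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wild_to_net(tokens[i], tokens[i + 1]), i + 2

def parse_acl(lines):
    """Return [(permit, src_net, dst_net)] for extended 'ip' entries; remarks are skipped."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        rules.append((t[2] == "permit", src, dst))
    return rules

def is_natted(rules, src, dst):
    """First-match like IOS: True if the route-map ACL permits (i.e. NAT applies); implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, snet, dnet in rules:
        if s in snet and d in dnet:
            return permit
    return False

def check_pool_exemption(lan, pool, acl_lines, lan_host="10.68.68.10", internet="203.0.113.1"):
    """Return a list of problems; empty means every pool address is in the LAN and NAT-exempt."""
    rules, problems = parse_acl(acl_lines), []
    first, last = (int(ipaddress.ip_address(p)) for p in pool)
    for n in range(first, last + 1):
        client = ipaddress.ip_address(n)
        if client not in lan:
            problems.append(f"{client} not inside {lan}")
        if is_natted(rules, lan_host, str(client)):   # LAN replies to a VPN client must not translate
            problems.append(f"LAN -> {client} would be NATed")
    if not is_natted(rules, lan_host, internet):       # ordinary Internet traffic must still translate
        problems.append("LAN -> Internet not NATed")
    return problems
```

Running check_pool_exemption(INSIDE_LAN, POOL, NAT_ACL) returns an empty list, while the same call with BROKEN_ACL reports both pool addresses as NATed.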
 
Thank you burtsbees.
Now time to do some studying....
 