Cisco ASA Overlapping Networks

Let’s imagine this scenario: we are in charge of company “Popravak Inc” and need to establish some kind of connection to company “Vidovic Ltd”. Both sides use a Cisco ASA for Internet connectivity. But there is a catch: the resources on both sides that need to be reachable from the other company are located in the same subnet. This is known as “overlapping networks”. Let’s take a look at the diagram:

In this scenario routers R1 and R2 act as the PCs or servers that need to communicate with each other. But when R1 tries to connect to R2 it is unable to do so: both routers have the same IP address (10.0.1.1), so R1 would simply connect to itself. The same goes when R2 tries to connect to R1.

So, how do we solve this problem? The idea is this: both sides agree on two networks to be used for this purpose as NATed (translated) networks. “Popravak Inc” will use 20.0.2.1 to reach R2, and “Vidovic Ltd” will use 20.0.1.1 to reach R1.

Here is the traffic flow:

1. R1 telnets to 20.0.2.1. So, the source IP is 10.0.1.1 and the destination is 20.0.2.1.
2. The packet is routed to ASA1.
3. On ASA1 we have “static (inside,outside) 20.0.1.0 10.0.1.0 netmask 255.255.255.0”, so the source IP gets translated to 20.0.1.1 while the destination IP remains 20.0.2.1. This packet gets routed to ASA2.
4. The packet arrives at ASA2. On ASA2 we have “static (inside,outside) 20.0.2.0 10.0.1.0 netmask 255.255.255.0”, so the destination IP address gets changed from 20.0.2.1 to 10.0.1.1.
5. ASA2 sends this packet to R2’s IP address 10.0.1.1.

Here is the telnet session example:

R1#
R1#telnet 20.0.2.1
Trying 20.0.2.1 ... Open

User Access Verification

Password:
R2>en
Password:
R2#
R2#who
Line User Host(s) Idle Location
0 con 0 idle 00:57:49
* 98 vty 0 idle 00:00:00 20.0.1.1

Interface User Mode Idle Peer Address

R2#exit

[Connection to 20.0.2.1 closed by foreign host]
R1#

Same goes for traffic from R2 to R1.

Access lists on both ASAs are letting only ICMP and Telnet traffic for the sake of this demo.
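To make the five-step flow and the ACL behaviour concrete, here is a small Python model of the two static translations and the O_I access lists taken from the configs below. It is an added example, not part of the original post or of any Cisco tool; the /24 host-preserving translation and the "ACL on outside matches the untranslated destination" rule reflect the pre-8.3 syntax (nat-control, global, static) these configs use.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 23          # telnet, the only TCP port the demo ACLs permit

@dataclass(frozen=True)
class Asa:
    name: str
    mapped: str              # "static (inside,outside) MAPPED REAL netmask 255.255.255.0"
    real: str
    acl: tuple               # O_I entries as (proto, src_net, dst_net, dport or None)

def translate(ip, from_net, to_net):
    """Static /24 translation: swap the network part, keep the host part (.1 stays .1)."""
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    a = ipaddress.ip_address(ip)
    if a not in f:
        return ip
    return str(t.network_address + (int(a) - int(f.network_address)))

def acl_permits(acl, pkt):
    """On pre-8.3 code the outside ACL sees the still-untranslated (mapped) destination."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for proto, src_net, dst_net, dport in acl:
        if (proto == pkt.proto and s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (dport is None or dport == pkt.dport)):
            return True
    return False             # implicit deny at the end of every ASA access-list

def trace(pkt, src_asa, dst_asa):
    """Steps 1-5 of the article: inside host -> own ASA (source NAT) -> peer ASA (ACL, then
    destination NAT). Returns the packet as delivered to the far host, or None if dropped."""
    on_wire = replace(pkt, src=translate(pkt.src, src_asa.real, src_asa.mapped))    # step 3
    if not acl_permits(dst_asa.acl, on_wire):        # access-group O_I in interface outside
        return None
    return replace(on_wire, dst=translate(on_wire.dst, dst_asa.mapped, dst_asa.real))  # step 4

# Constructed from the two configs on this page
ASA1 = Asa("ASA1", "20.0.1.0/24", "10.0.1.0/24",
           (("tcp", "20.0.2.0/24", "20.0.1.0/24", 23), ("icmp", "20.0.2.0/24", "20.0.1.0/24", None)))
ASA2 = Asa("ASA2", "20.0.2.0/24", "10.0.1.0/24",
           (("tcp", "20.0.1.0/24", "20.0.2.0/24", 23), ("icmp", "20.0.1.0/24", "20.0.2.0/24", None)))

if __name__ == "__main__":
    print(trace(Packet("10.0.1.1", "20.0.2.1"), ASA1, ASA2))            # R1 telnets to R2
    print(trace(Packet("10.0.1.1", "20.0.2.1", dport=22), ASA1, ASA2))  # ssh: dropped by O_I
```

The delivered packet for the R1 to R2 case carries source 20.0.1.1, which is exactly the Location that R2’s `who` output shows in the session above.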

Now, the configs:

ASA1
!
hostname ASA1
domain-name popravak.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 4.2.2.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name popravak.com
access-list O_I extended permit tcp 20.0.2.0 255.255.255.0 20.0.1.0 255.255.255.0 eq telnet
access-list O_I extended permit icmp 20.0.2.0 255.255.255.0 20.0.1.0 255.255.255.0
pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 4.2.2.11-4.2.2.20
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 20.0.1.0 10.0.1.0 netmask 255.255.255.0
access-group O_I in interface outside
route outside 0.0.0.0 0.0.0.0 4.2.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
end

ASA2
!
hostname ASA2
domain-name vidovic.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 4.2.2.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name vidovic.com
access-list O_I extended permit tcp 20.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0 eq telnet
access-list O_I extended permit icmp 20.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 4.2.2.21-4.2.2.30 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 20.0.2.0 10.0.1.0 netmask 255.255.255.0
access-group O_I in interface outside
route outside 0.0.0.0 0.0.0.0 4.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
end

By the end of this article we have come to the realization that sending cleartext traffic over the Internet is a bad idea, so in the next article we are going to modify this example by wrapping the communication in an IPsec VPN.

So, stay with me 🙂
