SITE TO SITE VPN CONFIGURATION BETWEEN AWS VPC AND CISCO ASA (9.1) WITH SUBNET OVERLAPPING

Site to Site VPN Configuration Between AWS VPC and Cisco ASA (9.1) with subnet overlapping

 

Overview -:

IP subnet overlapping is a very common issue while creating a VPN tunnel with a business partner who is already using same IP address space on the network side. And sometimes, it is very difficult to change the subnet because those IP are being used in production servers farm. If you are facing such incident and looking a solution, please check the below post. This article describes how to build a site-to-site IPsec VPN connection between two networks where IP subnets are being overlapped subnets. 

Note: Subnet overlapping issue only occurs when the IP address/subnet range in two networks are partially or completely the same. VPN traffic between sites with overlapping addresses requires IP address translation (Source Network Address Translation (NAT-src) and Destination Network Address Translation (NAT-dst) in both directions. This is because the source address on outbound traffic, cannot be the same as the destination address on inbound traffic. 

 

  1. Objective-:  Site to Site VPN tunnel needs to create between AWS VPC VPN and Cisco ASA Firewall (9.1) with subnet overlapping.  
  2. Problem Scenario -:  AWS Site subnet is being overlapped with location-A. Since, location-A subnet – 172.16.0.0/16 is being used in their LAN.
  3. Challenges -:  AWS VPC have limitations of configuring Policy-based nating. So, policy-based nat (Source Network Address Translation (NAT-src) and Destination Network Address Translation (NAT-dst) can only be configured on ASA side.

 

How to configure Policy based nat for source and destination on ASA (9.1)

Original Subnet -:

  • AWS VPN Subnet – 172.16.17.0/24
  • Location-A VPN subnet – 172.16.5.0/24  – (172.16.0.0/16 is being used at Location-A LAN)  

Encryption domain -:

  • AWS Side Encryption domain -: 172.16.17.29/32 , 172.16.17.55/32
  • Location-A Side Encryption domain -: 172.16.5.3/32 , 172.16.5.10/32 , 172.16.5.10/32 , 172.16.5.16/32


Source NAT Translation-:

172.16.5.3  <-> 192.168.254.3
172.16.5.10 <-> 192.168.254.10
172.16.5.36 <-> 192.168.254.36
172.16.5.16 <-> 192.168.254.16

Destination NAT Translation-:

172.16.17.29 <-> 192.168.253.29
172.16.17.55 <-> 192.168.253.55           

 

How to configure Policy based nat for source and destination on ASA (9.1)

  • Create network object for Location-A as mentioned below -:
object network IP-172.16.5.3
host 172.16.5.3

object network IP-172.16.5.10
host 172.16.5.10

object network IP-172.16.5.36
host 172.16.5.36

object network IP-172.16.5.16
host 172.16.5.16
  • Create network object for Source NAT IP for Location-A
object network NATIP-for-172.16.5.3
host 192.168.254.3

object network NATIP-for-172.16.5.10
host 192.168.254.10

object network NATIP-for-172.16.5.36
host 192.168.254.36

object network NATIP-for-172.16.5.16
host 192.168.254.16
  • Create network object for AWS subnet
object network obj-AWS-subnet
subnet 172.16.17.0  255.255.255.0
  • Create network object for AWS IP
object network AWS-IP-172.16.17.29
host 172.16.17.29

object network AWS-IP-172.16.17.55
host 172.16.17.55
  • Create network object for Destination NAT IP for AWS
object network NATIP-AWS-172.16.17.29
host 192.168.253.29

object network NATIP-AWS-172.16.17.55
host 192.168.253.55
  • Configure Source Policy based static NAT for location-A IP
nat (Inside,Outside) source static IP-172.16.5.3 NATIP-for-172.16.5.3 destination static NATIP-AWS-172.16.17.29 AWS-IP-172.16.17.29
nat (Inside,Outside) source static IP-172.16.5.3 NATIP-for-172.16.5.3 destination static NATIP-AWS-172.16.17.55 AWS-IP-172.16.17.55
nat (Inside,Outside) source static IP-172.16.5.10 NATIP-for-172.16.5.10 destination static NATIP-AWS-172.16.17.29 AWS-IP-172.16.17.29
nat (Inside,Outside) source static IP-172.16.5.10 NATIP-for-172.16.5.10 destination static NATIP-AWS-172.16.17.55 AWS-IP-172.16.17.55
nat (Inside,Outside) source static IP-172.16.5.36 NATIP-for-172.16.5.36 destination static NATIP-AWS-172.16.17.29 AWS-IP-172.16.17.29
nat (Inside,Outside) source static IP-172.16.5.36 NATIP-for-172.16.5.36 destination static NATIP-AWS-172.16.17.55 AWS-IP-172.16.17.55
nat (Inside,Outside) source static IP-172.16.5.16 NATIP-for-172.16.5.16 destination static NATIP-AWS-172.16.17.29 AWS-IP-172.16.17.29
nat (Inside,Outside) source static IP-172.16.5.16 NATIP-for-172.16.5.16 destination static NATIP-AWS-172.16.17.55 AWS-IP-172.16.17.55
  • Configure Destination policy based static NAT for AWS IP
nat (outside,inside) source static AWS-IP-172.16.17.29  NATIP-AWS-172.16.17.29  destination static obj-AWS-subnet obj-AWS-subnet 
nat (outside,inside) source static AWS-IP-172.16.17.55  NATIP-AWS-172.16.17.55  destination static obj-AWS-subnet obj-AWS-subnet
  • Access-list acl-test extended permit ip any object obj-AWS-subnet
access-list acl-test extended permit ip any object obj-AWS-subnet
  • Configure Crypto MAP for VPN
crypto map VPN-MAP 4 match address acl-test
crypto map VPN-MAP 4 set pfs group2
crypto map VPN-MAP 4 set peer 1.1.1.1
crypto map VPN-MAP 4 set ikev1 transform-set test
crypto map VPN-MAP 4 set security-association lifetime seconds 3600
  • Configure Tunnel-group
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key ***************
isakmp keepalive threshold 10 retry 3

 

Tag -:  VPN Subnet Overlapping , Site to site vpn configuration , IPsec vpn

Author: Ronnie

Leave a Reply