Screen OS

  • 1.  VPN ASA cluster to SSG 140

    Posted 06-16-2011 02:45

    Hi,

    I have the following issue:

    ASA cluster ----- Internet ----- SSG140 (single)

    10.10.0.0/16---------------------- 10.10.10.0/24

    A route-based VPN is configured; on both sides the SA is up and running, and debug shows traffic going into the tunnel and the policy being hit, but there is no response from the ASAs.

    I have to configure the proxy IDs on the SSG, otherwise the SA does not become active.

    If the ACL on the Cisco side is changed to (for example) 10.10.20.0/24 to 10.10.10.0/24, these proxy IDs are accepted and a policy-based VPN works fine.

    However, when the ACL on the Cisco side is changed to 10.10.0.0/16 to 10.10.10.0/24, the advertised proxy IDs are the remote IP addresses of both the ASA and the SSG.

    The SSG is running 6.2.0.5r0, the ASAs are running 7.2.2.

    Any suggestions to fix/troubleshoot this?

    Thanks

    Paul



  • 2.  RE: VPN ASA cluster to SSG 140

    Posted 06-16-2011 05:42

    Hi Paul,

    You have overlapping IP addressing because the network behind the SSG is part of the bigger network behind the ASA. You should configure NAT, both src-NAT and dst-NAT, on the tunnel interface of the SSG. This new NAT network should be used in the Cisco's ACL and in the SSG's proxy ID. If there are hosts behind the ASA that are also addressed with 10.10.10.x IPs and should be reachable through the VPN, a NAT for 10.10.10.0/24 should also be configured on the ASA 😞

    A detailed description of a similar case can be found in ScreenOS C&E under the title "VPN Sites with Overlapping Addresses".



  • 3.  RE: VPN ASA cluster to SSG 140
    Best Answer

    Posted 06-17-2011 00:27

    Hi Edouard, thanks for the reply. However, the C-class behind the SSG is not behind the ASA.

    Fixed it by upgrading the SSG to 6.3.0r7, which allows for multiple proxy IDs in the VPN config. The weird part is the ASA advertising both the B-class/C-class and both external addresses as proxy IDs.

    I guess this is due to the overlapping networks, since the C-class is part of the B-class.

    Anyhow, it works 🙂

    Thanks

    Paul
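The thread turns on two things: the phase-2 traffic selectors (proxy IDs) offered by the ASA and configured on the SSG did not mirror each other, and the SSG's 10.10.10.0/24 sits inside the ASA's 10.10.0.0/16. The following Python script is an added example, not code from the thread, Juniper or Cisco: it models each peer's proxy IDs as local/remote network pairs, reports which pairs mirror each other (and so could negotiate an SA), lists the leftovers on each side, and flags selectors whose two networks are nested. The ASA and SSG selector lists are constructed from the addresses in the posts; the gateway pair 192.0.2.1/198.51.100.1 is a placeholder from the documentation ranges, standing in for the "external addresses" Paul saw offered, and is an assumption.

```python
# Added example (not from the thread): compare IPsec phase-2 proxy IDs of two
# peers and flag nested (overlapping) networks, as in the ASA/SSG case above.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class ProxyId:
    """One phase-2 traffic selector as seen from the peer that configures it."""
    local: IPv4Network
    remote: IPv4Network

    @classmethod
    def of(cls, local: str, remote: str) -> "ProxyId":
        return cls(ip_network(local, strict=True), ip_network(remote, strict=True))

    def mirrors(self, other: "ProxyId") -> bool:
        """Two peers agree when B's local is A's remote and vice versa."""
        return self.local == other.remote and self.remote == other.local

    def nested(self) -> bool:
        """True when one network of the selector is contained in the other
        (the 'overlapping addresses' situation from the second post)."""
        return self.remote.subnet_of(self.local) or self.local.subnet_of(self.remote)


def match_selectors(side_a, side_b):
    """Return (matched pairs, unmatched on A, unmatched on B)."""
    matched = [(a, b) for a in side_a for b in side_b if a.mirrors(b)]
    used_a = {a for a, _ in matched}
    used_b = {b for _, b in matched}
    unmatched_a = [a for a in side_a if a not in used_a]
    unmatched_b = [b for b in side_b if b not in used_b]
    return matched, unmatched_a, unmatched_b


def diagnose(side_a, side_b):
    """Summarise whether phase 2 can come up and what would block or confuse it."""
    matched, un_a, un_b = match_selectors(side_a, side_b)
    return {
        "phase2_possible": bool(matched),   # at least one mirrored pair
        "matched": matched,
        "unmatched_a": un_a,                # offered by A, no mirror on B
        "unmatched_b": un_b,                # configured on B, no mirror on A
        "nested": [s for s in side_a + side_b if s.nested()],
    }


# Constructed from the thread: the ASA ACL 10.10.0.0/16 -> 10.10.10.0/24, plus a
# placeholder gateway-to-gateway pair (documentation addresses, an assumption)
# for the external addresses the ASA was seen offering as proxy IDs.
ASA = [
    ProxyId.of("10.10.0.0/16", "10.10.10.0/24"),
    ProxyId.of("192.0.2.1/32", "198.51.100.1/32"),
]
# SSG with the single proxy ID from the 10.10.20.0/24 test: no mirror of the /16.
SSG_BEFORE = [ProxyId.of("10.10.10.0/24", "10.10.20.0/24")]
# SSG after the upgrade that allows several proxy IDs: the /16 mirror is added.
SSG_AFTER = SSG_BEFORE + [ProxyId.of("10.10.10.0/24", "10.10.0.0/16")]


if __name__ == "__main__":
    for label, ssg in (("before", SSG_BEFORE), ("after", SSG_AFTER)):
        report = diagnose(ASA, ssg)
        print(f"{label}: phase2_possible={report['phase2_possible']}")
        for key in ("matched", "unmatched_a", "unmatched_b", "nested"):
            print(f"  {key}: {report[key]}")
```

Run stand-alone it prints the "before" case with no matched pair (phase 2 cannot come up, which is what the first post's debug output reflected) and the "after" case with the /16 pair matched, the placeholder gateway pair left unmatched on the ASA side, and both nested selectors flagged so an operator knows the /24 is carved out of the /16 and routing or NAT for that range needs a deliberate decision.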