How to Configure User Authentication with Overlapping Networks

In virtual routing, you can configure multiple virtual routers with overlapping IP addresses and overlapping users. In this example, VRG and VRB are the virtual routers with the overlapping IP address 192.168.1.1/24. The users in the two different domains are also on the overlapping network IP address 192.168.1.20. For the VRG and VRB users to access the shared server 172.16.10.X, leak routes to the global virtual router, and use source NAT to handle the overlapping IP addresses. To control the access of the VRG and VRB users, you must set up user authentication in management center. Management center uses realms, Active Directories, identity sources, and identity rules and policies to authenticate user identity. Because threat defense does not have a direct role in authenticating users, user access is managed only through the access control policy. To control traffic from the overlapping users, use an identity policy and identity rules to create the access control policy.

Before you begin

This example assumes that you have:

  • Two AD servers for the VRG and VRB users.

  • ISE with the two AD servers added.

Procedure


Step 1

Configure the inside interface of the device for VRG:

  1. Choose Devices > Device Management > Interfaces.

  2. Edit the interfaces that you want to assign to VRG:

    • Name—For this example, VRG-inside.

    • Select the Enabled checkbox.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Enter 192.168.1.1/24.

  3. Click Ok.

  4. Click Save.

Step 2

Configure the inside interface of the device for VRB:

  1. Choose Devices > Device Management > Interfaces.

  2. Edit the interfaces that you want to assign to VRB:

    • Name—For this example, VRB-inside.

    • Select the Enabled checkbox.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Leave it blank. The system does not allow you to configure two interfaces with the same IP address, because you have not yet created the user-defined virtual routers.

  3. Click Ok.

  4. Click Save.

Step 3

Configure VRG and leak a static default route to the inside interface of the global router so that the VRG users can access the shared server 172.16.10.1:

  1. Choose Devices > Device Management, and edit the threat defense device.

  2. Choose Routing > Manage Virtual Routers. Click Add Virtual Router and create VRG.

  3. For VRG, in Virtual Router Properties, assign VRG-inside and save.

  4. Click Static Route.

  5. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select the inside interface of the global router.

    • Network—Select the any-ipv4 object.

    • Gateway—Leave it blank. When leaking a route into another virtual router, do not select a gateway.

  6. Click Ok.

  7. Click Save.

Step 4

Configure VRB and leak a static default route to the inside interface of the global router so that the VRB users can access the shared server 172.16.10.x:

  1. Choose Devices > Device Management, and edit the threat defense device.

  2. Choose Routing > Manage Virtual Routers. Click Add Virtual Router and create VRB.

  3. For VRB, in Virtual Router Properties, assign VRB-inside and save.

  4. Click Static Route.

  5. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select the inside interface of the global router.

    • Network—Select the any-ipv4 object.

    • Gateway—Leave it blank. When leaking a route into another virtual router, do not select a gateway.

  6. Click Ok.

  7. Click Save.

Step 5

Revisit the VRB-inside interface configuration:

  1. Choose Devices > Device Management > Interfaces.

  2. Click Edit against the VRB-inside interface. Specify the IP Address as 192.168.1.1/24. The system now allows you to configure the same IP address as that of VRG-inside, because the interfaces are separately assigned to two different virtual routers.

  3. Click Ok.

  4. Click Save.

Step 6

Add NAT rules for the source objects VRG and VRB. Click Devices > NAT.

Step 7

Click New Policy > Threat Defense NAT.

Step 8

Enter a NAT policy name, and select the threat defense device. Click Save.

Step 9

In the NAT page, click Add Rule and define the following source NAT for VRG:

  • NAT Rule—Select Manual NAT Rule.

  • Type—Select Static.

  • Insert—Select Above, if any NAT rule exists.

  • Click Enabled.

  • In Interface Objects, select VRG-Inside object and click Add to Source (If the object is not available, create one in Object > Object Management > Interface), and select Global-Inside object and click Add to Destination.

  • In Translation, select the following:

    • For Original Source, select VRG-Users.

    • For Translated Source, click Add and define an object named VRG-NAT with the address 10.1.1.1. Select VRG-NAT, as shown in the following figure:

Step 10

Click Ok.

Step 11

In the NAT page, click Add Rule and define the following source NAT for VRB:

  • NAT Rule—Select Manual NAT Rule.

  • Type—Select Static.

  • Insert—Select Above, if any NAT rule exists.

  • Click Enabled.

  • In Interface Objects, select VRB-Inside object and click Add to Source (If the object is not available, create one in Object > Object Management > Interface), and select Global-Inside object and click Add to Destination.

  • In Translation, select the following:

    • For Original Source, select VRB-Users.

    • For Translated Source, click Add and define an object named VRB-NAT with the address 20.1.1.1. Select VRB-NAT, as shown in the following figure:

Step 12

Click Save.

The NAT rule looks like this:

Step 13

Add the two AD servers in management center, one each for the VRG and VRB users: choose System > Integration > Realms.

Step 14

Click New Realm and complete the fields. For detailed information on the fields, see Realm Fields.

Step 15

To control the access of the VRG and VRB users, define two Active Directory realms. See Realm Directory and Synchronize Fields, and Create an LDAP Realm or an Active Directory Realm.

Step 16

Add ISE in management center: choose System > Integration > Identity Sources.

Step 17

Click Identity Services Engine and complete the fields. For detailed information on the fields, see How to Configure ISE/ISE-PIC for User Control Using a Realm.

Step 18

Create an identity policy and identity rules, and then define an access control policy that controls the access of the overlapping users from VRG and VRB.
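The following Python model is an added illustration and is not part of the Cisco guide or the threat defense code. It shows why the leaked default route plus the per-interface source NAT from the steps above let the global router distinguish two hosts that both use 192.168.1.20, and how an identity rule keyed on the realm, not the IP address, then decides access. Interface, object and address values come from the procedure; the realm names, the VRG-Users and VRB-Users host definitions, and the allow/deny policy are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    ingress_vrf: str   # virtual router the packet arrives in (VRG or VRB)
    src: str           # original source IP
    dst: str           # destination IP (the shared server)
    user: str          # identity learned via ISE, written as "realm\\user"

# Static routes per virtual router. The leaked default route (Steps 3 and 4)
# points at an interface of the global router and carries no gateway.
ROUTES = {
    "VRG": [(ip_network("0.0.0.0/0"), "Global-inside")],
    "VRB": [(ip_network("0.0.0.0/0"), "Global-inside")],
}

# Manual static source NAT (Steps 9 and 11), matched on the source and
# destination interface objects. VRG-Users / VRB-Users are constructed here
# as the overlapping host 192.168.1.20 in each virtual router.
NAT_RULES = [
    ("VRG-inside", "Global-inside", ip_network("192.168.1.20/32"), "10.1.1.1"),  # VRG-Users -> VRG-NAT
    ("VRB-inside", "Global-inside", ip_network("192.168.1.20/32"), "20.1.1.1"),  # VRB-Users -> VRB-NAT
]

# Constructed identity-based access control: decisions are keyed on the realm
# (one realm per AD server, Step 13), never on the overlapping address.
ACCESS_RULES = {"VRG-realm": "allow", "VRB-realm": "deny"}

def forward(flow: Flow) -> dict:
    """Return the egress interface, the translated source and the access decision."""
    ingress_if = f"{flow.ingress_vrf}-inside"
    dst = ip_address(flow.dst)
    # Route lookup inside the ingress virtual router; the only match is the leaked default.
    egress_if = next((intf for net, intf in ROUTES[flow.ingress_vrf] if dst in net), None)
    if egress_if is None:
        return {"egress": None, "src": flow.src, "action": "drop"}
    # Source NAT is selected by the (ingress, egress) interface pair, so the same
    # original address maps to a different translated address per virtual router.
    translated = flow.src
    for src_if, dst_if, original, mapped in NAT_RULES:
        if src_if == ingress_if and dst_if == egress_if and ip_address(flow.src) in original:
            translated = mapped
            break
    realm = flow.user.split("\\")[0]
    return {"egress": egress_if, "src": translated, "action": ACCESS_RULES.get(realm, "deny")}
```

Running `forward` for a VRG user and a VRB user that share 192.168.1.20 yields 10.1.1.1 and 20.1.1.1 respectively, which is what the shared server behind the global router sees.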