VPNs on ASA going to same destination networks using NAT

Unanswered Question
Jul 17th, 2007

I haven't been able to get into the lab to test this yet but was wondering if someone here had a quick answer.

The situation is a customer needs to use an ASA device to set up two L2L vpns. The problem is that at each remote end they have an overlapping address that the ASA side needs to connect to. It's not possible for the remote sides to either NAT this address or change it. I know I can set up outside to inside NAT in this situation, but I've never tried it with two overlapping addresses on the remote end. Or if someone else has a better solution, please let me know.

If you need more clarification, please let me know.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
mattiaseriksson Tue, 07/17/2007 - 05:20

I don't think it is possible. The problem is that you would need to NAT between the ASA and the remote endpoints before it hits the box, because the order of operation from outside to inside is IPSec first, then NAT.

At least in PIX and IOS this would be impossible, but I am not so familiar with the ASA so I could be wrong.

If the remote networks were overlapping it would not be any problem though.


This Discussion