Overlapping IPSec Tunnel between an ASA and Router

Unanswered Question
Nov 12th, 2007

Please help, this is really an emergency.

I've gone through 7 Cisco techs (escalation team, backbone team, etc., etc.) and no luck.

Network behind ASA 7.2 is

Network behind IOS 1841 is

Packets originating at IOS side and destined to ASA should look to ASA inside hosts as coming from the network.

Packets originating at ASA side and destined to 1841 inside network should be going to the fake network which in turn should go to the real network.

Cisco seems unable to accomplish this for as much as they want to.

The ASA side hasn't been touched, except that it has been properly configured for the crypto tunnel, and all is well.

The "faking" should be done at the 1841, and no matter what they try, it does not work.

The ASA has lots of IPSec tunnels to other networks and one of them includes a, so this is why we can't use this to reach the 1841 side from the ASA.

The closest we've been with Cisco is that they were able to ping the networks (the 1841 side was successfully pinging 10.21.30.x and the ASA side was successfully pinging ), BUT every time they got it this way, inside hosts on the 1841 network were not able to get out to the internet.

Please help

dradhika (Cisco Employee) Mon, 11/12/2007 - 20:34

Have you tried applying NAT on 1841 for the traffic going from inside 1841 to inside of ASA device?



insccisco Mon, 11/12/2007 - 21:15

yes, that is being done. We can NAT anything from to but from there it does not do anything else.

dradhika (Cisco Employee) Tue, 11/13/2007 - 03:56

You mean that NAT is working?

When a packet is sent from the inside to the other end of the tunnel, is there an entry in the translation table?



david.barroso Thu, 11/15/2007 - 05:10

I suggest you use a crypto map to apply the NAT on the Cisco router. I have done this without any problem in the past.

ASA's side:

1841's side:


For example:

access-list 120 permit ip
access-list 120 permit ip
ip nat inside source static route-map NAT
route-map NAT permit 50
 match ip address 120


insccisco Mon, 11/26/2007 - 07:26

David, I don't understand. Why do you have the statement

ip nat inside source static route-map NAT


I need the entire inside network behind the 1841 router ( in your example) to send requests to the fake network ( in your example). This in turn will deliver the packets to the other side of the tunnel ( in your example).

That is the exact end result that I need: the inside network behind the ASA needs to know ONLY about when communicating with the inside network of the 1841 router.

Please help

insccisco Tue, 11/27/2007 - 10:45

I just tried this and it works but the only thing is that it lets me access only one single host at the 1841 side.

So from the ASA side ( I can successfully ping (the fake address). And this is only one way, as I can't ping anything on the ASA side from the 1841 side.

I also tried

ip nat inside source static network /24 no-alias

and it works. This of course does not use any route maps, and it also seems to mess up my single-IP NAT statement, which currently NATs my entire inside network to the single public IP address on the outside interface.

Any help?
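The combination the thread circles around, written out as one added 1841 configuration (constructed for this page, not posted by anyone in the thread): David's route-map idea applied to a whole network instead of one host, plus the overload PAT kept from colliding with it, which is the breakage the last post describes. All addresses except the 10.21.30.x subnet mentioned above are placeholders, the ISAKMP policy is left out, and the `route-map` keyword on the `static network` form is assumed to be supported on the router's IOS release (the thread only confirmed it for the per-host `static` form).

```cisco
! Added example (constructed), not a config from this thread. Placeholders:
!   10.1.1.0/24     real LAN behind the 1841        (PLACEHOLDER)
!   192.0.2.0/24    "fake" LAN the ASA side sees    (PLACEHOLDER)
!   10.21.30.0/24   LAN behind the ASA              (subnet from the ping test above)
!   198.51.100.1    ASA outside address             (PLACEHOLDER)
!   Fa0/0 = outside, Fa0/1 = inside
!
! ACL 120: only packets from the real LAN towards the ASA LAN get the fake address.
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.21.30.0 0.0.0.255
!
! ACL 110: the internet PAT must exclude the VPN traffic so the two NAT rules
! never compete for the same source host.
access-list 110 deny   ip 10.1.1.0 0.0.0.255 10.21.30.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
!
! ACL 130: the crypto ACL is written against the FAKE network. On IOS the
! inside-to-outside NAT runs before the crypto map is consulted, so the ASA
! only ever sees 192.0.2.x and its own overlapping tunnel is never involved.
access-list 130 permit ip 192.0.2.0 0.0.0.255 10.21.30.0 0.0.0.255
!
route-map VPN-NAT permit 10
 match ip address 120
!
! Static NETWORK mapping keeps the host part (10.1.1.25 <-> 192.0.2.25) and,
! being static, lets the ASA side open connections to 192.0.2.x. The route-map
! limits it to ASA-bound traffic; without it every packet from 10.1.1.0/24,
! internet-bound included, is rewritten, which is what broke the overload PAT.
! (route-map on the "static network" form: assumed supported on this IOS release)
ip nat inside source static network 10.1.1.0 192.0.2.0 /24 route-map VPN-NAT
!
! Everything else from the LAN is PAT'd to the outside interface address.
ip nat inside source list 110 interface FastEthernet0/0 overload
!
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 130
!
interface FastEthernet0/0
 ip nat outside
 crypto map VPNMAP
!
interface FastEthernet0/1
 ip nat inside
```

On the ASA the matching crypto ACL and its NAT exemption must reference 192.0.2.0/24, never the real 10.1.1.0/24, otherwise the ASA's existing tunnel for the overlapping subnet wins the crypto match; `show ip nat translations` on the 1841 should then show 10.1.1.x to 192.0.2.x entries only for ASA-bound flows.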
