04-17-2008 08:05 AM
I am building a site-to-site VPN on my ASA with an organization that is using the same IP space on their LAN. I am thinking about doing static translation for my 10.x.x.x/10 before it hits the VPN tunnel, but I am not really excited about that solution. Does anyone have any other suggestions? Thank you.
04-17-2008 08:12 AM
Vlad
I sympathise with how you feel about this, as NAT is often a last resort, but if you are both using the same address space you really have 2 choices:
1) Readdress one set of clients
2) NAT one set of clients.
1 is very impractical, so that really leaves 2, and unless you can persuade the partner to do the NAT it will have to be done on your firewall.
Jon
04-17-2008 08:36 AM
Jon,
I had that feeling, but I thought maybe there was another way, something magical I can do on the ASA. Thanks for your response.
04-17-2008 09:29 AM
1) Readdress one set of clients
2) NAT one set of clients.
That is not true. If both sides use the same IP addresses, NAT will have to be done on BOTH sides. For example:
LAN_A: 192.168.1.0/24
LAN_B: 192.168.1.0/24
In this example, you will do something like:
When LAN_A goes to LAN_B, you have to NAT the source of LAN_A to 10.0.1.0/24 and the destination of LAN_B to 10.0.2.0/24. When the traffic gets to LAN_B, you keep the source as 10.0.1.0/24 but you have to "de-NAT" the destination from "10.0.2.0/24" back to 192.168.1.0/24.
When LAN_B goes to LAN_A, you have to NAT the source of LAN_B to 10.0.2.0/24 and the destination of LAN_B to 10.0.1.0/24. When the traffic gets to LAN_A, you keep the source as 10.0.2.0/24 but you have to "de-NAT" the destination from "10.0.1.0/24" back to 192.168.1.0/24.
ASA can definitely do this. The issue is the complexity you will have, especially when you have other VPN tunnels on the same ASA firewall, in addition to other NAT/PAT.
CCIE Security
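The double-NAT flow described in the post above, traced hop by hop as an added example (not part of the original thread or any vendor configuration). It models each side's static policy NAT and the "de-NAT" on ingress, and checks that what appears on the wire is what the tunnel's traffic selector must be written against: the mapped ranges 10.0.1.0/24 and 10.0.2.0/24, never the overlapping 192.168.1.0/24. The host addresses are constructed; the network ranges are the ones from the post.

```python
from ipaddress import ip_address, ip_network

# Both LANs use 192.168.1.0/24 (from the post). Side A is presented to B as
# 10.0.1.0/24 and side B is presented to A as 10.0.2.0/24.
LAN = ip_network("192.168.1.0/24")
MAPPED = {"A": ip_network("10.0.1.0/24"), "B": ip_network("10.0.2.0/24")}

def translate(addr, src_net, dst_net):
    """Static one-to-one NAT: keep the host bits, swap the network bits."""
    addr = ip_address(addr)
    if addr not in src_net:
        return addr                      # not subject to this rule
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)

def egress(site, src, dst):
    """Firewall at `site`, packet leaving its LAN: NAT the source only when
    the destination is the peer's mapped range (policy NAT for VPN traffic)."""
    peer = "B" if site == "A" else "A"
    if ip_address(dst) in MAPPED[peer]:
        return str(translate(src, LAN, MAPPED[site])), str(dst)
    return str(src), str(dst)            # non-VPN traffic is left alone

def ingress(site, src, dst):
    """Firewall at `site`, packet arriving from the tunnel: de-NAT the
    destination from this site's mapped range back to the real LAN."""
    return str(src), str(translate(dst, MAPPED[site], LAN))

def tunnel_permits(src, dst):
    """Crypto ACL / traffic selector, which must match the MAPPED addresses."""
    s, d = ip_address(src), ip_address(dst)
    return (s in MAPPED["A"] and d in MAPPED["B"]) or \
           (s in MAPPED["B"] and d in MAPPED["A"])

def round_trip(host_a, host_b):
    """Trace an A->B request and the B->A reply; return what each hop sees."""
    # A host on LAN_A addresses the LAN_B host by its mapped 10.0.2.x address.
    wire_req = egress("A", host_a, str(translate(host_b, LAN, MAPPED["B"])))
    assert tunnel_permits(*wire_req), "request would not match the crypto ACL"
    delivered_req = ingress("B", *wire_req)
    # The LAN_B host replies to the mapped source address it saw.
    wire_rep = egress("B", delivered_req[1], delivered_req[0])
    assert tunnel_permits(*wire_rep), "reply would not match the crypto ACL"
    delivered_rep = ingress("A", *wire_rep)
    return {"wire_request": wire_req, "delivered_request": delivered_req,
            "wire_reply": wire_rep, "delivered_reply": delivered_rep}
```

Because the translation is one-to-one on the host bits, two hosts that share the same 192.168.1.50 address on each side stay distinguishable end to end, which is the whole point of NATing both sides.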
04-17-2008 09:38 AM
David
"If both sides use the same IP addresses, NAT will have to be done on BOTH sides."
Well that's not strictly correct either. It all depends on whether or not both sides need to initiate connections or it is just one side that needs to initiate connections.
We know the ASA can do this but Vlad was asking if there was any other way.
So next time, before you jump in and tell people they are wrong perhaps you could take a moment to ensure what you are saying is right. We all make mistakes and get things wrong but there are perhaps better ways of expressing it.
Lastly, signing out with CCIE Security does nothing, at least for me, to back up your arguments. There are many CCIEs on these forums and none of them seem to feel the need to express it in the way you do.
Jon
04-17-2008 09:54 AM
David
Feeling a complete idiot, as I have now realised that yes, you do need to NAT both sides. I mixed it up with having to statically NAT or dynamically NAT depending on whether both sides need to initiate connections or not.
Sincere apologies for the mistake, and yes, I can see the irony in what I wrote!
Jon
04-17-2008 05:15 PM
Everyone makes mistakes, including myself, many times, I may add.
I remembered the VPN with IP overlap example from the day I worked with a Managed Security Service Provider (MSSP) and I had to do this for a customer. I used Checkpoint on my end but the customer had Cisco Pix on their end. It took me about 5 minutes to set up this scenario on the Checkpoint side. On the Cisco side, it took the customer about 8 hours because they had so many VPNs and NAT. They accidentally took down 20 VPN tunnels on their side because of this double NAT configuration. For a configuration like this, you need to consider it very carefully because you will have to support it later.
Last but not least, I used the "CCIE Security" as a way to poke fun at myself. I am Cisco certified but I spend about 99% of my time working on Checkpoint products. How ironic :-(
04-18-2008 04:53 AM
Hi,
My question is: can I NAT the inside host IP address 172.16.XX.XX to a public IP address? My partner wants to NAT with a public IP; if I don't convince him, then we will end up routing my server 172.17.X.X to a public address through the VPN. Is this recommended? Or can we do a double NAT to make sure that we don't route traffic to a public IP directly, even through the VPN? Please suggest.
04-18-2008 06:50 AM
"My Question is can i NAT the Inside host IP address 172.16.XX.XX to a public IP address. my partner wants to NAT with Public IP,"
Yes, you can.
"server 172.17.X.X to public address through VPN. Is this recommended? Or can we do a double NAT to make sure that we don't route traffic to a public IP directly even through VPN."
You CAN route public IPs over VPN. There are no restrictions on this. You just have to find a way that suits both you and your partner best. Last but not least, keep it simple so that it will be easier to maintain in the future.
my 2c