VPN overlapping network (2600 -> ASA)

Answered Question
May 19th, 2009

All,

I need to set up NAT for a new company that we purchased. I'll be bringing the tunnel up from the 2600, and it will be terminating into my ASA 5520. Would I only have to worry about one side of the tunnel to NAT?

We route for a 192.168.1.0 network, but the new company is also 192.168.1.0. What I was going to do is to NAT all of their VPN traffic to 10.230.1.0/24 out of their router, but would I need to configure the reverse as well on the ASA, or do I just need to worry about my NAT exemption statements?

Thanks,

John

Jon Marshall Tue, 05/19/2009 - 10:25

John

You will need to NAT both sides. You can do the NAT on the same device if you want, but you still need to NAT both sides.

The reason is -

LAN1 -> ASA <-> 2600 -> LAN2

Let's say you do NAT all LAN2 addresses to 10.230.1.x. Now say a client on LAN2 needs to talk to a client on LAN1. If the client address appears as 10.230.1.x to LAN1 then yes, LAN1 could then route the traffic back. But the problem is that the packet never gets to LAN1. The reason being that the client on LAN2 thinks that the client on LAN1 is on the same network, i.e.

client source IP = 192.168.1.x (before NAT on 2600)

destination source IP = 192.168.1.x

so the client believes the destination is on the same subnet. Now if you could guarantee that the same 192.168.1.x was not in use at both sites it may work, but it's messy and prone to error.

Best thing is to NAT both ends.

If both sides can initiate connections then you will need to use static NATs at either end. If only one side needs to initiate the connection then you need statics at that site and you can use dynamic NAT/PAT at the other.

Jon

John Blakley Tue, 05/19/2009 - 10:28

Thanks Jon. This will be the first time that I've done this, so it's going to be fun researching it :)

John

John Blakley Tue, 05/19/2009 - 10:48

Jon,

This document shows the nat statement as static. Does the ACL prevent the static nat to always be used? I only want the traffic natted when it has to cross the tunnel. I think that's what the acl in this example is doing, but I wanted to make sure.

Thanks,

John

Jon Marshall Tue, 05/19/2009 - 10:52

John

Sorry, but what do you mean by this "Does the ACL prevent the static nat to always be used?"

As a general answer to your query, you may well need to use Policy NAT on both the ASA and the 2600 to make sure the traffic is only NATted if it is going through the tunnel; it's not clear because I don't know what the rest of the config is on your devices.

Jon
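Added example, not from this thread or from the Cisco document John refers to: one way to lay out the two-sided policy NAT Jon describes, in 2009-era syntax (route-map NAT on the IOS 2600, pre-8.3 policy static NAT on the ASA), so that each LAN is only translated for traffic that crosses the tunnel. The 10.230.1.0/24 mapped range is John's; the 10.231.1.0/24 mapped range for LAN1, the interface, ACL, route-map and crypto-map names, and the peer address placeholders are assumptions, and the ISAKMP policy and transform-set definitions are omitted.

```cisco
! ---- 2600 (IOS), LAN2 side: 192.168.1.0/24 is shown to LAN1 as 10.230.1.0/24 ----
! Translate LAN2 only when the destination is LAN1's mapped range (assumed 10.231.1.0/24),
! so LAN2 hosts keep their real addresses for Internet and local traffic
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.231.1.0 0.0.0.255
route-map VPN-NAT permit 10
 match ip address 120
! 1:1 network static, so LAN1 can also initiate connections toward LAN2 hosts
ip nat inside source static network 192.168.1.0 10.230.1.0 /24 route-map VPN-NAT
! Inside->outside NAT runs before the crypto check, so the crypto ACL uses mapped addresses
access-list 110 permit ip 10.230.1.0 0.0.0.255 10.231.1.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer <ASA-outside-ip>
 set transform-set ESP-AES-SHA
 match address 110
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
 crypto map VPN

! ---- ASA 5520 (pre-8.3 syntax), LAN1 side: 192.168.1.0/24 is shown to LAN2 as 10.231.1.0/24 ----
! Policy static NAT: the translation applies only to traffic headed for LAN2's mapped range
access-list LAN1-TO-LAN2 extended permit ip 192.168.1.0 255.255.255.0 10.230.1.0 255.255.255.0
static (inside,outside) 10.231.1.0 access-list LAN1-TO-LAN2
! Do not add this pair to the nat 0 (exemption) ACL: exemption is evaluated first and
! would bypass the policy static, putting untranslated 192.168.1.x into the tunnel
! Crypto ACL again uses the mapped addresses of both ends
access-list VPN-LAN2 extended permit ip 10.231.1.0 255.255.255.0 10.230.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-LAN2
crypto map OUTSIDE-MAP 10 set peer <2600-outside-ip>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

After applying it, `show ip nat translations` on the 2600 and `show xlate` on the ASA should only show entries for the 10.230.1.x / 10.231.1.x pairs, which is the check that the translation is confined to tunnel traffic.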
