417 Views, 0 Helpful, 5 Replies

VPN overlapping network (2600 -> ASA)

John Blakley, VIP Alumni

All,

I need to set up NAT for a new company that we purchased. I'll be bringing the tunnel up from the 2600, and it will be terminating into my ASA 5520. Would I only have to worry about one side of the tunnel to NAT?

We route for a 192.168.1.0 network, but the new company is also 192.168.1.0. What I was going to do is to NAT all of their VPN traffic to 10.230.1.0/24 out of their router, but would I need to configure the reverse as well on the ASA, or do I just need to worry about my NAT exemption statements?

Thanks,

John

HTH, John *** Please rate all useful posts ***
1 Accepted Solution
5 Replies

Jon Marshall, Hall of Fame

John

You will need to NAT both sides. You can do the NAT on the same device if you want, but you still need to NAT both sides.

The reason is -

LAN1 -> ASA <-> 2600 -> LAN2

Let's say you do NAT all LAN2 addresses to 10.230.1.x. Now say a client on LAN2 needs to talk to a client on LAN1. If the client address appears as 10.230.1.x to LAN1 then yes, LAN1 could then route the traffic back. But the problem is that the packet never gets to LAN1. The reason being that the client on LAN2 thinks that the client on LAN1 is on the same network, i.e.

client source IP = 192.168.1.x (before NAT on 2600)

destination IP = 192.168.1.x

so the client believes the destination is on the same subnet. Now if you could guarantee that the same 192.168.1.x was not in use at both sites it may work, but it's messy and prone to error.

Best thing is to NAT both ends.

If both sides can initiate connections then you will need to use static NATs at either end. If only one side needs to initiate the connection then you need statics at that site and you can use dynamic NAT/PAT at the other.

Jon

Thanks Jon. This will be the first time that I've done this, so it's going to be fun researching it :)

John

HTH, John *** Please rate all useful posts ***

Jon,

This document shows the NAT statement as static. Does the ACL prevent the static NAT to always be used? I only want the traffic NATed when it has to cross the tunnel. I think that's what the ACL in this example is doing, but I wanted to make sure.

Thanks,

John

HTH, John *** Please rate all useful posts ***

John

Sorry, but what do you mean by this: "Does the ACL prevent the static NAT to always be used?"

As a general answer to your query, you may well need to use Policy NAT on both the ASA and the 2600 to make sure the traffic is only NATed if it is going through the tunnel. It's not clear, because I don't know what the rest of the config is on your devices.

Jon
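
The two-sided, policy-based translation Jon describes (NAT at both ends in his first reply, and translating only tunnel-bound traffic in his last one) looks like this as an added configuration example. It is not from the original thread or from any Cisco document the thread links to. Assumptions: the ASA runs 8.3 or later (object/twice-NAT syntax; pre-8.3 would use `static (inside,outside) ... access-list` policy statics instead), the 2600's IOS accepts `route-map` on a static network NAT entry (conditional static NAT), LAN1 behind the ASA is presented to the new company as 10.230.2.0/24 (the thread only names 10.230.1.0/24 for LAN2), and all interface names, peer addresses, object names and the transform set are made up. ISAKMP policy and pre-shared keys are omitted.

```cisco
!=== Site B: 2600 (LAN2 = 192.168.1.0/24, shown to Site A as 10.230.1.0/24) ===
interface FastEthernet0/0
 description LAN2 (192.168.1.0/24, overlaps with LAN1 behind the ASA)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description WAN toward the ASA (203.0.113.2 is an example address)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map ASA_MAP
!
! Policy: translate 192.168.1.0/24 -> 10.230.1.0/24 ONLY when the destination
! is LAN1's translated range. Anything else (Internet, etc.) is untouched,
! which is the point of John's ACL question.
ip access-list extended TO-LAN1-TRANSLATED
 permit ip 192.168.1.0 0.0.0.255 10.230.2.0 0.0.0.255
!
route-map VPN-NAT permit 10
 match ip address TO-LAN1-TRANSLATED
!
! Static one-to-one network translation (static, not dynamic, so LAN1 can
! initiate to 10.230.1.x as Jon notes). "route-map" on a static network NAT
! is an assumption about the IOS feature set on this 2600.
ip nat inside source static network 192.168.1.0 10.230.1.0 /24 route-map VPN-NAT
!
! On IOS, inside-to-outside NAT happens before encryption, so the crypto
! ACL must match the TRANSLATED addresses on both sides.
ip access-list extended VPN-INTERESTING
 permit ip 10.230.1.0 0.0.0.255 10.230.2.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map ASA_MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address VPN-INTERESTING

!=== Site A: ASA 5520, 8.3+ (LAN1 = 192.168.1.0/24, shown to Site B as 10.230.2.0/24) ===
object network LAN1-REAL
 subnet 192.168.1.0 255.255.255.0
object network LAN1-MAPPED
 subnet 10.230.2.0 255.255.255.0
object network LAN2-MAPPED
 description LAN2 as it appears after the 2600's NAT
 subnet 10.230.1.0 255.255.255.0
!
! Twice (manual) NAT keyed on the destination: 192.168.1.x is rewritten to
! 10.230.2.x only when talking to 10.230.1.0/24. Being static, it also
! translates 10.230.2.x -> 192.168.1.x for connections LAN2 initiates.
! This replaces a NAT-exemption entry for this tunnel; the traffic must be
! translated, not exempted. Keep this line above any general dynamic PAT.
nat (inside,outside) source static LAN1-REAL LAN1-MAPPED destination static LAN2-MAPPED LAN2-MAPPED
!
! Crypto ACL again uses translated addresses (NAT precedes the crypto-map
! check for outbound traffic on the ASA too).
access-list VPN-TO-LAN2 extended permit ip 10.230.2.0 255.255.255.0 10.230.1.0 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-LAN2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

To confirm the policy condition is doing its job, send traffic from a LAN2 host to an Internet address and to a 10.230.2.x address and compare `show ip nat translations` on the 2600: only the tunnel-bound flow should show a 10.230.1.x inside-global entry. On the ASA, `packet-tracer input inside tcp 192.168.1.10 1025 10.230.1.20 445` should show the NAT phase rewriting the source to 10.230.2.10 and the VPN encrypt phase matching `VPN-TO-LAN2`; the same trace toward an Internet address should hit the general PAT rule instead. If the tunnel comes up but nothing flows, the usual cause is a crypto ACL written with the pre-NAT 192.168.1.0/24 addresses on one side, so the proxy identities never match.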
