Overlapping Networks and NAT

Unanswered Question
Feb 11th, 2010

I need to connect two RFC1918 networks together; there are no public addresses or VPNs involved, so I want to know the best way to do this.

I have a single ASA appliance and my question is whether I can achieve this with the single appliance or whether I need a second NAT device in order to create an intermediate network that does not overlap with either organisation's IP range. Does anyone know of any Cisco documents that explain this, bearing in mind there is no Internet or VPN involved?


sachinraja Fri, 02/12/2010 - 14:38

Hi Paul

How are the two overlapping networks connected? I presume one of the networks is behind your ASA on the LAN side.. where is the other overlapping network placed? Is it over a private WAN? Would you have internal IP ranges which can be used to route traffic over the WAN? How many servers do you have on the networks which need connection to the other overlapping subnet? For all reasons, you need not worry much about the outbound connections from clients.. those can just be PATed onto the outside interface or any other non-overlapping IPs.. It's the inbound connections to servers & other hosts that matter a lot.. and yes, you can do a static NAT on your firewall, or on any intermediate device, based on your design...

Hope this helps.. all the best..


paultribe Mon, 02/15/2010 - 06:14


Thanks for your reply. What I wanted to know is if two overlapping networks can be connected together with a single ASA appliance as shown in the diagram attached: And if this is possible how would I best do this.

I think as I need to do source and destination NAT I require another NAT device on LAN B as the 3750 does not support NAT. Maybe another ASA or an ISR router.

Please advise.



Panos Kampanakis Fri, 02/12/2010 - 16:52

You can do it with double NAT (NAT source and destination) on both ASAs.

[Diagram labels: one ASA has outside ip addr y1, the other has outside ip addr y2]

ASA with outside ip addr y1:

nat (inside,outside) 1 access-list acl1 (acl1 matches hosts x1 destined to x2)
global (outside) 1 interface (that is y1)
nat (outside,inside) 2 access-list acl2 outside (acl2 matches hosts y2 destined to y1)
global (inside) 2 interface

ASA with outside ip addr y2:

nat (inside,outside) 1 access-list acl1 (acl1 matches hosts x2 destined to x1)
global (outside) 1 interface (that is y2)
nat (outside,inside) 2 access-list acl2 outside (acl2 matches hosts y1 destined to y2)
global (inside) 2 interface

I hope it helps.


paultribe Mon, 02/15/2010 - 06:15

Thanks for your reply, please see my post in reply to the other forum member for more details as to what I am trying to achieve.



Panos Kampanakis Mon, 02/15/2010 - 06:32

You can still do source and destination NATting on the same ASA as long as your LAN A and LAN B can be segmented. I mean they are both in the but they need to be distinguishable by the IP addresses on one and the other side.


nat (inside,outside) 1 access-list acl1 (acl1 matches hosts LANA destined to LANB)
global (outside) 1 interface (that is y1)
nat (outside,inside) 2 access-list acl2 outside (acl2 matches hosts LANB destined to LANA)
global (inside) 2 interface

So as long as the traffic can be distinguished on the ASA, you can do it.


paultribe Mon, 02/15/2010 - 11:55

I am looking at using policy NAT or static (I will test both), so thanks for the URL.

paultribe Mon, 02/15/2010 - 09:57

I have attached a more detailed diagram of what I think you are suggesting using policy NAT.

Basically, what I want is a host on LAN A ( to communicate with a host on LAN B ( bi-directionally using SNMP. Does this look right to you?

I noticed later the route statements in my diagram are incomplete (no next hop), they should be:

route inside

route outside



Kureli Sankar Mon, 02/15/2010 - 12:46


If you address the source and destination on each interface you will see the issue with policy nat.

Let us talk about inside to outside (initiated from the inside)

Outbound request

source IP:

Destination IP :

The same request on the outside will look like:

Source IP: ( will be translated to the interface IP, correct?)

Dest IP:

Now, since your source on the inside is hiding behind a PAT pool ( how would the host on the outside initiate traffic to the host on the inside ?

You can try to do (write down what the IP will look like on each interface) the same thing for the inbound traffic as well which will be initiated from the outside.

This will not work.

Static NAT or Policy Static will work. Test it out and let us know.


paultribe Wed, 02/17/2010 - 02:51


Does this look correct to you? See the attached diagram.



Kureli Sankar Wed, 02/17/2010 - 06:35

Here is what I would do:

static (inside,outside) net
static (outside,inside) net
access-list outbound permit udp host ho
access-group outbound in interface inside
access-list inbound permit udp ho ho
access-group inbound in interface outside

Add routes on the layer 3 interfaces on both sides:

ISR router -- ip route
3750 switch -- ip route

This should work. Again, we need to add the lines in and see what the logs say if it breaks.
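The point made in the two replies above (dynamic PAT hides the inside hosts so LAN B cannot initiate the SNMP poll, whereas net-to-net static NAT in both directions gives every host a fixed image on the far side) can be checked with a small address-translation model. This is an added example, not configuration from the thread; both LANs are assumed to really use 192.168.1.0/24, and the mapped ranges 10.1.1.0/24, 10.2.2.0/24 and the interface address 172.16.0.1 are constructed.

```python
import ipaddress

# Constructed addresses (not from the thread): both LANs really use 192.168.1.0/24.
# Static policy NAT gives each side a non-overlapping image of the other:
#   LAN A hosts appear on the outside as 10.1.1.0/24 (static (inside,outside) ...)
#   LAN B hosts appear on the inside as 10.2.2.0/24 (static (outside,inside) ...)
REAL = ipaddress.ip_network("192.168.1.0/24")      # the overlapping real range, both sides
MAPPED_A = ipaddress.ip_network("10.1.1.0/24")     # how LAN A looks from LAN B
MAPPED_B = ipaddress.ip_network("10.2.2.0/24")     # how LAN B looks from LAN A
OUTSIDE_IF = "172.16.0.1"                          # constructed ASA outside interface (PAT case)


def _shift(addr, src_net, dst_net):
    """Net-to-net static NAT: keep the host part, swap the network part."""
    host_part = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_part)


def static_inside_to_outside(src, dst):
    """Packet from a LAN A host to the mapped image of a LAN B host, as seen on the outside."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in REAL or dst not in MAPPED_B:
        raise ValueError("packet does not match the policy static NAT")
    return str(_shift(src, REAL, MAPPED_A)), str(_shift(dst, MAPPED_B, REAL))


def static_outside_to_inside(src, dst):
    """Reverse direction; this is what lets a LAN B host initiate the SNMP poll."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in REAL or dst not in MAPPED_A:
        raise ValueError("packet does not match the policy static NAT")
    return str(_shift(src, REAL, MAPPED_B)), str(_shift(dst, MAPPED_A, REAL))


def pat_outside_to_inside(xlate_table, dst, dport):
    """Dynamic PAT: an inbound packet to the interface IP is only deliverable
    if an xlate entry already exists, and entries are created by outbound flows only."""
    return xlate_table.get((dst, dport))


def outbound_pat(xlate_table, src, sport, mapped_port):
    """Model an outbound flow creating the xlate that PAT needs for return traffic."""
    xlate_table[(OUTSIDE_IF, mapped_port)] = (src, sport)
    return xlate_table
```

Run the static functions in both directions with the same pair of hosts and the addresses line up on each interface; run the PAT lookup against an empty table and the outside-initiated packet has nowhere to go.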


paultribe Thu, 04/01/2010 - 07:37

Sorry I took so long to reply. Because of costs I canned the ASA idea, as what I wanted to do (which was not depicted) was add in additional customers which had even more overlapping networks, therefore in the end I decided on using an ISR with VRFs, VRF-aware NAT and ZBFW, which was much more cost effective. However, thanks for your input, it was much appreciated and useful, as I was getting completely mixed up with the NAT configuration (a weak point of mine).

