Overlapping Networks and NAT

paultribe
Level 1

I need to connect two 10.0.0.0/8 RFC1918 networks together, there are no public addresses or VPN involved therefore I want to know the best way to do this.

I have a single ASA appliance and my question is: can I achieve this with the single appliance, or do I need a second NAT device in order to create an intermediate network that does not overlap with either organisation's IP range? Does anyone know of any Cisco documents that explain this, bearing in mind there is no Internet or VPN involved?

Paul

14 Replies

sachinraja
Level 9

Hi Paul

How are the two overlapping networks connected? I presume one of the 10.0.0.0/8 networks is behind your ASA on the LAN side. Where is the other overlapping network placed? Is it over a private WAN? Would you have internal IP ranges which can be used to route traffic over the WAN? How many servers do you have on the 10.0.0.0/8 networks which need connection to the other overlapping subnet? For all reasons, you need not worry much about the outbound connections from clients; those can just be PATed onto the outside interface or any other non-overlapping IPs. It's the inbound connections to servers and other hosts that matter a lot, and yes, you can do a static NAT on your firewall, or on any intermediate device, based on your design.

Hope this helps. All the best.

Raj

Hi

Thanks for your reply. What I wanted to know is if two overlapping networks can be connected together with a single ASA appliance as shown in the diagram attached, and if this is possible, how I would best do this.

I think as I need to do source and destination NAT I require another NAT device on LAN B as the 3750 does not support NAT. Maybe another ASA or an ISR router.

Please advise.

DIAGRAM DELETED AS INCORRECT.

Paul

Panos Kampanakis
Cisco Employee

You can do it with double NAT (NAT source and destination) on both ASAs.

                       ip addr:y2
x1-----ASA1------------ASA2----x2
           ip addr:y1

ASA1:

nat (inside,outside) 1 access-list acl1     (acl1 matches hosts x1 destined to x2)
global (outside) 1 interface                (that is y1)
nat (outside,inside) 2 access-list acl2 outside   (acl2 matches hosts y2 destined to y1)
global (inside) 2 interface

ASA2:

nat (inside,outside) 1 access-list acl1     (acl1 matches hosts x2 destined to x1)
global (outside) 1 interface                (that is y2)
nat (outside,inside) 2 access-list acl2 outside   (acl2 matches hosts y1 destined to y2)
global (inside) 2 interface

I hope it helps.

PK

This is what you are looking for, right?

Nice diagram and example as to how to do it.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1082664

-KS

Thanks for your reply. Please see my post in reply to the other forum member for more details as to what I am trying to achieve.

Paul


You can still do source and destination NATting on the same ASA as long as your LAN A and LAN B can be segmented. I mean they are both in 10.0.0.0/8, but the IP addresses on one side and the other need to be distinguishable.

ASA:

nat (inside,outside) 1 access-list acl1     (acl1 matches hosts LANA destined to LANB)
global (outside) 1 interface                (that is y1)
nat (outside,inside) 2 access-list acl2 outside   (acl2 matches hosts LANB destined to LANA)
global (inside) 2 interface

So as long as the traffic can be distinguished on the ASA, you can do it.

PK

Paul,

Yes you can certainly use the single ASA to do this.

Please follow this link that I posted earlier.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1082664

You would have to do STATIC source and destination translation. The link above will help.

-KS

I am looking at using policy NAT or static (I will test both), so thanks for the URL.

I have attached a more detailed diagram of what I think you are suggesting using policy NAT.

Basically, what I want is a host on LAN A (10.12.17.78) to communicate with a host on LAN B (10.1.4.252) bi-directionally using SNMP. Does this look right to you?

I noticed later that the route statements in my diagram are incomplete (no next hop); they should be:

route inside 10.1.4.252 255.255.255.255 10.1.4.254
route outside 10.12.17.78 255.255.255.255 10.12.255.9

DIAGRAM DELETED AS INCORRECT.

Paul

Kureli Sankar
Cisco Employee

Paul,

If you write down the source and destination on each interface you will see the issue with policy NAT.

Let us talk about inside to outside (initiated from the inside).

Outbound request:
Source IP: 10.1.4.252
Destination IP: 10.12.17.78

The same request on the outside will look like:
Source IP: 10.12.255.8 (10.1.4.252 will be translated to the interface IP, correct?)
Destination IP: 10.12.17.78

Now, since your source on the inside, 10.1.4.252, is hiding behind a PAT pool (10.12.17.78), how would the host on the outside initiate traffic to the host on the inside?

You can try to do the same thing (write down what the IP will look like on each interface) for the inbound traffic as well, which will be initiated from the outside.

This will not work.

Static NAT or Policy Static will work. Test it out and let us know.

-KS

Hi

Does this look correct to you? See the attached diagram.

DIAGRAM DELETED AS INCORRECT.

Paul

Kureli Sankar
Cisco Employee

Here is what I would do:

static (inside,outside) 192.168.4.252 10.1.4.252 netmask 255.255.255.255
static (outside,inside) 192.168.17.78 10.12.17.78 netmask 255.255.255.255

access-list outbound permit udp host 10.1.4.252 host 192.168.17.78
access-group outbound in interface inside

access-list inbound permit udp host 10.12.17.78 host 192.168.4.252
access-group inbound in interface outside

Add routes on the layer 3 interfaces on both sides:

ISR router -- ip route 192.168.4.252 255.255.255.255 10.12.255.8
3750 switch -- ip route 192.168.17.78 255.255.255.255 10.1.99.2

This should work. Again, we need to add the lines in and see what the logs say if it breaks.

-KS
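As an added illustration of the two designs KS compares above (this is example code, not part of the thread or Cisco's own), the model below applies the posted static entries to a packet in each direction and shows why the dynamic PAT design has no translation for a connection initiated from the outside. The addresses are the ones posted in the thread; ports are omitted for simplicity.

```python
from dataclasses import dataclass

# Addresses from the thread (constructed sample values for this model).
INSIDE_HOST, INSIDE_MAPPED = "10.1.4.252", "192.168.4.252"     # LAN B real / as seen from outside
OUTSIDE_HOST, OUTSIDE_MAPPED = "10.12.17.78", "192.168.17.78"  # LAN A real / as seen from inside
OUTSIDE_IF = "10.12.255.8"  # ASA outside interface, used as the PAT address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# static (inside,outside) 192.168.4.252 10.1.4.252  -> ("inside",  real, mapped)
# static (outside,inside) 192.168.17.78 10.12.17.78 -> ("outside", real, mapped)
STATICS = [("inside", INSIDE_HOST, INSIDE_MAPPED),
           ("outside", OUTSIDE_HOST, OUTSIDE_MAPPED)]


def static_twice_nat(pkt: Packet, ingress: str) -> Packet:
    """Apply both static entries to a packet entering on `ingress`.

    A real address on the ingress side becomes its mapped address (source
    translation); a mapped address belonging to the egress side becomes the
    real host (destination translation). Statics are stateless, so a packet
    can be translated correctly whichever side initiates the connection.
    """
    src, dst = pkt.src, pkt.dst
    for real_side, real, mapped in STATICS:
        if real_side == ingress and src == real:
            src = mapped
        if real_side != ingress and dst == mapped:
            dst = real
    return Packet(src, dst)


def pat_outbound(pkt: Packet, xlate: dict) -> Packet:
    """Dynamic PAT to the outside interface: hide the source and record an xlate."""
    xlate[(pkt.dst, OUTSIDE_IF)] = pkt.src  # keyed by (outside peer, interface address)
    return Packet(OUTSIDE_IF, pkt.dst)


def pat_inbound(pkt: Packet, xlate: dict):
    """Packet arriving on the outside for the interface address.

    Only a reply to an existing xlate can be untranslated; an outside-initiated
    connection finds no entry and returns None, which is the problem KS describes.
    """
    real = xlate.get((pkt.src, pkt.dst))
    return Packet(pkt.src, real) if real else None
```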

Sorry I took so long to reply. Because of costs I canned the ASA idea, as what I wanted to do (which was not depicted) was add in additional customers which had even more overlapping networks, therefore in the end I decided on using an ISR with VRFs, VRF-aware NAT and ZBFW, which was much more cost effective. However, thanks for your input; it was much appreciated and useful, as I was getting completely mixed up with the NAT configuration (a weak point of mine).
