02-11-2010 11:23 PM - edited 03-11-2019 10:08 AM
I need to connect two 10.0.0.0/8 RFC 1918 networks together. There are no public addresses or VPNs involved, so I want to know the best way to do this.
I have a single ASA appliance, and my question is whether I can achieve this with the single appliance or whether I need a second NAT device in order to create an intermediate network that does not overlap with either organisation's IP range. Does anyone know of any Cisco documents that explain this, bearing in mind there is no Internet or VPN involved?
Paul
02-12-2010 02:38 PM
Hi Paul
How are the two overlapping networks connected? I presume one of the 10.0.0.0/8 networks is behind your ASA on the LAN side. Where is the other overlapping network placed? Is it over a private WAN? Would you have internal IP ranges which can be used to route traffic over the WAN? How many servers do you have on the 10.0.0.0/8 networks which need connection to the other overlapping subnet? For all reasons, you need not worry much about the outbound connections from clients; those can just be PATed onto the outside interface or any other non-overlapping IPs. It's the inbound connections to servers and other hosts that matter a lot. And yes, you can do a static NAT on your firewall, or on any intermediate device, based on your design.
Hope this helps. All the best.
Raj
02-15-2010 06:14 AM
Hi
Thanks for your reply. What I wanted to know is whether two overlapping networks can be connected together with a single ASA appliance as shown in the diagram attached, and if this is possible, how I would best do it.
I think, as I need to do source and destination NAT, I require another NAT device on LAN B, as the 3750 does not support NAT. Maybe another ASA or an ISR router.
Please advise.
DIAGRAM DELETED AS INCORRECT.
Paul
02-12-2010 04:52 PM
You can do it with double NAT (NAT source and destination) on both ASAs.
ip addr:y2
x1-----ASA1------------ASA2----x2
ip addr:y1
ASA1:
nat (inside,outside) 1 access-list acl1 (acl1 matches hosts x1 destined to x2)
global (outside) 1 interface (that is y1)
nat (outside,inside) 2 access-list acl2 outside (acl2 matches hosts y2 destined to y1)
global (inside) 2 interface
ASA2:
nat (inside,outside) 1 access-list acl1 (acl1 matches hosts x2 destined to x1)
global (outside) 1 interface (that is y2)
nat (outside,inside) 2 access-list acl2 outside (acl2 matches hosts y1 destined to y2)
global (inside) 2 interface
I hope it helps.
PK
02-12-2010 05:41 PM
This is what you are looking for right?
Nice diagram and example as to how to do it.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1082664
-KS
02-15-2010 06:15 AM
Thanks for your reply. Please see my post in reply to the other forum member for more details as to what I am trying to achieve.
Paul
02-15-2010 06:16 AM
Thanks for your reply. Please see my post in reply to the other forum member for more details as to what I am trying to achieve.
Paul
02-15-2010 06:32 AM
You can still do source and destination NATting on the same ASA as long as your LAN A and LAN B can be segmented. I mean they are both in 10.0.0.0/8, but the IP addresses on one side and the other need to be distinguishable.
ASA:
nat (inside,outside) 1 access-list acl1 (acl1 matches hosts LANA destined to LANB)
global (outside) 1 interface (that is y1)
nat (outside,inside) 2 access-list acl2 outside (acl2 matches hosts LANB destined to LANA)
global (inside) 2 interface
So as long as the traffic is distinguishable on the ASA, you can do it.
PK
02-15-2010 07:52 AM
Paul,
Yes you can certainly use the single ASA to do this.
Please follow this link that I posted earlier.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1082664
You would have to do STATIC source and destination translation. The link above will help.
-KS
02-15-2010 11:55 AM
I am looking at using policy NAT or static (I will test both), so thanks for the URL.
02-15-2010 09:57 AM
I have attached a more detailed diagram of what I think you are suggesting, using policy NAT.
Basically, what I want is a host on LAN A (10.12.17.78) to communicate with a host on LAN B (10.1.4.252) bi-directionally using SNMP. Does this look right to you?
I noticed later that the route statements in my diagram are incomplete (no next hop); they should be:
route inside 10.1.4.252 255.255.255.255 10.1.4.254
route outside 10.12.17.78 255.255.255.255 10.12.255.9
DIAGRAM DELETED AS INCORRECT.
Paul
02-15-2010 12:46 PM
Paul,
If you write out the source and destination on each interface, you will see the issue with policy NAT.
Let us talk about inside to outside (initiated from the inside).
Outbound request
source IP: 10.1.4.252
Destination IP : 10.12.17.78
The same request on the outside will look like:
Source IP: 10.12.255.8 (10.1.4.252 will be translated to the interface IP, correct?)
Dest IP: 10.12.17.78
Now, since your source on the inside, 10.1.4.252, is hiding behind a PAT pool (10.12.17.78), how would the host on the outside initiate traffic to the host on the inside?
You can try to do the same thing (write down what the IP will look like on each interface) for the inbound traffic as well, which will be initiated from the outside.
This will not work.
Static NAT or Policy Static will work. Test it out and let us know.
-KS
02-17-2010 02:51 AM
Hi
Does this look correct to you? See the attached diagram.
DIAGRAM DELETED AS INCORRECT.
Paul
02-17-2010 06:35 AM
Here is what I would do:
static (inside,outside) 192.168.4.252 10.1.4.252 netmask 255.255.255.255
static (outside,inside) 192.168.17.78 10.12.17.78 netmask 255.255.255.255
access-list outbound permit udp host 10.1.4.252 host 192.168.17.78
access-group outbound in interface inside
access-list inbound permit udp host 10.12.17.78 host 192.168.4.252
access-group inbound in interface outside
Add routes on the layer 3 devices on both sides:
ISR router: ip route 192.168.4.252 255.255.255.255 10.12.255.8
3750 switch: ip route 192.168.17.78 255.255.255.255 10.1.99.2
This should work. Again, we need to add the lines in and see what the logs say if it breaks.
-KS
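To make KS's "write down what the IP looks like on each interface" exercise concrete, here is an added example (written for this page, not Cisco code and not from any poster) that traces the SNMP poll, its reply and a LAN-A-initiated packet through both designs discussed above: the dynamic PAT to the outside interface address from the policy-NAT attempt, and the pair of one-to-one static translations from the config just posted. It models only the address rewriting, not ACLs, routing or xlate timeouts. The hosts and interface addresses are the ones named in the thread (LAN B host 10.1.4.252 behind inside, LAN A host 10.12.17.78 behind outside, outside interface 10.12.255.8); the 192.168.x mapped addresses follow KS's config, and the port numbers are constructed for the trace.

```python
"""Per-interface address trace for the two ASA NAT designs in this thread.
Hypothetical simulator, not Cisco code. It models only the address rewriting of
ASA 8.2-style 'static (real_ifc,mapped_ifc) mapped_ip real_ip' entries and of
'nat (inside,outside) 1 access-list ...' + 'global (outside) 1 interface';
ACLs, routing and xlate timeouts are out of scope. Addresses are the ones named
in the thread; port numbers are constructed for the example."""
import dataclasses
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StaticNat:
    """One-to-one static translations, usable in both directions."""

    def __init__(self) -> None:
        # both maps are keyed by the interface the real host sits behind
        self._real_to_mapped: Dict[str, Dict[str, str]] = {}
        self._mapped_to_real: Dict[str, Dict[str, str]] = {}

    def static(self, real_ifc: str, mapped_ip: str, real_ip: str) -> None:
        """static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255"""
        self._real_to_mapped.setdefault(real_ifc, {})[real_ip] = mapped_ip
        self._mapped_to_real.setdefault(real_ifc, {})[mapped_ip] = real_ip

    def forward(self, pkt: Packet, in_ifc: str, out_ifc: str) -> Packet:
        """Packet as seen on out_ifc: source goes real -> mapped; destination was
        sent to the mapped address of a host behind out_ifc, so it goes
        mapped -> real. Addresses without a static pass unchanged."""
        src = self._real_to_mapped.get(in_ifc, {}).get(pkt.src, pkt.src)
        dst = self._mapped_to_real.get(out_ifc, {}).get(pkt.dst, pkt.dst)
        return dataclasses.replace(pkt, src=src, dst=dst)


class DynamicPat:
    """nat (inside,outside) 1 access-list ... with global (outside) 1 interface"""

    def __init__(self, interface_ip: str, first_port: int = 1024) -> None:
        self.interface_ip = interface_ip
        self._next_port = first_port
        self._xlate: Dict[int, Tuple[str, int]] = {}  # mapped port -> (real ip, port)

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Outbound flows get a fresh port on the interface address plus an xlate."""
        port, self._next_port = self._next_port, self._next_port + 1
        self._xlate[port] = (pkt.src, pkt.sport)
        return dataclasses.replace(pkt, src=self.interface_ip, sport=port)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Only packets matching an existing xlate get through; a connection
        started from the outside has nothing to match and is dropped (None)."""
        if pkt.dst != self.interface_ip or pkt.dport not in self._xlate:
            return None
        real_ip, real_port = self._xlate[pkt.dport]
        return dataclasses.replace(pkt, dst=real_ip, dport=real_port)


def mapped_address_is_distinguishable(mapped_ip: str, peer_lan: str) -> bool:
    """A mapped address the peer LAN must reach cannot lie inside the peer's own
    range, or the peer routes it locally instead of towards the ASA."""
    return ipaddress.ip_address(mapped_ip) not in ipaddress.ip_network(peer_lan)


def trace_static_design() -> Dict[str, Packet]:
    asa = StaticNat()
    asa.static("inside", "192.168.4.252", "10.1.4.252")
    asa.static("outside", "192.168.17.78", "10.12.17.78")
    poll = Packet("10.1.4.252", "192.168.17.78", 40000, 161)   # LAN B polls LAN A
    reply = Packet("10.12.17.78", "192.168.4.252", 161, 40000)  # as LAN A sends it
    trap = Packet("10.12.17.78", "192.168.4.252", 50000, 162)   # LAN A initiated
    return {
        "poll_on_outside": asa.forward(poll, "inside", "outside"),
        "reply_on_inside": asa.forward(reply, "outside", "inside"),
        "trap_on_inside": asa.forward(trap, "outside", "inside"),
    }


def trace_pat_design() -> Dict[str, Optional[Packet]]:
    asa = DynamicPat("10.12.255.8")
    poll = asa.inside_to_outside(Packet("10.1.4.252", "10.12.17.78", 40000, 161))
    reply = asa.outside_to_inside(Packet("10.12.17.78", "10.12.255.8", 161, poll.sport))
    # LAN A starts its own connection: the only target it has is the interface
    # address, and no xlate exists for that port, so the packet is dropped.
    trap = asa.outside_to_inside(Packet("10.12.17.78", "10.12.255.8", 50000, 162))
    return {"poll_on_outside": poll, "reply_on_inside": reply, "trap_on_inside": trap}


if __name__ == "__main__":
    for name, trace in (("static", trace_static_design()), ("PAT", trace_pat_design())):
        print(name)
        for step, pkt in trace.items():
            print(f"  {step}: {pkt if pkt else 'DROPPED (no xlate)'}")
    for addr in ("192.168.4.252", "10.12.17.78"):
        print(addr, "usable as a mapped address for a 10.0.0.0/8 peer:",
              mapped_address_is_distinguishable(addr, "10.0.0.0/8"))
```

Running it shows the static design carrying all three packets with each side always seeing the other only at its 192.168.x mapped address, while the PAT design passes the poll and its reply but drops the LAN-A-initiated trap. The last check is PK's condition that the mapped addresses be distinguishable: a 192.168.x address works because the peer LAN will route it towards the ASA, whereas reusing a 10.x address would be swallowed by the peer's own 10.0.0.0/8.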
04-01-2010 07:37 AM
Sorry I took so long to reply. Because of costs I canned the ASA idea, as what I wanted to do (which was not depicted) was add in additional customers which had even more overlapping networks. Therefore, in the end, I decided on using an ISR with VRFs, VRF-aware NAT and ZBFW, which was much more cost effective. However, thanks for your input; it was much appreciated and useful, as I was getting completely mixed up with the NAT configuration (a weak point of mine).