ASA 5510 7.0 Need to tunnel to two different sites with same LAN subnet

Unanswered Question
Feb 23rd, 2010

We have an ASA5510 that connects to the internet with a static IP address and connects to our LAN with a static IP address.

We allow client connections on tunnel group First, type ipsec-ra:

group-policy First internal
ip local pool First 192.168.120.2-192.168.120.200
nat (inside) 0 access-list inside_nat0_inbound
nat (inside) 0 0.0.0.0 0.0.0.0

We also have several peer-to-peer tunnels:

tunnel-group nnn.nnn.nnn.nnn type ipsec-l2l

and these are working.

Now I have two other remote offices who have both built their LANs on subnet 192.168.1.0/24. I need to build peer-to-peer tunnels to both of these locations.

Is there a way to NAT the addresses of the two locations individually as they enter the ASA5510 from the internet?

Thanks for your help, Pam

busterswt Tue, 02/23/2010 - 20:09

Hi Pam,

I don't know of any way to NAT the traffic as it enters the 5510, but if the remote branches are ASAs or PIXs then you can implement Policy NAT on those devices to achieve what you're looking for. The documentation for the PIX can be found here, under 'Configuring Policy NAT'. The ASA would be similar, if not the same:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113601

It is possible, through static NAT trickery, to do what you want on the 5510 *so long as* there are no overlapping IPs between the overlapping subnets. I wouldn't recommend this though as it can likely get confusing pretty quickly. I would look into the Policy NAT if at all possible.

James
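To make the Policy NAT suggestion above concrete, here is an added configuration sketch (not from James or the original thread) in the pre-8.3 NAT syntax that ASA 7.0 and PIX 6.3 use. It assumes the HQ inside network is 192.168.100.0/24, that office A is presented to HQ as 10.1.1.0/24 and office B as 10.1.2.0/24, and it uses assumed interface, ACL and crypto map names; the public peer addresses and the rest of the crypto map and tunnel-group settings are the same kind you already have for the working tunnels.

```cisco
! Added example, not the poster's config. Remote office A (ASA/PIX, pre-8.3 NAT).
! Assumed: HQ inside = 192.168.100.0/24, office A mapped to 10.1.1.0/24,
! office B mapped to 10.1.2.0/24, interface and map names are placeholders.

! --- Remote office A ---
! Policy NAT: only traffic from the real LAN to HQ is translated; local traffic
! and internet-bound traffic keep using 192.168.1.0/24 as before.
access-list POLICY_NAT_HQ extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list POLICY_NAT_HQ
! The crypto ACL must match the mapped addresses (10.1.1.0/24), never 192.168.1.0/24,
! because NAT is applied before the traffic is matched against the crypto map.
access-list VPN_TO_HQ extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ
crypto map OUTSIDE_MAP 10 set peer <HQ-public-IP>
tunnel-group <HQ-public-IP> type ipsec-l2l

! --- Remote office B: identical to A, with 10.1.2.0 in place of 10.1.1.0 ---

! --- HQ ASA 5510 ---
! HQ never sees 192.168.1.0/24; each office arrives as its own subnet, so the
! two tunnels do not collide. Exempt both mapped subnets from NAT (your nat 0 ACL)
! and build one crypto map entry per peer.
access-list inside_nat0_inbound extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip 192.168.100.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list VPN_TO_A extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_TO_B extended permit ip 192.168.100.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto map OUTSIDE_MAP 20 match address VPN_TO_A
crypto map OUTSIDE_MAP 20 set peer <office-A-public-IP>
crypto map OUTSIDE_MAP 30 match address VPN_TO_B
crypto map OUTSIDE_MAP 30 set peer <office-B-public-IP>
tunnel-group <office-A-public-IP> type ipsec-l2l
tunnel-group <office-B-public-IP> type ipsec-l2l
```

On a remote ASA, `show xlate` after sending traffic toward HQ should list 192.168.1.x hosts translated to 10.1.1.x (or 10.1.2.x); if the tunnel does not come up, check that the crypto ACLs on both ends mirror each other using the mapped subnets, since a mismatch there is the usual cause.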
