Help with NAT for overlapping scopes on IPSec tunnel

Unanswered Question
Apr 27th, 2010

Hello all,

I have an ASA5510 on which I need to set up 2 IPSec tunnels to the same subnet on different networks:

CustomerA: 172.16.0.0/16

CustomerB: 172.16.0.0/16

My challenge is that I cannot touch the far end, and neither is willing to set up NAT on their side. I would like to be able to punch in 10.10.0.0 to get to hosts on CustomerA network, and 10.20.0.0 to get to hosts on CustomerB network.

So for example when I type in 10.10.0.1 it goes through the IPSec tunnel for Customer A and ends up at host 172.16.0.1.

And when I type in 10.20.0.1 it goes through the IPSec tunnel for Customer B and ends up at host 172.16.0.1.

Thank you all in advance for your help!

Federico Coto F... Tue, 04/27/2010 - 14:42

Hi,

This can be done as you can do NAT for either the inbound or outbound traffic or both.

So, you can manage the NAT rules on your ASA, even without having access to the other ASAs.

As I understand you have your ASA that will have two VPN tunnels to two customers (both customers are using 172.16.0.0/16), correct?

You want to NAT on your ASA, so that you can communicate with both locations... is this correct?

Federico.

mikegfried Tue, 04/27/2010 - 15:33

Yes this is correct please help!

Thank you!

On Apr 27, 2010, at 6:04 PM, "coto.fusionet"

Federico Coto F... Tue, 04/27/2010 - 16:27

Mike,

The problem that I see here is that both remote locations have the 172.16.0.0/16.

If you NAT the inbound traffic, the ASA has no way to know if the traffic from 172.16.0.0/16 is coming from Customer A or Customer B.

You can definitely get this working for one customer.

The other option is, if both customers need access to different IPs (on your side), to differentiate the traffic with inbound Policy NAT.

The question is... do both customers require access to the same devices on your side?

Federico.

mikegfried Tue, 04/27/2010 - 16:32

Hello,

Yes they both require access to the same IP, but could I mask my internal IP so they each see it as a different IP?

Thank you again for the help!

Federico Coto F... Tue, 04/27/2010 - 16:46

You can mask your internal IPs to different ranges.

The problem is that the ASA will still receive on the same outside interface traffic from 172.16.0.0/16.

How will the ASA differentiate which packets are from Customer A and which from Customer B?

Let's say that your internal network is 192.168.1.0/24

So, you can create a NAT rule to translate the internal LAN to 10.10.10.0/24 when going to customer A and to 10.20.20.20/24 when going to Customer B.

The problem is that in order to NAT the incoming traffic from the customers, the ASA will receive a range of 172.16.0.0/16 for both customers. I don't see how the ASA will differentiate one customer from another going to the same destination.

Anyway, this is something I'm going to try to lab and see if we can make it work (but I don't see how just now).

Federico.
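As an added example (not from this thread and not Cisco's own text), here is the configuration shape the thread circles around: mikegfried's request to reach both customers' 172.16.0.0/16 through 10.10.0.0/16 and 10.20.0.0/16, combined with Federico's suggestion of presenting the internal LAN to each customer as a different range. It assumes ASA software 8.3 or later (twice NAT syntax; the 8.2 code current when this was posted uses the older static/policy NAT form), an internal LAN of 192.168.1.0/24 as in Federico's example, and constructed ranges 10.1.1.0/24 and 10.2.2.0/24 as the masked local addresses each customer sees. Object names, interface names, the crypto map name and the peer addresses are placeholders, and lines beginning with ! are explanatory comments.

```cisco
! Added example (not from the thread): ASA 8.3+ twice NAT for two
! IPSec peers that both use 172.16.0.0/16. All object names, interface
! names, the crypto map name and peer addresses are placeholders;
! 10.1.1.0/24 and 10.2.2.0/24 are constructed "masked" local ranges.

! Real local LAN (Federico's example network)
object network LOCAL_LAN
 subnet 192.168.1.0 255.255.255.0

! How the local LAN appears to each customer (constructed ranges)
object network LOCAL_LAN_AS_SEEN_BY_A
 subnet 10.1.1.0 255.255.255.0
object network LOCAL_LAN_AS_SEEN_BY_B
 subnet 10.2.2.0 255.255.255.0

! The overlapping remote network, one object per customer for clarity
object network CUST_A_REAL
 subnet 172.16.0.0 255.255.0.0
object network CUST_B_REAL
 subnet 172.16.0.0 255.255.0.0

! How each customer appears to local hosts (the 10.10 / 10.20 idea)
object network CUST_A_MAPPED
 subnet 10.10.0.0 255.255.0.0
object network CUST_B_MAPPED
 subnet 10.20.0.0 255.255.0.0

! Twice NAT translates source and destination together. A local host
! sending to 10.10.0.1 is rewritten to 10.1.1.x -> 172.16.0.1 and one
! sending to 10.20.0.1 to 10.2.2.x -> 172.16.0.1. The rules are
! bidirectional: an inbound packet 172.16.0.1 -> 10.1.1.x matches only
! the first rule and 172.16.0.1 -> 10.2.2.x only the second, so the
! ASA tells the customers apart by the masked local address they send
! to, not by the identical 172.16.0.0/16 source.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN_AS_SEEN_BY_A destination static CUST_A_MAPPED CUST_A_REAL
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN_AS_SEEN_BY_B destination static CUST_B_MAPPED CUST_B_REAL

! Crypto ACLs use the post-NAT (mapped) addresses: each peer sees a
! unique local range and its own, unchanged 172.16.0.0/16, so nothing
! has to change on the customers' side.
access-list VPN_CUST_A extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_CUST_B extended permit ip 10.2.2.0 255.255.255.0 172.16.0.0 255.255.0.0

! Placeholder peers (documentation addresses); transform sets and the
! rest of the existing crypto map configuration are unchanged.
crypto map OUTSIDE_MAP 10 match address VPN_CUST_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 match address VPN_CUST_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
```

The point that answers Federico's objection is that the customers must address the local hosts through their own masked range (10.1.1.x for Customer A, 10.2.2.x for Customer B); that destination, paired with the decrypting tunnel's crypto ACL, is what disambiguates return traffic from the shared 172.16.0.0/16. To confirm the translation before bringing a tunnel up, packet-tracer on the ASA shows which NAT rule and crypto map entry a flow hits, for example `packet-tracer input inside tcp 192.168.1.10 12345 10.10.0.1 80` against the first rule and the same command with 10.20.0.1 against the second.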
