Help with NAT for overlapping scopes on IPSec tunnel

Unanswered Question
Apr 27th, 2010

Hello all,

I have an ASA5510 on which I need to set up 2 IPSec tunnels to the same subnet on different networks:



My challenge is that I cannot touch the far end, and neither is willing to setup NAT on their side.  I would like to be able to punch in to get to hosts on CustomerA network, and to get to hosts on CustomerB network. 

So for example when I type in it goes through the IPSec tunnel for customer A and ends up at host

And when I type in it goes through the IPSec tunnel for Customer B and ends up at host

Thank you all in advance for your help!

Federico Coto F... Tue, 04/27/2010 - 14:42
User Badges:
  • Green, 3000 points or more


This can be done as you can do NAT for either the inbound or outbound traffic or both.

So, you can manage the NAT rules on your ASA, even if not having access to the other ASAs.

As I understand it, you have your ASA that will have two VPN tunnels to two customers (both customers are using, correct?).

You want to NAT on your ASA, so that you can communicate with both locations... is this correct?


mikegfried Tue, 04/27/2010 - 15:33

Yes this is correct please help!

Thank you!

On Apr 27, 2010, at 6:04 PM, "coto.fusionet"

Federico Coto F... Tue, 04/27/2010 - 16:27
User Badges:
  • Green, 3000 points or more


The problem that I see here is that both remote locations have the

If you NAT the inbound traffic, the ASA has no way to know if the traffic from is coming from Customer A or Customer B.

You can definitely get this working for one customer.

The other option is, if both customers need access to different IPs (on your side), that you can differentiate the traffic with inbound Policy NAT.

The question is... do both customers require access to the same devices on your side?


mikegfried Tue, 04/27/2010 - 16:32


Yes they both require access to the same IP, but could I mask my internal IP so they each see it as a different IP?

Thank you again for the help!

Federico Coto F... Tue, 04/27/2010 - 16:46
User Badges:
  • Green, 3000 points or more

You can mask your internal IPs to different ranges.

The problem is that the ASA will still receive on the same outside interface traffic from

How will the ASA differentiate which packets are from Customer A and which from Customer B?

Let's say that your internal network is

So, you can create a NAT rule to translate the internal LAN to when going to customer A and to when going to Customer B.

The problem is that in order to NAT the incoming traffic from the customers, the ASA will receive a range of for both customers. I don't see how the ASA will differentiate one customer from another going to the same destination.

Anyway, this is something I'm going to try to lab it and see if we can make it work (but I don't see how just now).
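As an added illustration (editor's example, not Federico's lab result or anything posted in the thread) of the approach discussed above, here is what "translate the internal LAN to one range when going to Customer A and to another when going to Customer B" looks like as ASA configuration. It assumes ASA 8.3 or later twice NAT syntax (the thread predates that; on 8.2 the same idea is built with policy `static` rules and access-lists), and every address, object name, ACL name and peer IP below is a constructed placeholder, since the thread's real addresses did not survive extraction. The idea is that the destination you type on the inside selects the NAT rule, and that rule rewrites both the source and the destination, so the crypto ACLs end up matching non-overlapping post-NAT addresses even though both customers' real LANs are the same subnet.

```cisco
! Added example (not from the thread): ASA 8.3+ twice NAT for two IPsec
! peers whose LANs both use the same (overlapping) subnet.
! All addresses below are constructed placeholders:
!   10.1.1.0/24      our real inside LAN
!   192.168.1.0/24   the subnet BOTH customers use (the overlap)
!   10.100.1.0/24    what we type on the inside to reach Customer A hosts
!   10.200.1.0/24    what we type on the inside to reach Customer B hosts
!   172.16.1.0/24    how Customer A sees our LAN
!   172.16.2.0/24    how Customer B sees our LAN
!   203.0.113.10 / 198.51.100.10   the two VPN peers
object network INSIDE_LAN
 subnet 10.1.1.0 255.255.255.0
object network INSIDE_AS_SEEN_BY_A
 subnet 172.16.1.0 255.255.255.0
object network INSIDE_AS_SEEN_BY_B
 subnet 172.16.2.0 255.255.255.0
object network CUSTA_FAKE
 subnet 10.100.1.0 255.255.255.0
object network CUSTB_FAKE
 subnet 10.200.1.0 255.255.255.0
object network CUST_REAL
 subnet 192.168.1.0 255.255.255.0
!
! Twice NAT: the typed destination selects the rule, and the rule rewrites
! both ends of the packet.
!   10.1.1.5 -> 10.100.1.10 leaves the ASA as 172.16.1.5 -> 192.168.1.10
!   10.1.1.5 -> 10.200.1.10 leaves the ASA as 172.16.2.5 -> 192.168.1.10
! Static twice NAT is bidirectional, so a customer-initiated packet to
! 172.16.1.x or 172.16.2.x is un-NATed by the matching rule, and the
! different mapped destination is what tells the two customers apart.
nat (inside,outside) source static INSIDE_LAN INSIDE_AS_SEEN_BY_A destination static CUSTA_FAKE CUST_REAL
nat (inside,outside) source static INSIDE_LAN INSIDE_AS_SEEN_BY_B destination static CUSTB_FAKE CUST_REAL
!
! Crypto ACLs match the post-NAT addresses, so the two tunnels do not
! overlap even though the remote side of each is 192.168.1.0/24.
access-list VPN_CUSTA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_CUSTB extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_CUSTA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 match address VPN_CUSTB
crypto map OUTSIDE_MAP 20 set peer 198.51.100.10
crypto map OUTSIDE_MAP interface outside
! (IKE policy, transform sets and tunnel-group pre-shared keys are
!  configured as for any site-to-site tunnel and are omitted here.)
```

Two practical points. First, the far ends do not have to run NAT themselves, which fits the constraint in the thread, but each customer's crypto ACL must name the mapped range you hand them (172.16.1.0/24 for A, 172.16.2.0/24 for B) rather than your real LAN, so that much coordination is still required. Second, check the rule selection before relying on it: `packet-tracer input inside tcp 10.1.1.5 1025 10.100.1.10 22` should show the first twice NAT rule being hit and the packet being selected for the Customer A crypto map entry, while the same trace toward 10.200.1.10 should hit the second rule and the Customer B entry; `show nat` and `show xlate` confirm the translations once traffic is flowing.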


