IP address overlap

Unanswered Question
May 25th, 2010

We are configuring a remote site with an ASA 5580 at each site. Our IP segment for the server [which they are to have access to] uses the same segment for other services within their organization. Our server is one of the core servers which our physicians access remotely to read cases. Our segment is also used with all of the remote sites which we are communicating with. I want to be able to NAT for this particular server only for this site-to-site VPN tunnel and not for the entire network segment. I want to perform this without breaking our segment.

Please advise.

Federico Coto F... Tue, 05/25/2010 - 13:29

Hi,

In order to NAT just specific traffic through one tunnel, you should use Policy NAT.

Let us know if you can share more details to help you out.

Federico.

gmmassey25 Tue, 05/25/2010 - 13:38

Then I would require 2 commands in order to make this work, such as: access-list policy-nat extended permit ip (inside IP) 255.255.255.0 x.x.x.x (remote IP) 255.255.255.0

Then static (inside,outside) remote IP address access-list policy-nat

What else do you require as far as information?

Federico Coto F... Tue, 05/25/2010 - 13:45

Actually that's what you need.

Since the ASA has an order in the NAT checking, make sure there's no NAT exemption or static NATs for those IPs, so that the Policy NAT will work.

Federico.

gmmassey25 Tue, 05/25/2010 - 14:14

There is a NAT exemption for outbound traffic on this particular interface.

hdashnau Tue, 05/25/2010 - 14:33

The NAT exemption in the outbound direction won't matter unless it specifically overlaps.

For example, say your L2L is between 192.168.1.0 (local) and 192.168.2.0 (remote)...

Policy NAT:

access-list policynat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 1 access-list policynat

global (outside) 1 4.4.4.4

NAT exemption that would break this policy NAT:

access-list nonat permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 0 access-list nonat

*Destination is any, so that matches our remote 192.168.2.0 255.255.255.0 and would take priority because it's a NAT exemption.

NAT exemption which would have no effect on this traffic:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list nonat

*Destination is 192.168.3.0, so that does not match our remote 192.168.2.0 255.255.255.0, and this NAT exemption would have no effect on our policy NAT.

Hope this helps clear things up,

-heather
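A small model of the NAT lookup order heather describes, added here as an example and not part of the thread or of any Cisco tool: it assumes the pre-8.3 ASA order in which the nat 0 exemption is evaluated before the policy nat (inside) 1 rule, represents ACL entries as (source, destination) tuples of its own devising, and adds an overlap check a practitioner could run before adding an exemption.

```python
import ipaddress

# Simplified ASA (pre-8.3) NAT lookup: nat 0 access-list (exemption) is
# checked before the policy "nat (inside) 1 access-list" rule, which is why
# an overlapping exemption silently shadows policy NAT. Rule tuples below
# are this example's own representation, not ASA syntax.

def _nets_overlap(a, b):
    """True if two networks share any address ('any' overlaps everything)."""
    if a == "any" or b == "any":
        return True
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def _ace_matches(ace, src, dst):
    """ace = (src_net, dst_net); does a src->dst flow hit this entry?"""
    src_net, dst_net = ace
    src_ok = src_net == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
    dst_ok = dst_net == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
    return src_ok and dst_ok

def nat_decision(exempt_acl, policy_acl, global_ip, src, dst):
    """Return (action, translated_src) for one flow, in ASA lookup order."""
    for ace in exempt_acl:                      # nat (inside) 0 access-list nonat
        if _ace_matches(ace, src, dst):
            return ("exempt", src)              # untranslated; policy NAT never consulted
    for ace in policy_acl:                      # nat (inside) 1 access-list policynat
        if _ace_matches(ace, src, dst):
            return ("policy-nat", global_ip)    # global (outside) 1 <ip>
    return ("no-rule", src)

def overlapping_exemptions(exempt_acl, policy_acl):
    """Audit check: exemption entries that shadow a policy NAT entry."""
    return [(e, p) for e in exempt_acl for p in policy_acl
            if _nets_overlap(e[0], p[0]) and _nets_overlap(e[1], p[1])]

# Constructed sample mirroring the thread: local 192.168.1.0/24, remote 192.168.2.0/24
POLICY_ACL = [("192.168.1.0/24", "192.168.2.0/24")]     # access-list policynat
GLOBAL_IP = "4.4.4.4"                                    # global (outside) 1 4.4.4.4
BROKEN_NONAT = [("192.168.1.0/24", "any")]               # destination any: shadows policy NAT
HARMLESS_NONAT = [("192.168.1.0/24", "192.168.3.0/24")]  # other site: no overlap

if __name__ == "__main__":
    flow = ("192.168.1.10", "192.168.2.20")
    print("broken nonat  :", nat_decision(BROKEN_NONAT, POLICY_ACL, GLOBAL_IP, *flow))
    print("harmless nonat:", nat_decision(HARMLESS_NONAT, POLICY_ACL, GLOBAL_IP, *flow))
    print("shadowing     :", overlapping_exemptions(BROKEN_NONAT, POLICY_ACL))
```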

hdashnau Tue, 05/25/2010 - 16:12

P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!

gmmassey25 Wed, 05/26/2010 - 09:48

I have run into the same problem with another site and am trying to have them test a tunnel while utilizing the nat policy commands.

I will let you know what actually worked as soon as I can get the second company to commit to establishing a tunnel.
