Overlapping internal IP address - SITE-TO-SITE VPN

Jul 8th, 2010

I'm trying to set up a site-to-site tunnel between an ASA and a Checkpoint NGX R62. Their internal hosts' IP range overlaps with our internal IP range. Unfortunately they're not offering to NAT on their side. Is it possible on the ASA to set up a NAT so that my internal hosts get NATed to the outside IP of the ASA? <---> ASA <-- Internet --> NGX R62 <--

Marcin Latosiewicz Thu, 07/08/2010 - 15:53
Cisco Employee


There is no problem not doing NAT exemption, which you normally do in case of typical NAT ... you know, those nat 0 access-list statements :-)

Remember that NAT is done before encryption - so you will need to change access-list in crypto too.

One thing you did not mention is:

How do I solve routing? I.e. traffic from your PC of wants to go to on the other side of the tunnel... I believe you will also need to NAT their subnet (even if it's identity NAT).

anuj.johri Thu, 07/08/2010 - 20:34

Hi Marcin,

This is what I have... wondering if this is correct.

Re: ASA conf

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer ( peer ip address)

crypto map outside_map 1 set transform-set ESP-3DES-SHA1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group ipsec-attributes

access-list  outside_1_cryptomap extended permit ip host (our external ip address) host ( ASA Internal ip address)

!--- NAT ACL

access-list policy-nat permit ip host  host

!-- Translations

static (outside,inside) netmask 0 0

static (inside,outside) access-list policy-nat

Pls chk this config and let me know....

Customer doesn't want to do any NATing on their end.

I'm also getting an error message when I do show crypto ipsec sa: "There are no ipsec sas"

Pls advise

Marcin Latosiewicz Fri, 07/09/2010 - 03:14
Cisco Employee


Let me reply like this.

Both sides need to have consistent access-lists matching what traffic is interesting for encryption, so I would say the ACL should be:

(assuming you want to PAT all traffic)

permit ip h

i.e. we want all traffic from our IP address of to go to which is the pool on the other side (also as seen by the other side).

Regarding NAT, it will look like this.

nat (inside) 101

global (outside) 101 (the IP address of interface/ so you will need most likely "interface" keyword)

Now we need to take care of us being able to communicate to external subnet.

You will need to mask it for internal users, sooo you can do something like

static (outside,inside) net

This way your users will think that they are communicating with subnet.

Now, I have not tested this; theory goes it can work (considering xlate lookup is done before routing). I cannot provide a guarantee because, as I understand it, it was never meant to work like that :-)

It's not a very nice configuration AND SHOULD BE AVOIDED and this used instead:

or use IPv6!

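To make the ordering point in the answer above concrete, here is an added Python model (not from the thread and not Cisco's code) of the two translations it proposes: the static (outside,inside) that hides the overlapping remote range behind a fake subnet, and the interface PAT, followed by the crypto ACL match on the post-translation addresses. All addresses, and the names LOCAL_LAN, REMOTE_REAL, REMOTE_FAKE and ASA_OUTSIDE, are constructed for the example, since the thread's own addresses did not survive on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (the thread's own addresses are not preserved on the page).
LOCAL_LAN = ipaddress.ip_network("10.1.1.0/24")        # our inside hosts
REMOTE_REAL = ipaddress.ip_network("10.1.1.0/24")      # their hosts: the same range (the overlap)
REMOTE_FAKE = ipaddress.ip_network("192.168.200.0/24") # what our users are told the remote side is
ASA_OUTSIDE = ipaddress.ip_address("203.0.113.10")     # ASA outside interface, used for PAT


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def translate_outbound(src, dst):
    """Apply the thread's two translations to an inside->outside packet.
    The xlate lookup runs before routing and encryption, so the crypto ACL has
    to be written against what this returns, not against what the host sent."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    if pkt.src not in LOCAL_LAN or pkt.dst not in REMOTE_FAKE:
        return None  # not tunnel traffic in this model (a real remote address looks local)
    # static (outside,inside) REMOTE_FAKE REMOTE_REAL: map the fake destination
    # back to the real, overlapping one, keeping the host part
    host = int(pkt.dst) - int(REMOTE_FAKE.network_address)
    real_dst = REMOTE_REAL.network_address + host
    # nat (inside) 101 LOCAL_LAN + global (outside) 101 interface: PAT the source
    return Packet(ASA_OUTSIDE, real_dst)


def crypto_acl_post_nat(pkt):
    """permit ip host ASA_OUTSIDE REMOTE_REAL: the ACL the answer recommends."""
    return pkt.src == ASA_OUTSIDE and pkt.dst in REMOTE_REAL


def crypto_acl_pre_nat(pkt):
    """permit ip LOCAL_LAN REMOTE_REAL: the ACL you get by forgetting NAT runs first."""
    return pkt.src in LOCAL_LAN and pkt.dst in REMOTE_REAL


def flow_is_encrypted(src, dst, acl=crypto_acl_post_nat):
    """True if traffic from src to dst, after translation, matches the crypto ACL."""
    post = translate_outbound(src, dst)
    return post is not None and acl(post)


if __name__ == "__main__":
    print(flow_is_encrypted("10.1.1.5", "192.168.200.7"))                      # True
    print(flow_is_encrypted("10.1.1.5", "192.168.200.7", crypto_acl_pre_nat))  # False
```

A packet sent straight to a real remote address (10.1.1.7 here) never qualifies, which is why the fake subnet is needed on our side as well.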

anuj.johri Fri, 07/09/2010 - 07:17

Hi Marcin,

Thanks for the quick response... I will use the website to create the tunnel. I had a question with regard to the config on the site.

global (outside) 1
nat (inside) 1 0 0

!--- The above statements will PAT the internet traffic
!--- except the VPN traffic using the IP address

Where is this IP coming from? Shouldn't it be ...? This is part of the PIX A config.

Marcin Latosiewicz Fri, 07/09/2010 - 08:33
Cisco Employee


Please be aware that this config is for both sides doing NAT at the same time - unlike the scenario you mentioned initially, unless the other side changed their opinion? Indeed, it seems fishy; the IP address does not belong anywhere.

Like in case of PIX-B I'm pretty sure it should have been "interface".


anuj.johri Fri, 07/09/2010 - 11:12

I will talk to them and see what they say.

On another note... am I getting this error msg b/c the tunnel is down: "there are no ipsec sas"?

Marcin Latosiewicz Fri, 07/09/2010 - 12:44
Cisco Employee


That's not an error message. It's just an indication that Phase 2 was not established fully.


anuj.johri Mon, 07/12/2010 - 14:13

Thanks Marcin

I will give this a try... I'm still waiting for the customer to call me back 

anuj.johri Wed, 07/21/2010 - 08:39

Hey Marcin,

Finally the customer got back to me...

I'm trying to set up the tunnel using the

PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example


but I had a quick question

Correct me if I'm wrong, but isn't this access-list incorrect?

access-list policy-nat extended permit ip

static (inside,outside)  access-list policy-nat

Shouldn't it be

access-list policy-nat extended permit ip

static (inside,outside)  access-list policy-nat

VPN traffic and translates the source ( to !--- for outbound VPN traffic

Pls advise.

