NAT question

agent2007
Level 1

Hi

I have 2 offices (primary site and DR site) with an ASA 5505 in each. From the primary site I have a VPN configured to a third party site. The 3rd party site also has an ASA 5505. There is a NAT pool configured on the 3rd party ASA which NATs the main site's IP range to 10.94.0.0/24 and then it gets routed to its destination.

Primary site - 192.168.192.0/22

DR Site - 192.168.10.0/24

Third Party - 10.10.10.0

I want to configure the DR ASA to terminate a VPN to the 3rd party site also but if I try to use the 10.94.0.0/24 NAT pool the ASA will not support it.

So my question: do I have to configure a different NAT pool for this to work, or is there some piece of magic I can do to utilise the existing NAT pool?

The reason the NAT pool has to be there is because to access the services on that site the source address must be from the 10.94 pool.

Hope that makes sense.

3 Replies

Hi,

I'm sorry but I don't think that I understand your question.

You have a problem with NAT because it will overlap?

To get around overlapping you can use VRF-aware IPsec.

If you provide a sample drawing or explain a little bit more clearly, we can help you out.

Federico.

You cannot assign a NAT pool to different encryption domains.

The main site is being NATted to an IP pool in the 3rd party site.

The DR site cannot be NATted as the NAT pool can't be assigned to more than one subnet.

I have asked the 3rd party provider for another subnet that I can use to NAT the DR site to, but they won't give me one, so I need to figure out a way around this.

I'm not sure there is one.

VRF-aware IPsec sounds interesting. Would you mind telling me a bit more about it?

Many thanks

VRF is a way to have more than one routing table on the router independent from each other.

So, it allows overlapping addresses on different VRF tables.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec.html

Federico.
