Source NAT Configuration

pootboy69
Level 1

I need to set up a VPN tunnel to a remote site.  Both our location and the remote location use the 10.x.y.z address scheme.  The remote end offered up a 172.16.6.0/27 net for a destination network.  How do I configure the ASA5510 on my side to create the tunnel as if it were coming from the 172.16.6.0/27 network?  Our subnets are 10.10.20.0/24, 10.10.30.0/24, and 10.2.1.0/24.  I already have a network object group containing these networks.  I've created many VPNs in the past, but this is the first time I've had to contend with destination subnets that overlap ours.  Thanx!

Regards,

Wolf


3 Replies

If both sides overlap, you can NAT the subnet on both sides.

You translate one side to subnet A and the other side to subnet B, so the communication is established between subnets A and B.

The easiest way to do this is to translate the source address (this means the NAT is done on the source VPN device, not on the terminating device).

In other words, if your ASA needs to see the remote overlapping 10.x.x.x as 172.16.x.x, it's better that you NAT on the other end.

Federico.

Thanx, Federico!  Since this tunnel will be bi-directional, it looks like I'll have to NAT at both ends, correct?

Regards,

Wolf

Accepted Solution

You have to NAT on both ends, the reason being:


Site A LAN 10.1.1.0/24

Site B LAN 10.1.1.0/24

If you establish the tunnel between both sites it will come up.

But, when Site A 10.1.1.x tries to talk to 10.1.1.y on the other side, it will think the traffic should stay locally and not send it through the tunnel.

If you only NAT on Site A, for example, so that Site A is translated to 10.2.2.0/24,

then Site A will still originate a packet destined to 10.1.1.y to reach the other side of the tunnel, and the same thing will happen.

This is why you should NAT on both ends.

Federico.
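The two-sided translation Federico describes (in the accepted reply above and in his first reply) written out as an ASA configuration. This is an added example, not configuration from the thread or from either poster. It assumes ASA 8.4+ twice-NAT syntax (an ASA 5510 on an 8.2 image would use the older `static`/policy-NAT form instead), uses Federico's illustrative addresses (both LANs 10.1.1.0/24, Site A presented as 10.2.2.0/24) plus an assumed 10.3.3.0/24 as Site B's mapped range, hypothetical object, ACL and crypto-map names, and documentation peer addresses 203.0.113.2 (Site A) and 198.51.100.2 (Site B). IKE policy, `crypto ikev1 enable`, and the tunnel-group with its pre-shared key are omitted; they are the same as for any site-to-site tunnel.

```cisco
! ---------------- Site A ASA (8.4+ syntax; object/ACL names are hypothetical) ----------------
! Real LAN 10.1.1.0/24 (identical to Site B's). Site A hosts reach Site B by
! addressing Site B's MAPPED range 10.3.3.0/24; Site B sees Site A as 10.2.2.0/24.
object network SITEA-REAL
 subnet 10.1.1.0 255.255.255.0
object network SITEA-MAPPED
 subnet 10.2.2.0 255.255.255.0
object network SITEB-MAPPED
 subnet 10.3.3.0 255.255.255.0

! Twice NAT (section 1, line 1): translate the source 1:1 only when the destination
! is Site B's mapped range. The destination object is repeated (identity) so
! 10.3.3.x passes through unchanged. Keep this rule above any general dynamic PAT.
nat (inside,outside) 1 source static SITEA-REAL SITEA-MAPPED destination static SITEB-MAPPED SITEB-MAPPED no-proxy-arp route-lookup

! The ASA translates before it encrypts, so the crypto ACL matches POST-NAT addresses.
access-list VPN-TO-SITEB extended permit ip object SITEA-MAPPED object SITEB-MAPPED

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
! (crypto ikev1 enable outside, an ikev1 policy, and tunnel-group 198.51.100.2
!  with its pre-shared key are also required; omitted here.)

! ---------------- Site B ASA: mirror image ----------------
object network SITEB-REAL
 subnet 10.1.1.0 255.255.255.0
object network SITEB-MAPPED
 subnet 10.3.3.0 255.255.255.0
object network SITEA-MAPPED
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) 1 source static SITEB-REAL SITEB-MAPPED destination static SITEA-MAPPED SITEA-MAPPED no-proxy-arp route-lookup
access-list VPN-TO-SITEA extended permit ip object SITEB-MAPPED object SITEA-MAPPED
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEA
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
! (transform-set, interface binding, IKE policy and tunnel-group as on Site A)

! ---------------- Verification on Site A ----------------
! Simulate Site A host 10.1.1.10 opening HTTPS to Site B host 10.1.1.20, which it
! must address as 10.3.3.20. Expect a NAT phase showing 10.1.1.10 -> 10.2.2.10,
! then a VPN "encrypt" phase, and a final result of ALLOW.
packet-tracer input inside tcp 10.1.1.10 12345 10.3.3.20 443
show nat detail
show crypto ipsec sa peer 198.51.100.2
```

Two points worth checking before applying this to the original question. First, the static net-to-net rules above require the real and mapped ranges to be the same size; the 172.16.6.0/27 offered by the remote end holds 32 addresses and cannot carry three /24s one-to-one. Fitting them into the /27 means a dynamic rule (`source dynamic <local-nets> <mapped-pool> destination static <remote> <remote>`), which only works for connections initiated from the local side, so for the bi-directional tunnel Wolf wants, a mapped range at least as large as the real networks should be negotiated. Second, hosts at each site must be told to use the other site's mapped addresses (in DNS or application configuration); nothing on the ASA can make a host send 10.1.1.y off-link.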