Site-to-Site VPN NAT question

Unanswered Question
Oct 1st, 2010

I have a setup whereby there is a central ASA, and 2 remote sites.

This is hub and spoke, where there are only VPNs between the central site and remotes, not remote to remote.

The remotes communicate with each other also using "intra-interface".

Because of a subnet overlap between the 2 remotes, I need to NAT the traffic at the central site before the hairpin back out (between remotes).

Is it possible and how would I acheive that (NAT the incoming traffic from a remote VPN, before passing back out the other remote VPN)?

thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Fri, 10/01/2010 - 06:16

Since the 2 remote LANs are having the same subnets, you would need to perform the NATing on the remote site, not on the central ASA.

Example:

Site A: 192.168.10.0/24 --> NAT to 192.168.20.0/24

Site B: 192.168.10.0/24 --> NAT to 192.168.30.0/24

On site A:

access-list vpn-nat permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

static (inside,outside) 192.168.20.0 access-list vpn-nat

On site B:

access-list vpn-nat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

static (inside,outside) 192.168.30.0 access-list vpn-nat

Crypto ACL also needs to be changed to the NATed subnets.

Hope that helps.

Jitendriya Athavale Fri, 10/01/2010 - 06:19

hi if i undersatnd you right this is what you have

head end network: A

remote site 1: B

remote site 2 : B

so the first problem you will encounter is as to how you will diffrentitae site 1 and site 2 for tunnel with A, so i assume  you did it by natting one of the remote networks to C

for example

remote site 1 natted : C

so you have 2 tunnels A-C and A-B

you basically what you are doing is natting enotre B to C before sending it out in the tunnel

this will solve the problem of having tunnel between A-B(C or Site 1) and A-B(site 2)

now to have site 1 and site 2 talk to each other

all you need is same-security permit intra-interface

hope it helps

billybjo1 Fri, 10/01/2010 - 06:48

I'd better explain further.

Head end - Site A  (subnets in range 10.1.0.0)

Remote 1 - Site B (subnets in range 10.2.0.0)

Remote 2 - Site C (subnets in range 10.3.0.0)

It turns out that Site B also has internal subnets of 10.3.0.0.

Site B's 10.3.0.0 don't need to communicate down the VPNs, but Site C has a need to communicate with Site B. Hence it won't route properly if we send Site C down the VPN as 10.3.0.0.

There are potentially others sites coming online with similar problems.

So basically I was trying to establish if it was possible at Site A to NAT Site Cs range before sending onto Site B (communication is always initiated from Site C). When I look in ASDM it asks for the originating interface as part of the NAT parameters. In this case it would be the Outside, but given the traffic is going back out of that interface (albiet down a VPN) I'm just not sure if this is possible.

Sorry not an ideal setup, but I have taken it over and for various reasons we can't have to hub & spoke the VPNs.

Actions

This Discussion