Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
638
Views
0
Helpful
4
Replies

Site-to-Site VPN NAT question

billybjo1
Level 3
Level 3

‎10-01-2010 05:46 AM

I have a setup whereby there is a central ASA, and 2 remote sites.

This is hub and spoke, where there are only VPNs between the central site and remotes, not remote to remote.

The remotes communicate with each other also using "intra-interface".

Because of a subnet overlap between the 2 remotes, I need to NAT the traffic at the central site before the hairpin back out (between remotes).

Is it possible and how would I acheive that (NAT the incoming traffic from a remote VPN, before passing back out the other remote VPN)?

thanks.

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎10-01-2010 06:16 AM

Since the 2 remote LANs are having the same subnets, you would need to perform the NATing on the remote site, not on the central ASA.

Example:

Site A: 192.168.10.0/24 --> NAT to 192.168.20.0/24

Site B: 192.168.10.0/24 --> NAT to 192.168.30.0/24

On site A:

access-list vpn-nat permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

static (inside,outside) 192.168.20.0 access-list vpn-nat

On site B:

access-list vpn-nat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

static (inside,outside) 192.168.30.0 access-list vpn-nat

Crypto ACL also needs to be changed to the NATed subnets.

Hope that helps.

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee

‎10-01-2010 06:19 AM

hi if i undersatnd you right this is what you have

head end network: A

remote site 1: B

remote site 2 : B

so the first problem you will encounter is as to how you will diffrentitae site 1 and site 2 for tunnel with A, so i assume  you did it by natting one of the remote networks to C

for example

remote site 1 natted : C

so you have 2 tunnels A-C and A-B

you basically what you are doing is natting enotre B to C before sending it out in the tunnel

this will solve the problem of having tunnel between A-B(C or Site 1) and A-B(site 2)

now to have site 1 and site 2 talk to each other

all you need is same-security permit intra-interface

hope it helps

0 Helpful

billybjo1
Level 3
Level 3
In response to Jitendriya Athavale

‎10-01-2010 06:48 AM

I'd better explain further.

Head end - Site A  (subnets in range 10.1.0.0)

Remote 1 - Site B (subnets in range 10.2.0.0)

Remote 2 - Site C (subnets in range 10.3.0.0)

It turns out that Site B also has internal subnets of 10.3.0.0.

Site B's 10.3.0.0 don't need to communicate down the VPNs, but Site C has a need to communicate with Site B. Hence it won't route properly if we send Site C down the VPN as 10.3.0.0.

There are potentially others sites coming online with similar problems.

So basically I was trying to establish if it was possible at Site A to NAT Site Cs range before sending onto Site B (communication is always initiated from Site C). When I look in ASDM it asks for the originating interface as part of the NAT parameters. In this case it would be the Outside, but given the traffic is going back out of that interface (albiet down a VPN) I'm just not sure if this is possible.

Sorry not an ideal setup, but I have taken it over and for various reasons we can't have to hub & spoke the VPNs.

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to Jitendriya Athavale

‎10-01-2010 07:02 AM

sorry forgot to mention u need to nat site 2 to something like D too

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents