10-01-2010 05:46 AM
I have a setup whereby there is a central ASA, and 2 remote sites.
This is hub and spoke, where there are only VPNs between the central site and remotes, not remote to remote.
The remotes communicate with each other also using "intra-interface".
Because of a subnet overlap between the 2 remotes, I need to NAT the traffic at the central site before the hairpin back out (between remotes).
Is it possible, and how would I achieve that (NAT the incoming traffic from a remote VPN before passing it back out the other remote VPN)?
thanks.
10-01-2010 06:16 AM
Since the 2 remote LANs are having the same subnets, you would need to perform the NATing on the remote site, not on the central ASA.
Example:
Site A: 192.168.10.0/24 --> NAT to 192.168.20.0/24
Site B: 192.168.10.0/24 --> NAT to 192.168.30.0/24
On site A:
access-list vpn-nat permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
static (inside,outside) 192.168.20.0 access-list vpn-nat
On site B:
access-list vpn-nat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
static (inside,outside) 192.168.30.0 access-list vpn-nat
Crypto ACL also needs to be changed to the NATed subnets.
Hope that helps.
10-01-2010 06:19 AM
Hi, if I understand you right, this is what you have:
head end network: A
remote site 1: B
remote site 2: B
So the first problem you will encounter is how you will differentiate site 1 and site 2 for the tunnel with A, so I assume you did it by NATing one of the remote networks to C.
For example:
remote site 1 NATed: C
So you have 2 tunnels, A-C and A-B.
Basically what you are doing is NATing the entire B to C before sending it out in the tunnel.
This will solve the problem of having a tunnel between A-B (C or site 1) and A-B (site 2).
Now, to have site 1 and site 2 talk to each other, all you need is same-security permit intra-interface.
Hope it helps.
10-01-2010 06:48 AM
I'd better explain further.
Head end - Site A (subnets in range 10.1.0.0)
Remote 1 - Site B (subnets in range 10.2.0.0)
Remote 2 - Site C (subnets in range 10.3.0.0)
It turns out that Site B also has internal subnets of 10.3.0.0.
Site B's 10.3.0.0 don't need to communicate down the VPNs, but Site C has a need to communicate with Site B. Hence it won't route properly if we send Site C down the VPN as 10.3.0.0.
There are potentially others sites coming online with similar problems.
So basically I was trying to establish if it was possible at Site A to NAT Site C's range before sending it on to Site B (communication is always initiated from Site C). When I look in ASDM it asks for the originating interface as part of the NAT parameters. In this case it would be the Outside, but given the traffic is going back out of that interface (albeit down a VPN) I'm just not sure if this is possible.
Sorry, not an ideal setup, but I have taken it over and for various reasons we can't have to hub & spoke the VPNs.
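As an added example (not from the thread or from the ASA), a small Python check that ties the policy-NAT recipe in the reply above to the topology described in this clarification: it flags any overlap between what one spoke presents over the VPN and what another spoke really owns, then emits the pre-8.3 `static`/access-list lines in the reply's shape for a translated spoke. The `local` key, the `crypto-<site>` ACL name and the 10.4.0.0/16 translation for Site C are assumptions.

```python
import ipaddress
from itertools import combinations

def nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def presented(site):
    """Prefixes a spoke shows to the other spokes: its NAT range when it is
    translated, otherwise the LAN prefixes it advertises over the VPN."""
    return nets([site["nat"]]) if site.get("nat") else nets(site["lan"])

def nat_conflicts(sites):
    """(x, y) pairs where a prefix one spoke presents overlaps anything the
    other really has (advertised, local-only or presented), so the other
    side cannot route it back over the VPN. Checked in both directions."""
    bad = []
    for x, y in combinations(sites, 2):
        for a, b in ((x, y), (y, x)):
            real_b = nets(sites[b]["lan"] + sites[b].get("local", []))
            if any(p.overlaps(q) for p in presented(sites[a])
                   for q in real_b + presented(sites[b])):
                bad.append((x, y))
                break
    return bad

def asa_nat_config(sites, name):
    """Pre-8.3 policy-NAT lines for one spoke in the shape of the reply above:
    one vpn-nat permit per peer, the static that applies it, then the crypto
    ACL entries, which must carry the translated subnets."""
    me, peers, lines = sites[name], [p for p in sites if p != name], []
    if me.get("nat"):
        for local in nets(me["lan"]):
            for remote in (r for p in peers for r in presented(sites[p])):
                lines.append(f"access-list vpn-nat permit ip {local.network_address} "
                             f"{local.netmask} {remote.network_address} {remote.netmask}")
        lines.append(f"static (inside,outside) "
                     f"{ipaddress.ip_network(me['nat']).network_address} access-list vpn-nat")
    for mine in presented(me):
        for remote in (r for p in peers for r in presented(sites[p])):
            lines.append(f"access-list crypto-{name} permit ip {mine.network_address} "
                         f"{mine.netmask} {remote.network_address} {remote.netmask}")
    return lines

# Constructed topology following the clarification: spoke B advertises
# 10.2.0.0/16 but also owns a local-only 10.3.0.0/16; spoke C's LAN is
# 10.3.0.0/16 as well. FIXED translates C to a hypothetical 10.4.0.0/16.
SITES = {"B": {"lan": ["10.2.0.0/16"], "local": ["10.3.0.0/16"]},
         "C": {"lan": ["10.3.0.0/16"]}}
FIXED = {"B": SITES["B"], "C": {"lan": ["10.3.0.0/16"], "nat": "10.4.0.0/16"}}
```

`nat_conflicts(SITES)` reports the B/C clash and `nat_conflicts(FIXED)` is empty; `asa_nat_config(FIXED, "C")` gives the lines Site C would need.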
10-01-2010 07:02 AM
Sorry, forgot to mention you need to NAT site 2 to something like D too.