330 Views, 0 Helpful, 1 Reply

NAT issues with overlapping subnets - ASA 8.2

Nathan Farrar
Level 1

I'm having some trouble sorting out an issue. It seems to be a pretty straightforward overlapping subnet issue but I can't seem to get it to work properly.

At site A I have the 10.0.0.0/24 network. This network needs to be able to communicate with site B on its 10.20.30.0/24 network through an ASA. Fine so far. The issue is that at site B there is a 10.0.0.0/24 network, so return traffic will get routed incorrectly.

I figured it would be easier to configure site A to NAT the addresses prior to going over the tunnel, but I don't have access to site A. I only have access to the ASA between site A and site B.

It's obvious that I need to NAT the entire range of addresses.

I'll create a static route at site B to point back to the ASA (since it isn't attached directly to the ASA, it's behind another router in the network) and I'll use a NAT space of 192.168.100.0/24 for that route. What is the proper flow of commands to get this to work? I want to receive the 10.0.0.0/24 network via the VPN and then NAT the addresses to 192.168.100.0/24, which will route over to site B. Return traffic will come back into the ASA from 192.168.100.0/24 and get NAT'd back to the 10.0.0.0/24 network on the same address that it was NAT'd from to begin with.


I've tried a couple of different configurations based on what I found in Cisco and online but I can't seem to get it to work. I was able to get it to work where the NAT was working incoming (10.0.0.0/24 -> 192.168.100.0/24) but not in the reverse direction.

Does this look right?


access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.20.30.0 255.255.255.0

static (inside,outside) 192.168.100.0 access-list policy-nat


But what about the return traffic? Will this take care of that automatically? Is the (inside,outside) correct, or would it be (outside,inside)?

Thanks for your thoughts.


I've used the following links for research:

http://resources.intenseschool.com/l2l-vpn-on-cisco-asa-with-overlapping-addresses-access-to-both-asas/

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
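The following is an added worked example, not code from the post or from Cisco: a small Python model of the network static policy NAT quoted above. It assumes the post's addresses (real 10.0.0.0/24 arriving over the VPN, mapped 192.168.100.0/24, policy destination 10.20.30.0/24) and a constructed site B routing table (its own overlapping 10.0.0.0/24, 10.20.30.0/24, and the static route for 192.168.100.0/24 pointing at the ASA). It shows why a one-to-one network static handles return traffic on its own (host bits are preserved and the same translation is applied in reverse), reproduces the misrouting that happens without the NAT, and adds the pre-deployment check that the mapped range does not collide with anything routed locally at site B.

```python
import ipaddress

# Constructed model (added example, not Cisco code) of the ASA 8.2 policy NAT
# quoted in the post:
#   access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.20.30.0 255.255.255.0
#   static (...) 192.168.100.0 access-list policy-nat
# A network static is a one-to-one mapping: host bits are preserved and the
# same translation is applied in both directions, so replies are un-translated
# without any further configuration.

REAL_NET = ipaddress.ip_network("10.0.0.0/24")         # site A hosts arriving over the VPN
MAPPED_NET = ipaddress.ip_network("192.168.100.0/24")  # what site B sees for them
SITE_B_NET = ipaddress.ip_network("10.20.30.0/24")     # destination in the policy ACL

# Constructed site B routing table: prefix -> next hop label. Site B's own
# 10.0.0.0/24 is the overlap; 192.168.100.0/24 is the static route back to the ASA.
SITE_B_ROUTES = {
    ipaddress.ip_network("10.0.0.0/24"): "site-b-lan",
    SITE_B_NET: "site-b-lan",
    MAPPED_NET: "asa",
}


def policy_matches(src, dst):
    """The policy ACL: permit ip REAL_NET -> SITE_B_NET."""
    return src in REAL_NET and dst in SITE_B_NET


def translate_forward(src, dst):
    """Packet from the VPN towards site B: rewrite the source if the policy matches.
    Returns (src, dst) as strings; non-matching packets pass through unchanged."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if policy_matches(src, dst):
        host = int(src) - int(REAL_NET.network_address)   # keep the host part
        src = MAPPED_NET.network_address + host
    return str(src), str(dst)


def translate_reverse(src, dst):
    """Reply from site B towards a mapped address: undo the translation on the
    destination. Only the mirror image of the policy is un-translated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in SITE_B_NET and dst in MAPPED_NET:
        host = int(dst) - int(MAPPED_NET.network_address)
        dst = REAL_NET.network_address + host
    return str(src), str(dst)


def site_b_next_hop(dst):
    """Longest-prefix match in the constructed site B routing table, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [net for net in SITE_B_ROUTES if dst in net]
    return SITE_B_ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None


def reply_reaches_site_a(src, dst, nat_enabled=True):
    """Simulate a request and its reply. True when site B's router sends the
    reply back to the ASA and, after un-translation, it is addressed to the
    original site A host."""
    m_src, m_dst = translate_forward(src, dst) if nat_enabled else (src, dst)
    # Site B's router decides where the reply (addressed to m_src) goes before
    # the ASA ever sees it; an untranslated 10.0.0.x reply stays in site B's LAN.
    if site_b_next_hop(m_src) != "asa":
        return False
    r_src, r_dst = translate_reverse(m_dst, m_src) if nat_enabled else (m_dst, m_src)
    return r_src == dst and r_dst == src


def mapped_range_is_safe():
    """Pre-deployment check: the mapped range must be as large as the real range
    (one-to-one) and must not overlap any prefix routed locally inside site B."""
    same_size = MAPPED_NET.prefixlen == REAL_NET.prefixlen
    clashes = [str(net) for net, hop in SITE_B_ROUTES.items()
               if hop != "asa" and MAPPED_NET.overlaps(net)]
    return same_size and not clashes


if __name__ == "__main__":
    print(translate_forward("10.0.0.25", "10.20.30.7"))
    print(translate_reverse("10.20.30.7", "192.168.100.25"))
    print("with NAT:", reply_reaches_site_a("10.0.0.25", "10.20.30.7"))
    print("without NAT:", reply_reaches_site_a("10.0.0.25", "10.20.30.7", nat_enabled=False))
    print("mapped range safe:", mapped_range_is_safe())
```

The model deliberately leaves interface names out: it only captures which addresses are rewritten and in which direction, which is the part of the question ("will return traffic be taken care of?") that a one-to-one static answers. Whether the static is written (inside,outside) or (outside,inside) depends on which ASA interface the real 10.0.0.0/24 addresses appear on, and that is not something the model decides.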

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

Yes, this should take care of the return traffic also.

Did you make the required changes to the Crypto ACL as well?

Thanks and Regards,

Vibhor Amrodia
