I'm having some trouble sorting out an issue. It seems to be a pretty straightforward overlapping subnet issue but I can't seem to get it to work properly.
At site A I have the 10.0.0.0/24 network. This network needs to be able to communicate with site B on its 10.20.30.0/24 network through an ASA. Fine so far. The issue is that at site B there is a 10.0.0.0/24 network so return traffic will get routed incorrectly.
I figured it would be easier to configure site A to NAT the addresses prior to going over the tunnel but I don't have access to site A. I only have access to the ASA between site A and site B.
It's obvious that I need to NAT the entire range of addresses.
I'll create a static route at site B to point back to the ASA (since it isn't attached directly to the ASA, it's behind another router in the network) and I'll use a NAT space of 192.168.100.0/24 for that route. What is the proper flow of commands to get this to work? I want to receive the 10.0.0.0/24 network via the VPN and then NAT the addresses to 192.168.100.0/24 which will route over to site B. Return traffic will come back into the ASA from 192.168.100.0/24 and get NAT'd back to the 10.0.0.0/24 network on the same address that it was NAT'd from to begin with.
I've tried a couple of different configurations based on what I found in Cisco and online but I can't seem to get it to work. I was able to get it to work where the NAT was working incoming (10.0.0.0/24 -> 192.168.100.0/24) but not in the reverse direction.
Does this look right?
access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.20.30.0 255.255.255.0
static (inside,outside) 192.168.100.0 access-list policy-nat
But what about the return traffic? Will this take care of that automatically? Is the (inside,outside) correct or would it be (outside,inside)?
Thanks for your thoughts.
I've used the following links for research:
http://resources.intenseschool.com/l2l-vpn-on-cisco-asa-with-overlapping-addresses-access-to-both-asas/
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
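Added example, not from the original post: the translation described above written out in ASA pre-8.3 syntax (the same style as the static/access-list pair in the post), followed by the 8.3-and-later twice NAT equivalent. Because the real 10.0.0.0/24 addresses arrive on the ASA through the tunnel on the outside interface and must appear to site B as 192.168.100.0/24, the static is placed in the (outside,inside) direction. The interface names, the assumption that the tunnel terminates on the outside interface, and the object names in the second half are assumptions; the address ranges and the access-list are the ones from the post.

```text
! Constructed example: outside policy NAT on an ASA running pre-8.3 code.
!
! Real site A sources (10.0.0.0/24, arriving on outside through the VPN)
! talking to site B (10.20.30.0/24) ...
access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.20.30.0 255.255.255.0
!
! ... are presented to the inside as 192.168.100.0/24.  "static" is
! bidirectional: an inside host replying to 192.168.100.x has the destination
! untranslated to 10.0.0.x before the packet is encrypted, so the crypto ACL
! for the site A tunnel keeps matching on the real 10.0.0.0/24 addresses.
static (outside,inside) 192.168.100.0 access-list policy-nat
!
! Equivalent on ASA 8.3 and later (twice NAT with network objects; the
! object names are assumed):
object network SITEA-REAL
 subnet 10.0.0.0 255.255.255.0
object network SITEA-MAPPED
 subnet 192.168.100.0 255.255.255.0
object network SITEB-NET
 subnet 10.20.30.0 255.255.255.0
nat (outside,inside) source static SITEA-REAL SITEA-MAPPED destination static SITEB-NET SITEB-NET
```

Two things to verify after applying it: the router in front of site B must route 192.168.100.0/24 to the ASA's inside interface (the static route mentioned in the post), and `show xlate` on the ASA should list 10.0.0.x to 192.168.100.x entries once traffic flows; `packet-tracer input inside tcp 10.20.30.10 1024 192.168.100.10 80` (constructed addresses) will show the untranslate and the VPN encrypt phases for the return direction without needing live traffic.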