Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

VPN NAT Overlap subnets remote ASA interface does not reply

Hello all,

Not really a big problem, but not knowing the answer is killing me.  This is what I have:

Host 1 <-> ASA 5505 <-> VPN connection<-> ASA5510 <-> Host 2

Both hosts can reach each other without issues.  Ping, connect, no problem. 

The problem is when one of the hosts trys to reach the inside interface of the remote ASA.  E.g. Host 1 trying to ping ASA5510 inside interface.  Again Host 1 and 2 have the same subnet address of 10.1.1.0/24.  I have configured the ASA 5505 to do the the NAT translations. 

Here is the ASA 5505 config (the parts that matter):

ASA Version 8.2(5)

!

hostname ASA5505

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.100.102 255.255.255.252

!

access-list vpnACL extended permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list VPNnat extended permit ip 10.1.1.0 255.255.255.0 10.1.30.0 255.255.255.0

access-list outacl extended permit icmp any any

!

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.1.20.0  access-list VPNnat

static (outside,inside) 10.1.30.0 10.1.1.0 netmask 255.255.255.0

!

access-group outacl in interface outside

!

route outside 0.0.0.0 0.0.0.0 192.168.100.101 1

!

crypto ipsec transform-set phase2 esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address vpnACL

crypto map outside_map 10 set peer 172.16.14.50

crypto map outside_map 10 set transform-set phase2

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

!

management-access inside

!

tunnel-group 172.16.14.50 type ipsec-l2l

tunnel-group 172.16.14.50 ipsec-attributes

pre-shared-key *****

Here is the 5510 config:

: Saved

:

ASA Version 8.4(3)

!

hostname ASA5510

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 172.16.14.50 255.255.255.252

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

object network insidehosts

subnet 10.1.1.0 255.255.255.0

object network Site443

subnet 10.1.20.0 255.255.255.0

!

access-list VPNacl extended permit ip object insidehosts object outsidehosts

access-list outacl extended permit icmp any any

!

nat (inside,outside) source static insidehosts insidehosts destination static Site443 Site443

!

access-group outacl in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.14.49 1

!

crypto ipsec ikev1 transform-set phase2p esp-aes esp-sha-hmac

crypto map outside_map 69 match address VPNacl

crypto map outside_map 69 set peer 192.168.100.102

crypto map outside_map 69 set ikev1 transform-set phase2p

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

!

management-access inside

!

tunnel-group 192.168.100.102 type ipsec-l2l

tunnel-group 192.168.100.102 ipsec-attributes

ikev1 pre-shared-key *****

Again, this configuration works for all hosts on both subnets.  Except when hosts tries to ping the remote ASA's inside interface.

e.g. Host 1@10.1.1.50 pings/telnet to ASA2@10.1.30.1 fails.

Can anyone clue me as to why not? 

Thanks for the time and support,

Nick

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

VPN NAT Overlap subnets remote ASA interface does not reply

NAT won't work on the ASA interfaces itself. NAT will only work for traffic passing through the ASA.

3 REPLIES
Highlighted
Cisco Employee

VPN NAT Overlap subnets remote ASA interface does not reply

NAT won't work on the ASA interfaces itself. NAT will only work for traffic passing through the ASA.

New Member

VPN NAT Overlap subnets remote ASA interface does not reply

Thanks Jennifer for the reply.  Is that just an ASA rule?  Or is there more of a technical reason why not?  Because I see using debug icmp trace, the at ASA's receive the ICMP requests.  But the ASA does not reply. 

Again thanks for the reply.

Nick

Cisco Employee

VPN NAT Overlap subnets remote ASA interface does not reply

Yes, you are absolutely correct. It is by design the ASA interface will not get NATed.

980
Views
0
Helpful
3
Replies
CreatePlease to create content