Cisco Support Community

overlapping lan segments S2S tunnels (the other end)

Is there any way to policy NAT incoming VPN S2S tunnel traffic? I know we can policy NAT outgoing traffic to send it over a tunnel as something else...

e.g.

my firewall: LAN segment 192.168.10.0/24

1st external firewall with S2S tunnel #1 back to my firewall: LAN 10.10.10.0/24

2nd external firewall with S2S tunnel #2 back to my firewall: LAN 10.10.10.0/24

If no changes can be made to the 1st and 2nd external firewalls, meaning we cannot get to at least one of them so that it policy NATs out as another subnet, is there anything we can do on "my firewall"? (any incoming NAT policy options, or routes over the tunnel peer IP, or something or other???)

And these would be Cisco ASAs, all three at least.

thank you!


Re: overlapping lan segments S2S tunnels (the other end)

Hi there


Yes, there is a way you can do it: policy-based static NAT. Please see the attached Cisco document in the reply.

I hope that helps.

Thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed


overlapping lan segments S2S tunnels (the other end)

Hi, I looked at the document, and thank you for responding! My scenario would be a little bit different though, wherein we have another PIX, say "pix-C", which in the PDF would also be using 10.1.0.0/24.

We couldn't make a 2nd policy NAT for pix-C. We couldn't have a 2nd source-and-destination ACL used for a 2nd policy map, as pix-A would not know which access-list to use...

I know another option is public IP to public IPs for the site-to-site, but that isn't always an option.

---

So, going by the PDF you attached, what if there was also a pix-C that is also using 10.1.0.0/24, and we cannot make configuration changes on pix-B or pix-C, only on pix-A... is there any way we can have the two site-to-sites, A to B and A to C, even though B and C both have 10.1.0.0/24?

Re: overlapping lan segments S2S tunnels (the other end)

"even though B and C both have 10.1.0.0/24 ?"

A policy static NAT must be done from either side, "B" or "C", to masquerade as if it has a different subnet, as shown in the document; it is a workable solution.

Thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed
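As an added example (not from the thread or the attached Cisco document), this is the policy static NAT the reply describes, applied on pix-B so that its 10.1.0.0/24 LAN is presented to pix-A as a constructed 10.2.0.0/24, while pix-C keeps 10.1.0.0/24 and pix-A can then match the two tunnels on distinct crypto ACLs. The mapped subnet 10.2.0.0/24, the 203.0.113.x peer addresses, and all ACL, object and crypto map names are assumptions; ISAKMP policy and tunnel-group configuration are omitted.

```cisco
! pix-B, ASA 8.2 and earlier: real LAN 10.1.0.0/24 appears to pix-A as 10.2.0.0/24.
! Addresses, ACL names and the crypto map name are constructed for this example.
!
! Only B's LAN traffic destined for A's LAN (192.168.10.0/24) is translated,
! so B's traffic to anywhere else keeps its real addresses.
access-list B_TO_A_NAT extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
static (inside,outside) 10.2.0.0 access-list B_TO_A_NAT
!
! NAT is applied before encryption, so the crypto ACL must match the translated subnet.
access-list B_TO_A_CRYPTO extended permit ip 10.2.0.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address B_TO_A_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Same masquerade on pix-B with ASA 8.3+ twice NAT (object names are constructed):
object network LAN_B
 subnet 10.1.0.0 255.255.255.0
object network LAN_B_MASQ
 subnet 10.2.0.0 255.255.255.0
object network LAN_A
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN_B LAN_B_MASQ destination static LAN_A LAN_A

! pix-A: the two remote subnets no longer overlap, so each crypto map entry has a
! unique match and the ASA can tell the B tunnel from the C tunnel. No NAT is
! needed on pix-A; hosts on A reach B's LAN as 10.2.0.x and C's LAN as 10.1.0.x.
access-list A_TO_B_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list A_TO_C_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address A_TO_B_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address A_TO_C_CRYPTO
crypto map OUTSIDE_MAP 20 set peer 203.0.113.3
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

Name resolution on A's side must hand out the masqueraded 10.2.0.x addresses for B's hosts, otherwise clients on A will still try to reach B via 10.1.0.x and land on the C tunnel.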
