topic Re: Overlapping Subnet on ASA in Network Security

Overlapping Subnet on ASA

parthrawat979 — Mon, 09 Mar 2026 14:02:51 GMT

Could anyone explain me the packet flow especially with those nat statements and how crypto acl is checked. Chatgpt isn't helping a lot. I do understand how twice nat works from asa1 but un-nat at asa2 is still something I couldn't get. Also how crypto acl is checked during both nat and un-nat.

The ping works from 192.168.1.1(left side lan) to 10.20.20.1(mapped ip of right side lan). But how it actually works the actual flow is still I couldn't grasp.

ASAv1# sh run objec
object network real-lan
subnet 192.168.1.0 255.255.255.0
object network nat-lan
subnet 10.10.10.0 255.255.255.0
object network remote-nat
subnet 10.20.20.0 255.255.255.0
ASAv1# sh run nat
nat (inside,outside) source static real-lan nat-lan destination static remote-nat real-lan
ASAv1# sh run acc
ASAv1# sh run access-lis
ASAv1# sh run access-list
access-list vpn-acl extended permit ip object nat-lan object real-lan

ASAv2# sh run nat
nat (inside,outside) source static real-lan nat-lan destination static remote-nat real-lan
ASAv2# sh run obj
object network real-lan
subnet 192.168.1.0 255.255.255.0
object network nat-lan
subnet 10.20.20.0 255.255.255.0
object network remote-nat
subnet 10.10.10.0 255.255.255.0
ASAv2# sh run acc
ASAv2# sh run access-lis
ASAv2# sh run access-list
access-list vpn-acl extended permit ip object real-lan object remote-nat

Re: Overlapping Subnet on ASA

balaji.bandi — Mon, 09 Mar 2026 15:56:44 GMT

Your diagram does not show any IP related - 10.20.20.1

is the ASA connected using VPN ?

In a general overlap network in VPN

outbound --Ingress ACL --Routing --NAT --Crypto ACL

Inbound - Decryption -- un-nat -- interface acl --Egress

here is the example of official guide :

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Re: Overlapping Subnet on ASA

parthrawat979 — Mon, 09 Mar 2026 16:23:17 GMT

Oh yes it's actually a vpn in between both thes ASAs. And I have also configured the way it's given in the guide of cisco which basically uses policy nat(destination isn't natted) but now I want to check it with twice nat where I changed both the source and destination. Could you be a little clearer about this part:

In a general overlap network in VPN

outbound --Ingress ACL --Routing --NAT --Crypto ACL

Inbound - Decryption -- un-nat -- interface acl --Egress
as far as I know the acl is checked first while going inside to outside and un-nat takes place first from outside to inside. (for asa above 8.4(3))

Re: Overlapping Subnet on ASA

balaji.bandi — Tue, 10 Mar 2026 07:46:58 GMT

un-nat takes place first from outside to inside. (for asa above 8.4(3))

How does the packet know it's from a VPN or a normal packet? If the packet comes from a VPN, it needs to be decrypted before it reaches the network, to be clear. (or am I missing something here ?) As per Lina's flow.

Re: Overlapping Subnet on ASA

parthrawat979 — Tue, 10 Mar 2026 08:06:15 GMT

You're right. I got it know. With vpn the ipsec headers are removed first so the crypto acl is checked before unnat (packet going out to in). I actually confused it with interface acl.

Re: Overlapping Subnet on ASA

balaji.bandi — Tue, 10 Mar 2026 11:30:48 GMT

Don't worry, we are all in the learning stage all the time. It's good to know that it was helpful and cleared your doubts.