https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857343#M157154 <P>Hi Kyle,</P> <P></P> <P><G class="gr_ gr_90 gr-alert gr_gramm gr_run_anim Punctuation multiReplace" id="90" data-gr-id="90">In that case</G> we need to make changes on both the ends.</P> <P></P> <P>The document shared in my first post holds good for this scenario.</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Fri, 01 Jul 2016 14:37:04 GMT Aditya Ganjoo 2016-07-01T14:37:04Z https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857338#M157149 <P>I am running into a situation where I have duplicate subnets (10.1.1.0/24) with an internal network and an external vendor. The external vendor is coming across our PIX Firewall. Would it make sense to create a NAT statement on the outside interface for the 10.1.1.0/24 network traffic coming into our network and NAT it to a different subnet?</P> <P>Would I be able to do the following:</P> <P>static (outside,inside) 10.1.1.0 10.2.2.0 netmask 255.255.255.0</P> <P>Also, do I need to add any static routing statements to the core switch below this pix to point it to the NAT network?</P> <P>Thanks,</P> Tue, 12 Mar 2019 07:58:32 GMT https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857338#M157149 Kyle Smith 2019-03-12T07:58:32Z https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857339#M157150 <P>Hi Kyle,</P> <P></P> <P>Is the external vendor coming over a VPN tunnel ?</P> <P></P> <P>If yes <G class="gr_ gr_56 gr-alert gr_gramm gr_run_anim Grammar only-del replaceWithoutSep" id="56" data-gr-id="56">the you</G> can NAT the traffic and make the changes in the crypto ACL as well.</P> <P></P> <P>Here is an example:</P> <P></P> <P>http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html</P> <P></P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> <P></P> <P></P> Fri, 01 Jul 2016 00:02:30 GMT https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857339#M157150 Aditya Ganjoo 2016-07-01T00:02:30Z https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857340#M157151 <P>Aditya,</P> <P></P> <P>Thank you for your reply.&nbsp;</P> <P></P> <P>Yes, they are coming across a VPN tunnel.&nbsp;So these changes need to be made on both ends? Only reason I ask is Im unsure if the external side will be willing or able to do this.</P> Fri, 01 Jul 2016 10:36:48 GMT https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857340#M157151 Kyle Smith 2016-07-01T10:36:48Z https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857341#M157152 <P>Hi,</P> <P></P> <P>It depends on the version of both the ASA's. If you have ASA version pre 8.3 then you need to do NAT changes on both the devices.</P> <P></P> <P>If it is post 8.2 then you can do a twice NAT on the ASA for the VPN traffic like this:</P> <P></P> <P>https://supportforums.cisco.com/document/51491/asa-bi-directional-overlapping-nat-example-configuration</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Fri, 01 Jul 2016 12:43:10 GMT https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857341#M157152 Aditya Ganjoo 2016-07-01T12:43:10Z https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857342#M157153 <P>This happens to be a PIX. Dont know if that changes anything.&nbsp;</P> <P></P> <P>Since my network doesnt need to access the external vendor would it make the most sense for the vendor to NAT their network before coming across the tunnel and then I modify all my object groups/ACL's to reflect the new IP range I am seeing (10.2.2.0/24)?</P> Fri, 01 Jul 2016 14:07:59 GMT https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857342#M157153 Kyle Smith 2016-07-01T14:07:59Z https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857343#M157154 <P>Hi Kyle,</P> <P></P> <P><G class="gr_ gr_90 gr-alert gr_gramm gr_run_anim Punctuation multiReplace" id="90" data-gr-id="90">In that case</G> we need to make changes on both the ends.</P> <P></P> <P>The document shared in my first post holds good for this scenario.</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Fri, 01 Jul 2016 14:37:04 GMT https://community.cisco.com/t5/network-security/nat-for-overlapping-subnets/m-p/2857343#M157154 Aditya Ganjoo 2016-07-01T14:37:04Z