https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4014816#M23079 <P>I have come across a conflict situation. And given the limitation that we cannot apply an NAT to remote environment.</P><P>&nbsp;</P><P>Tunnel 1</P><P>Local Firewall IP : x.x.x.x</P><P>Peer Firewall IP : y.y.y.y</P><P>Local Subnet : 10.252.100.0/24</P><P>Remote Subnet : 192.168.100.0/24</P><P>&nbsp;</P><P>Tunnel 2</P><P>Local Firewall IP : x.x.x.x</P><P>Peer Firewall IP : z.z.z.z</P><P>Local Subnet : 10.252.100.0/24</P><P>Remote Subnet : 192.168.100.0/24</P><P>&nbsp;</P><P>Please advise how can this be solved using ASA5515 firewalls.</P><P>&nbsp;</P> Mon, 20 Jan 2020 18:26:29 GMT ahin.shaw 2020-01-20T18:26:29Z https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4014816#M23079 <P>I have come across a conflict situation. And given the limitation that we cannot apply an NAT to remote environment.</P><P>&nbsp;</P><P>Tunnel 1</P><P>Local Firewall IP : x.x.x.x</P><P>Peer Firewall IP : y.y.y.y</P><P>Local Subnet : 10.252.100.0/24</P><P>Remote Subnet : 192.168.100.0/24</P><P>&nbsp;</P><P>Tunnel 2</P><P>Local Firewall IP : x.x.x.x</P><P>Peer Firewall IP : z.z.z.z</P><P>Local Subnet : 10.252.100.0/24</P><P>Remote Subnet : 192.168.100.0/24</P><P>&nbsp;</P><P>Please advise how can this be solved using ASA5515 firewalls.</P><P>&nbsp;</P> Mon, 20 Jan 2020 18:26:29 GMT https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4014816#M23079 ahin.shaw 2020-01-20T18:26:29Z https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4014849#M23080 <P>You have to NAT somewhere to mitigate the Same subnet in the environment.</P> <P>&nbsp;</P> <P>what device remote end ?</P> <P>&nbsp;</P> Mon, 20 Jan 2020 19:42:42 GMT https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4014849#M23080 balaji.bandi 2020-01-20T19:42:42Z https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4015321#M23081 <P>Palo Alto</P><P>&nbsp;</P><P>I am okay with doing NAT at our end (Cisco ASA). We cannot do NAT at remote ends.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank You.</P> Tue, 21 Jan 2020 14:01:47 GMT https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4015321#M23081 ahin.shaw 2020-01-21T14:01:47Z https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4015407#M23082 <P>yes you can mitigate with differege IP address one of the site to NAT at your end.</P> <P>&nbsp;</P> <P>make sure they allow your New IP address far end ACL.</P> <P>&nbsp;</P> Tue, 21 Jan 2020 15:21:27 GMT https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4015407#M23082 balaji.bandi 2020-01-21T15:21:27Z https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4015667#M23083 <P>The solution is brief that I realized after Balaji's comment and looking at the packet flow of Cisco ASA.</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html</A></P><P>&nbsp;</P><P>ASA performs XLATE functionality which can act as Pseudo address for destination, similarly i have to NAT my source to different address. So following this when a route for tunnel is established it knows the forward (Pseudo Address) and reverse path (NATed Source).</P><P>&nbsp;</P><P>I don't have environment to test but definitely feel it will working knowing ASA creates policy based tunnel.&nbsp;</P><P>Original thought was identifying solution for such cases using PA, Checkpoint, ASA and Fortigate.</P> Tue, 21 Jan 2020 21:02:06 GMT https://community.cisco.com/t5/network-security/how-can-we-implement-2-tunnels-same-source-firewall-different/m-p/4015667#M23083 ahin.shaw 2020-01-21T21:02:06Z