12-27-2012 01:45 PM - edited 03-11-2019 05:41 PM
I've got an ASA5510 with an IPS/IDS module. Because of a merger, I've got two 10.10.10.x networks (West and Central). I'd like all West traffic to be IPS checked before going into Central. Once it goes into Central, it's out of my hands. Can I set up NAT to accomplish this?
Again, the traffic flow would be from West (10.10.10.1) through the ASA/IPS, and then to Central (10.10.10.1).
Is this possible? If not, do I need another router?
12-27-2012 02:16 PM
I'd imagine both the router before the ASA (?) and the ASA you have would have to do NAT for their own 10.10.10.0/24 networks.
This is because even if you configure NAT for the other network 10.10.10.0/24, it still couldn't try to connect to the other 10.10.10.0/24 network, as the hosts still see the network 10.10.10.0/24 as a directly connected network for them. So the remote network should also have their own NAT network instead of the 10.10.10.0/24.
- Jouni
12-27-2012 01:52 PM
You can use NAT configuration in overlapping networks. You can follow the link below for more information regarding the configuration.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml
rate please if it is helpful!
regards,
Labib
12-27-2012 02:00 PM
I should have mentioned this is version 8.4 on a Firewall.
12-27-2012 02:09 PM
I can only comment on personal experience in dealing with issues of overlapping networks.
When companies have merged with overlapping private network ranges, the most common solution has been to change the address ranges on the location with the least changes needed (even though it might be a big change, it's usually better than configuring something special into your network that might come back to "haunt" you). In certain environments where both parties have kept their own firewalls, it has also been possible to simply do NAT on both ends and this way avoid any configuration changes on the actual host devices.
Also, one common environment where this happens is when connecting locations by L2L VPN connections, either for third party maintenance connections, data transfers or providing services. Then also, the simplest solution is to do NAT.
- Jouni
12-27-2012 01:54 PM
Hi,
You can't have 2 overlapping networks.
You should either try to change the address range of one of the networks or configure NAT for both of the networks on separate devices.
- Jouni
12-27-2012 02:05 PM
Thanks Jouni,
I guess you are saying I need to have West network 10.10.10.x go into a router, which NATs into 172.16.1.x, then into my ASA/IPS. From there I would not need NAT on the ASA to go out to Central network 10.10.10.1, because the ASA would simply route.
Is that correct?
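The two-stage design Jouni describes in the accepted answer (the router in front of the ASA translates West, the ASA translates Central, and the IPS sees traffic in between), modelled as an added Python example that is not part of the thread. It shows why the asker's first plan fails: a West host that is told to reach 10.10.10.1 treats that address as directly connected and never sends the packet to its gateway, so no NAT on the ASA can help. The 172.16.2.0/24 range for Central's translated addresses, the gateway address and the interface roles are assumptions; 10.10.10.0/24 and 172.16.1.0/24 come from the thread.

```python
import ipaddress

# Constructed topology. 10.10.10.0/24 (both sites) and 172.16.1.0/24 (West as
# seen behind the router) are from the thread; 172.16.2.0/24 for Central as
# seen from West, and the West gateway address, are assumptions.
WEST_REAL = ipaddress.ip_network("10.10.10.0/24")
WEST_MAPPED = ipaddress.ip_network("172.16.1.0/24")      # router translates West to this
CENTRAL_REAL = ipaddress.ip_network("10.10.10.0/24")
CENTRAL_MAPPED = ipaddress.ip_network("172.16.2.0/24")   # ASA presents Central as this (assumed)
WEST_GATEWAY = ipaddress.ip_address("10.10.10.254")      # assumed router address in West


def host_next_hop(dst, local_net, gateway):
    """Model the sending host's forwarding decision.

    A host treats any destination inside its own directly connected subnet as
    local: it ARPs for it on the LAN and never hands the packet to the gateway.
    """
    if dst in local_net:
        return "local"
    return gateway


def translate(addr, from_net, to_net):
    """Static one-to-one network translation, e.g. 10.10.10.7 -> 172.16.1.7."""
    offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + offset


def router_nat(pkt):
    """Router between West and the ASA: source NAT West real -> West mapped."""
    pkt = dict(pkt)
    if pkt["src"] in WEST_REAL:
        pkt["src"] = translate(pkt["src"], WEST_REAL, WEST_MAPPED)
    return pkt


def asa_nat(pkt, ips_inspect):
    """ASA: the IPS module inspects the flow, then destination NAT
    Central mapped -> Central real before forwarding into Central."""
    pkt = dict(pkt)
    ips_inspect(pkt)
    if pkt["dst"] in CENTRAL_MAPPED:
        pkt["dst"] = translate(pkt["dst"], CENTRAL_MAPPED, CENTRAL_REAL)
    return pkt


def send_from_west(src, dst):
    """Trace one packet from a West host towards Central through router and ASA.

    Returns a dict with whether it reached Central, the addresses Central
    sees, and whether the IPS module ever saw it.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    seen_by_ips = []

    if host_next_hop(dst, WEST_REAL, WEST_GATEWAY) == "local":
        # The host looks for 10.10.10.x on its own LAN; router, ASA and IPS
        # are never involved.
        return {"delivered": False, "inspected": False,
                "reason": "destination is inside the host's own subnet"}

    pkt = router_nat({"src": src, "dst": dst})
    pkt = asa_nat(pkt, lambda p: seen_by_ips.append(dict(p)))
    return {"delivered": pkt["dst"] in CENTRAL_REAL,
            "inspected": bool(seen_by_ips),
            "src": str(pkt["src"]), "dst": str(pkt["dst"])}


if __name__ == "__main__":
    # The asker's original plan: West host targets Central's real address.
    print(send_from_west("10.10.10.7", "10.10.10.1"))
    # Both-ends NAT: West host targets Central's translated address.
    print(send_from_west("10.10.10.7", "172.16.2.1"))
```

With NAT at both ends, a West host reaches Central's 10.10.10.1 by addressing 172.16.2.1, the router rewrites the source to 172.16.1.7, the IPS inspects that flow, and the ASA rewrites the destination back to 10.10.10.1 for Central. Because the mappings are static one-to-one, the return path is the same two translations applied in reverse, which is what lets hosts on both sides stay unchanged.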