6996 Views | 5 Helpful | 6 Replies

Can I connect two 10.10.10.x networks using NAT on an ASA5510?

jimmyc_2
Level 1

I've got an ASA5510 with an IPS/IDS module.  Because of a merger, I've got two 10.10.10.x networks (West and Central).   I'd like all West traffic to be IPS checked before going into Central.  Once it goes into Central, it's out of my hands.   Can I set up NAT to accomplish this?

Again, the traffic flow would be from West (10.10.10.1) through the ASA/IPS, and then to Central (10.10.10.1).  

Is this possible?  If not, do I need another router?


6 Replies

hanyawad
Level 1

You can use NAT configuration in overlapping networks. You can follow the link below for more information regarding the configuration.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml

Please rate if it is helpful!

regards,

Labib

I should have mentioned this is version 8.4 on a Firewall.  

I can only comment on personal experience in dealing with issues of overlapping networks.

When companies have merged with overlapping private network ranges, the most common solution has been to change the address ranges on the location with the least changes needed (even though it might be a big change, it's usually better than configuring something special into your network that might come back to "haunt" you). In certain environments where both parties have kept their own firewalls, it has also been possible to simply do NAT on both ends and this way avoid any configuration changes on the actual host devices.

Also, one common environment where this happens is when connecting locations by L2L VPN connections, either for third-party maintenance connections, data transfers or providing services. Then also, the simplest solution is to do NAT.

- Jouni

Jouni Forss
VIP Alumni

Hi,

You can't have 2 overlapping networks.

You should either try to change the address range of one of the networks or configure NAT for both the networks on separate devices.

- Jouni

Thanks Jouni, 

I guess you are saying I need to have West network 10.10.10.x  go into a router, which NATs into 172.16.1.x, then into my ASA/IPS.   From there I would not need NAT on the ASA to go out to Central network 10.10.10.1, because the ASA would simply route.

Is that correct?

Jouni Forss
VIP Alumni

(Accepted Solution)

I'd imagine both the router before the ASA (?) and the ASA you have would have to do NAT for their own 10.10.10.0/24 networks.

This is because even if you configure NAT for the other network 10.10.10.0/24, it still couldn't try to connect to the other 10.10.10.0/24 network, as the hosts still see the network 10.10.10.0/24 as a directly connected network for them. So the remote network should also have their own NAT network instead of the 10.10.10.0/24.

- Jouni
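As an added example, not taken from this thread or from the Cisco document linked above, here is what "NAT on both ends" looks like for the setup the accepted answer describes: an IOS router in front of the ASA translates West's real 10.10.10.0/24 to a mapped 172.16.1.0/24, and the ASA (8.4 syntax) presents Central's real 10.10.10.0/24 to the West side as 172.16.2.0/24. The interface names, the 192.0.2.0/30 transit link between router and ASA, the 172.16.x.0/24 mapped ranges and the gateway addresses are all assumptions chosen for this example; nothing here is from the original poster's configuration.

```text
! ---- West router (IOS); interface names and the 192.0.2.0/30 transit link are assumed ----
interface GigabitEthernet0/0
 description West LAN (real 10.10.10.0/24)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description transit link to the ASA "west" interface
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
!
! One-to-one network translation: West host 10.10.10.N is seen beyond the router as 172.16.1.N
ip nat inside source static network 10.10.10.0 172.16.1.0 /24
!
! West hosts reach Central only under Central's mapped range (assumed 172.16.2.0/24),
! which lies outside their own connected subnet, so they forward it to this router
ip route 172.16.2.0 255.255.255.0 192.0.2.2

! ---- ASA 5510 running 8.4; interface names "west" and "central" are assumed ----
interface Ethernet0/0
 nameif west
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface Ethernet0/1
 nameif central
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
object network CENTRAL_MAPPED
 subnet 172.16.2.0 255.255.255.0
!
! Static net-to-net object NAT: Central host 10.10.10.N is seen on the west side as 172.16.2.N.
! The real side is "central", the mapped side is "west".
object network CENTRAL_REAL
 subnet 10.10.10.0 255.255.255.0
 nat (central,west) static CENTRAL_MAPPED
!
! Return path for West's mapped range goes back through the router
route west 172.16.1.0 255.255.255.0 192.0.2.1
!
! Inbound policy on "west": on 8.3+ the ACL matches the real (untranslated) destination,
! so the destination is Central's real object, not the mapped range
access-list WEST_IN extended permit ip 172.16.1.0 255.255.255.0 object CENTRAL_REAL
access-group WEST_IN in interface west
```

Walking one flow through this: a West host at 10.10.10.5 opens a connection to 172.16.2.20, the router rewrites the source to 172.16.1.5, the ASA un-translates the destination to 10.10.10.20 and forwards it on "central", and the reply from 10.10.10.20 to 172.16.1.5 is translated back to a source of 172.16.2.20 on its way out. Two caveats match the thread's discussion: Central's own gateway must route 172.16.1.0/24 back toward the ASA's "central" address (Central is outside the original poster's control, so that has to be agreed with them), and any name resolution the West side uses for Central systems must hand out the mapped 172.16.2.x addresses, since the real 10.10.10.x addresses are unreachable from West by design.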
