06-07-2013 08:48 AM - edited 03-11-2019 06:54 PM
Our current project involves integrating a couple of systems between two separate networks. These networks are owned by independent parties, and there is some address space overlap. Can implementing NAT on the firewall alone solve this issue, or does NAT have to be enabled again on the 5000 or another device to make this work?
The ASA is the gateway for the network at the bottom, where the network at the top is "somewhere" behind the 5000.
I appreciate your thoughts on this!
06-07-2013 09:52 AM
Hello Jeremy,
You will need to translate the IP addresses on both sides, because if the ASA receives a packet with the same IP addresses on both interfaces and then decides to NAT it, it will conflict with some of the security features of the ASA (RPF, IP spoofing checks, etc.).
This would be similar to the case where you have the same LAN IP address range in two corporate networks and you want to run a VPN tunnel between them: NAT is placed on both VPN endpoints.
Regards,
Julio Carvajal
Hey remember to rate all of the helpful posts, as important as a thanks (keep us motivated)
06-07-2013 10:06 AM
Thank you for the clarification. If the following circumstance presents itself, are we again looking at NAT on both ends? Or is this true only if the same networks need to communicate, but if only the 10.100.1.x needs to communicate with both, then NAT on the ASA alone is OK? (10.100.1.x is unique to both parties.)
06-07-2013 10:10 AM
Hello Jeremy,
Exactly. If the 10.100.1.x goes to the 10.1.1.x subnet on one of the interfaces on the ASA, the NAT needs to be done only on the ASA.
You got it.
Regards,
Julio
Hey remember to rate all of the helpful posts, as important as a thanks (keep us motivated)
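As an added example that is not part of this thread and not the poster's or Cisco's own configuration, here is what the two cases discussed above look like as ASA 8.3+ twice NAT. The interface names (inside, dmz, outside), the mapped ranges 192.168.101.0/24 and 192.168.201.0/24 and the next hop 203.0.113.1 are assumptions chosen for illustration; the mirror-image translation the other party must apply in the first case depends on their device and is not shown.

```text
! Added example, not from the thread. ASA 8.3+ syntax; interface names,
! mapped ranges and next hop are assumptions.
!
! --- Case 1: 10.1.1.0/24 exists on BOTH networks and the two must talk.
! The ASA presents the bottom 10.1.1.0/24 to the top network as
! 192.168.101.0/24. The other party must do the mirror image on its own
! device, presenting its 10.1.1.0/24 to us as 192.168.201.0/24. Bottom hosts
! address top hosts as 192.168.201.x, never 10.1.1.x, so the ASA never sees
! the same prefix as both source and destination across its interfaces.
object network BOTTOM_LAN_REAL
 subnet 10.1.1.0 255.255.255.0
object network BOTTOM_LAN_MAPPED
 subnet 192.168.101.0 255.255.255.0
object network TOP_LAN_MAPPED
 subnet 192.168.201.0 255.255.255.0
!
! Static twice NAT (bidirectional): translate our source only when the
! destination is the other side's already-translated range; the destination
! part is an identity translation that just scopes the rule.
nat (inside,outside) source static BOTTOM_LAN_REAL BOTTOM_LAN_MAPPED destination static TOP_LAN_MAPPED TOP_LAN_MAPPED
!
! The mapped far-side range must be routed out the outside interface, and the
! other party needs a return route for 192.168.101.0/24 pointing at the ASA.
route outside 192.168.201.0 255.255.255.0 203.0.113.1
!
! --- Case 2: only a unique 10.100.1.0/24 (on inside) must reach both
! 10.1.1.0/24 networks: the local one on dmz and the remote one behind
! outside. As the answer above says, NAT on the ASA alone is enough. The
! local 10.1.1.x is reached directly; the remote 10.1.1.x is addressed as
! 192.168.201.x and the ASA rewrites the destination on the way out.
object network REMOTE_LAN_REAL
 subnet 10.1.1.0 255.255.255.0
object network SRC_10_100
 subnet 10.100.1.0 255.255.255.0
!
! Source is identity-translated; destination 192.168.201.x -> 10.1.1.x
! (mapped object first, then real object, per the twice NAT syntax).
nat (inside,outside) source static SRC_10_100 SRC_10_100 destination static TOP_LAN_MAPPED REMOTE_LAN_REAL
!
! For a flow whose destination is rewritten by a twice NAT rule, the ASA takes
! the egress interface from the rule's interface pair (here: outside) unless
! the rule carries the route-lookup keyword, so the real destination 10.1.1.x
! leaves via outside even though the routing table sends untranslated
! 10.1.1.0/24 traffic to dmz. Check both paths before going live:
! packet-tracer input inside tcp 10.100.1.10 1025 192.168.201.10 22
! packet-tracer input inside tcp 10.100.1.10 1025 10.1.1.10 22
```

The first packet-tracer line should show the NAT phase rewriting the destination and an egress interface of outside; the second should show no translation and an egress interface of dmz. If the second case instead shows traffic to the remote 10.1.1.x being dropped on the return path, that is the RPF and spoofing conflict the answer describes, and it is the signal that the other party must translate on their side as well.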