ASA 5585 and NAT - Same IP addresses

jsdurst
Level 1

Our current project involves integrating a couple of systems between two separate networks. These networks are owned by independent parties, and there is some address space overlap. Can implementing NAT on the firewall alone solve this issue, or does NAT have to be enabled again on the 5000 or another device to make this work?

The ASA is the gateway for the network at the bottom, while the network at the top is "somewhere" behind the 5000.

I appreciate your thoughts on this!

[attached diagram: csco.jpg]

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Jeremy,

You will need to translate the IP addresses on both sides, because if the ASA receives a packet with the same IP addresses on both interfaces and then decides to NAT it, it will conflict with some of the security features of the ASA (RPF, IP spoofing checks, etc.).

This would be similar to the case where you have the same LAN IP address range between 2 corporate networks and you want to run a VPN tunnel: NAT will be placed on both VPN endpoints.

Regards,

Julio Carvajal

Hey remember to rate all of the helpful posts, as important as a thanks (keep us motivated)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

3 Replies

Thank you for the clarification. If the following circumstance presents itself, are we again looking at NAT on both ends? Or is this true only if the same networks need to communicate, but if only the 10.100.1.x needs to communicate with both, then NAT on the ASA alone is ok? (10.100.1.x is unique to both parties.)

Hello Jeremy,

Exactly. If the 10.100.1.x goes to the 10.1.1.x subnet on one of the interfaces on the ASA, the NAT needs to be done only on the ASA.

You got it.

Regards,

Julio

Hey remember to rate all of the helpful posts, as important as a thanks (keep us motivated)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
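As an added illustration of both of Julio's replies above (this is example code, not from the thread or from Cisco), here is a small Python model of the ASA's route lookup and reverse-path check. The subnets 10.1.1.0/24 and 10.100.1.0/24 come from the thread; the interface names, the routing table and the mapped ranges 192.168.11.0/24 and 192.168.22.0/24 are constructed assumptions.

```python
"""Why overlapping subnets need NAT on both ends: a toy ASA forwarding model.

Constructed assumptions: the ASA's inside LAN is 10.1.1.0/24; the remote party
also uses 10.1.1.0/24 plus a unique 10.100.1.0/24, both reached via 'outside'.
Mapped ranges 192.168.11.0/24 (local side) and 192.168.22.0/24 (remote side)
are invented for the example.
"""
import ipaddress

IPN = ipaddress.ip_network
IPA = ipaddress.ip_address

# ASA routing table: prefix -> egress interface (longest prefix wins).
ROUTES = {
    IPN("10.1.1.0/24"): "inside",       # local LAN
    IPN("10.100.1.0/24"): "outside",    # remote's unique subnet, behind the 5000
    IPN("192.168.22.0/24"): "outside",  # remote's mapped view of ITS 10.1.1.0/24
    IPN("0.0.0.0/0"): "outside",
}

# Static NAT applied by the ASA: remote hosts address the local LAN as
# 192.168.11.x and the ASA untranslates the destination back to 10.1.1.x.
LOCAL_REAL, LOCAL_MAPPED = IPN("10.1.1.0/24"), IPN("192.168.11.0/24")


def egress(ip):
    """Longest-prefix route lookup; returns the egress interface name."""
    ip = IPA(ip)
    best = max((p for p in ROUTES if ip in p), key=lambda p: p.prefixlen)
    return ROUTES[best]


def untranslate_dst(dst):
    """Map a destination in the mapped range to its real address (same host part)."""
    dst = IPA(dst)
    if dst in LOCAL_MAPPED:
        return LOCAL_REAL[int(dst) - int(LOCAL_MAPPED[0])]
    return dst


def forward(src, dst, ingress):
    """Return (verdict, reason) for a packet src->dst arriving on `ingress`."""
    # Unicast RPF / anti-spoofing: the route back to the source must point
    # out the interface the packet came in on. An untranslated remote
    # 10.1.1.x source fails here because 10.1.1.0/24 routes to 'inside'.
    if egress(src) != ingress:
        return ("drop", f"rpf: route to {src} points to {egress(src)}, not {ingress}")
    real_dst = untranslate_dst(dst)
    out = egress(real_dst)
    if out == ingress:
        return ("drop", "destination is on the ingress interface")
    return ("forward", f"{out} as {real_dst}")
```

Packets from the remote 10.1.1.x are dropped by the reverse-path check unless the remote side has already translated them, while packets from the unique 10.100.1.x are forwarded with only the ASA's own translation, which is the distinction the two replies draw.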