ASA 8.3 NAT Overlapping Networks

Erik
Level 1

I've got a lab and am trying to figure out how to make NAT work for some future projects (remote offices with overlapping networks, L2L VPN with overlapping networks, etc.).  Using this as a guide https://supportforums.cisco.com/docs/DOC-13429 I was able to get it to work using an ASA and a router (initial configuration below).  I'm able to ping from host 1 to 40.40.40.2 (host 2) and it works, as does pinging from host 2 to 50.50.50.2 (host 1).  The issue I'm having now is that I've replaced that router with another ASA (second configuration below).  Once I've done that, I can no longer reach the end device with the NAT'd IP address. If I take out ASA1 and swap in a router (basically reversing the router/ASA in the initial configuration) it works fine as well.  I'm only seeing issues when using two ASAs.  I've verified that ICMP and telnet are permitted inbound on the ASAs as well.  I even tried separating the final host with another router (third configuration).

Any help/insight would be appreciated!

Initial configuration:

Host 1 --------------------------- Router -------------------------- ASA--------------------------- Router ---------------------- Host 2

30.30.30.2                    e0: 30.30.30.1                 in: 10.10.10.2               e1: 20.20.20.1             30.30.30.2

NAT: 50.50.50.2            e1: 10.10.10.1               out: 20.20.20.2               e0: 30.30.30.1             NAT: 40.40.40.2

second configuration:

Host 1 --------------------------- Router ------------------------ ASA1--------------------------- ASA2 -------------------  Host 2

30.30.30.2                    e0: 30.30.30.1                 in: 10.10.10.2               e1: 20.20.20.1             30.30.30.2

NAT: 50.50.50.2            e1: 10.10.10.1                out: 20.20.20.2               e0: 30.30.30.1             NAT: 40.40.40.2

third configuration:

Host 1 --------------------------- Router ------------------------ ASA1--------------------------- ASA2 -------------------  Router ----------------------Host 2

30.30.30.2                    e0: 30.30.30.1                 in: 10.10.10.2               e1: 20.20.20.1             e0: 60.60.60.2            30.30.30.2

NAT: 50.50.50.2            e1: 10.10.10.1                out: 20.20.20.2               e0: 60.60.60.1            e1: 30.30.30.1           NAT: 40.40.40.2

Config from ASA1

ASA1# sh run object
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NAT_Router
host 40.40.40.2
object network OUT_Router
host 20.20.20.1
object network REAL_PC
host 30.30.30.2
object network NAT_PC
host 50.50.50.2
object network REAL_Router
host 30.30.30.2
object network NAT_Range
subnet 50.50.50.0 255.255.255.0
object network REAL_RANGE
subnet 30.30.30.0 255.255.255.0
ASA1# sh run nat
nat (inside,outside) source static REAL_PC NAT_PC destination static NAT_Router REAL_Router
!
object network obj_any
nat (inside,outside) dynamic interface
ASA1# sh run route
route management 10.40.0.0 255.255.0.0 10.40.116.1 1
route inside 30.30.30.0 255.255.255.0 10.10.10.1 1
route outside 30.30.30.0 255.255.255.0 20.20.20.1 2

ASA2:

ASA2# sh run object
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Real_RTR
host 30.30.30.2
object network NAT_RTR
host 40.40.40.2
object network REAL_PC
host 30.30.30.2
object network NAT_PC
host 50.50.50.2
ASA2# sh run nat
nat (inside,outside) source static Real_RTR NAT_RTR destination static NAT_PC REAL_PC
!
object network obj_any
nat (inside,outside) dynamic interface
ASA2# sh run route
route management 10.40.0.0 255.255.0.0 10.40.116.1 1
route inside 30.30.30.0 255.255.255.0 60.60.60.2 1
route outside 30.30.30.0 255.255.255.0 20.20.20.2 2

1 Reply

brquinn
Level 1

Erik,

This command on ASA1 is translating both the source and the destination. When the packet leaves the outside interface, the Destination IP will be 30.30.30.2. ASA2 is doing the same thing, but in reverse.

Try these commands to allow ASA1 to NAT the PC and ASA2 to NAT the Router...

ASA1:

nat (inside,outside) source static REAL_PC NAT_PC destination static NAT_Router NAT_Router

ASA2:

nat (inside,outside) source static Real_RTR NAT_RTR destination static NAT_PC NAT_PC

Thanks,

Brendan
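
A small Python model of how a twice-NAT rule (source static A B destination static C D) rewrites a packet in each direction, added here to make Brendan's diagnosis concrete; it is not Cisco code, not from the original thread, and it models only the twice-NAT rules shown in the question (the obj_any dynamic PAT, ACLs, routing and connection-state tracking are deliberately left out). The addresses and rule objects are the ones posted above. With the original rules the packet leaves ASA1 with destination 30.30.30.2, so ASA2's rule never matches; with the suggested rules the destination stays 40.40.40.2 on the wire and ASA2 untranslates it.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (inside,outside) source static A B destination static C D' rule.

    inside -> outside: a packet from A to C leaves as B to D.
    outside -> inside: the same rule applied in reverse, D to B becomes C to A.
    (Simplified model for illustration; real ASA matching is richer.)
    """
    src_real: str    # A
    src_mapped: str  # B
    dst_mapped: str  # C
    dst_real: str    # D

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src == self.src_real and pkt.dst == self.dst_mapped:
            return Packet(self.src_mapped, self.dst_real)
        return None  # this twice-NAT rule does not fire

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src == self.dst_real and pkt.dst == self.src_mapped:
            return Packet(self.dst_mapped, self.src_real)
        return None


Hop = Tuple[str, Callable[[Packet], Optional[Packet]]]


def trace(pkt: Packet, hops: List[Hop]) -> List[Tuple[str, Optional[Packet]]]:
    """Apply each hop in turn; stop (recording None) when a rule does not match."""
    out = []
    for name, step in hops:
        pkt = step(pkt)
        out.append((name, pkt))
        if pkt is None:
            break
    return out


HOST1 = "30.30.30.2"  # behind ASA1, reachable from the far side as 50.50.50.2
HOST2 = "30.30.30.2"  # behind ASA2, reachable from the far side as 40.40.40.2

# Rules as posted in the question (objects resolved to their addresses).
asa1_orig = TwiceNat("30.30.30.2", "50.50.50.2", "40.40.40.2", "30.30.30.2")
asa2_orig = TwiceNat("30.30.30.2", "40.40.40.2", "50.50.50.2", "30.30.30.2")
# Rules as suggested in the reply: destination is left untouched by the
# near-side ASA and untranslated by the far-side ASA.
asa1_fix = TwiceNat("30.30.30.2", "50.50.50.2", "40.40.40.2", "40.40.40.2")
asa2_fix = TwiceNat("30.30.30.2", "40.40.40.2", "50.50.50.2", "50.50.50.2")


def forward_path(asa1: TwiceNat, asa2: TwiceNat):
    """Host 1 pings 40.40.40.2: ASA1 outbound, then ASA2 inbound."""
    return trace(Packet(HOST1, "40.40.40.2"),
                 [("ASA1 out", asa1.outbound), ("ASA2 in", asa2.inbound)])


def return_path(asa1: TwiceNat, asa2: TwiceNat):
    """Host 2 answers to 50.50.50.2: ASA2 outbound, then ASA1 inbound."""
    return trace(Packet(HOST2, "50.50.50.2"),
                 [("ASA2 out", asa2.outbound), ("ASA1 in", asa1.inbound)])


def delivered(path) -> Optional[Packet]:
    """Packet as seen by the far host, or None if some hop's rule did not match."""
    return path[-1][1]


if __name__ == "__main__":
    for label, a1, a2 in (("original", asa1_orig, asa2_orig),
                          ("suggested", asa1_fix, asa2_fix)):
        print(f"--- {label} rules ---")
        for name, p in forward_path(a1, a2) + return_path(a1, a2):
            print(f"{name:9s} {p}")
```

Reading the trace: under the original rules the "ASA1 out" hop yields src 50.50.50.2, dst 30.30.30.2, and "ASA2 in" yields None, which is the symptom in the question. Under the suggested rules the wire packet is 50.50.50.2 to 40.40.40.2 in one direction and 40.40.40.2 to 50.50.50.2 in the other, so each ASA sees only its peer's mapped address and the overlapping 30.30.30.0/24 never appears between the two firewalls.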
