If there is truly overlap between the Support and Client network I would suggest that you configure NAT on both sites and Tunnel the traffic between those NAT network between the sites with L2L VPN.

- Jouni

I am hoping to do it without modifying the client's GW if possible. Is there another way? I have full control over our own ASA devices, but none over the clients gear.

Doesnt the above information also mean that your Monitoring network cant communicate with some portion (or all) of your Support network? I mean if the Monitoring network is already forwarding all traffic towards 172.16.17.0/yy to the L2L VPN directly to the client?

I would have to say the simplest configuration in the long run would be to configure the L2L VPN directly between Support and Client and do NAT at both ends so neither site would see the real (overlapping) network from their side.

I cant quite wrap my head around a solution that would only involve your ASAs.

If I would have to guess without first testing/labbing the situation I would have to say what I would try (but probably wouldnt configure in a production environment myself)

• Configure NAT for the whole 172.16.17.0/20 network on the Support network and then tunneling that network to the Monitor network. Essentially also your Monitor network would in the future see your Support network as for example network 10.16.17.0/20 so we can do a clean NAT configuration with equal sized networks
• Configure the L2L VPN configuration to match eachother on the Support and Monitor networks to match eachother so they can first communicate with eachother. The change would essentially involve the crypto ACL containing the Support network as 10.16.17.0/20 and the Monitor network the same 192.168.250.0/24 as its now.
• To try to enable the traffic between Support and Client sites we would have to come up with some kind of NAT configuration possibly on the Monitor network ASA.
• Provided that the whole Monitor network 192.168.250.0/24 is now NAT0 configured towards the Client site (?) we would perhaps need to configure a Dynamic PAT from "outside" to "outside" using a single unused IP address from 192.168.250.0/24 network.
• Next we would perhaps have to configure Static Policy NAT again from "outside" to "outside" which would translate the Client source network to some NAT network equal to the size of the Client network WHEN the destination was the Dynamic PAT IP address mentioned just above
• The purpose of the above Dynamic PAT configuration would be to mask the Support Network with an PAT IP address that is already part of the L2L VPN configuration between Monitor and Client site.
• The purpose of the above Static Policy NAT would be to provide the Support some other destination network other than the one overlapping with its own network.
• Finally we would have to make additions to the L2L VPN crypto ACL for Support to Monitor network. The Support source network would be the same NAT network 10.16.17.0/20 and the Client destination network would be whatever we configured on the Static Policy NAT
• We would also need to possibly add "same-security-traffic permit intra-interface" on the Monitor network ASA which would enable traffic to enter the "outside" and leave the "outside" as would happen in this case since traffic is going through 2 L2L VPN connections.
• Finally we would cross our fingers and hope we didnt break anything

But as I said this is not something I have tested and would not be something that I would wish to implement in a production environment since there is a much more simpler solution to this. Naturally the above setup would also load the Monitor sites bandwith as its now has to handle traffic that is not destined for its local networks.

I do have 3 ASA firewalls at home and might be able to lab this setup but that is not all that sure.

What I am most worried about is the Dynamic PAT + Static Policy NAT on the Monitor network ASA. Will it match the L2L VPN crypto ACLs or not.

To give a step by step description what I expected to happen

• Support network ASA performs NAT from local to the mapped network
• Support network ASA matches the NATed hosts as the source address for the L2L VPN
• Support network ASA matches the destination address as belonging to the Client network for the L2L VPN
• Traffic arrives on Monitor network ASA and gets Dynamic PATed to an IP address matching the Monitor to Client L2L VPN source address
• The destination network of the traffic that arrived to the Monitor network ASA gets matched to the Static Policy NAT and gets UN-NATed from the Static Policy NAT mapped address to the actual network (which would have overllaped without the Static Policy NAT) and again the destination network will also match the destination address of the L2L VPN between Monitor and Client
• Traffic arrives to the Client site appearing from the single Dynamic PAT address sourced from the Monitor site.

Well that was a long post :/

- Jouni

Hi Jouni, the client network in question is 172.19.11.0/24 and the Support network is 172.17.16.0/20, so they do not overlap. The VPN between support and monitor networks is up and communication is ok. I kind of followed your explanation, and I had something similar in mind. The one thing I'm not sure of is why we need any NAT on the Support ASA. Could we not just do source translation on the monitoring network's ASA? So lets say packet with source 172.17.16.30 gets routed through IPSEC tunnel to monitoring network. From there, the source IP is translated to an unused 192.168.250.x address and destination remains 172.19.11.189?.

You are spot on! - I read through your comments and tried the Outside Dynamic NAT and bingo! - thanks so much for your help

Hi,

Great to hear

Thank you for marking the correct answer.

- Jouni

Thanks for the reply Jouni. I have simplified the network dramatically. The client uses that 172.17.16.0 network in other places (I don't know whether it is a local network, or they are VPN'ing to another network using that subnet through the same gateway)