Cisco ASA5510 - Overlapping NAT

geeksonline (Level 1)

I am setting up a network design where two sites will have the same IP addressing scheme (Production and DR). I need to configure the ASA devices at Production and DR with NAT so that servers in production can replicate information to servers in DR and vice versa. I have attached a copy of the design I am using; I need some assistance in getting the NAT configuration correct on both ASA devices.

[Attachment: network design (1).jpg]

1 Accepted Solution (Jouni Forss's final reply in the thread below)

7 Replies

Jouni Forss (VIP Alumni)

Hi,

Are you simply looking into NATing the overlapping networks/hosts to different NAT IPs on each site's ASA5510 so that the communication works with these servers running the same IP address?

What is your ASA firewalls software version? It will have a big impact on the NAT configuration format and some options.

- Jouni

Hi Jouni, thanks for the reply. The software version is 8.2. With regard to the NAT, what I want is to be able to replicate data from a server in production to a server in DR. I have shown 1 server in the diagram, but there could be more than 1. As the servers have identical IPs, the only way I will be able to do it is to copy to a virtual IP which is NAT'd across to the same server in the other site (and the other way).

Hi,

OK, so the software is 8.2.

The basic static NAT configuration format is the following (the placeholders in angle brackets stand for the mapped NAT IP and the server's real IP, in that order):

Site 1

static (inside,dmz) <nat-ip> <real-ip> netmask 255.255.255.255

Site 2

static (inside,dmz) <nat-ip> <real-ip> netmask 255.255.255.255

After this both hosts would be visible to each other with a NAT IP address and there should be no overlapping and no problems with routing or the return route.

- Jouni

Thanks Jouni, so in my diagram, would the following commands work:

Site 1

static (inside,dmz) 10.10.1.3 192.168.253.3 netmask 255.255.255.255

Site 2

static (inside,dmz) 10.10.2.3 192.168.253.3 netmask 255.255.255.255

Would this then mean

I would be able to ping 10.10.1.3 from site A and it NATs through to 192.168.253.3 in Site 2

and

I would be able to ping 10.10.2.3 from site B and it NATs through to 192.168.253.3 in Site 1

Also, is there any routing that would need to be configured for the NAT'ing to work?

Hi,

The picture doesn't mention anything about 10.10.1.x/yy or 10.10.2.x/yy networks?

- Jouni

Those are just IPs I used for NAT IP 1 and NAT IP 2. What should I be using for NAT IP 1 and NAT IP 2? Please forgive my questions, I'm only just learning this stuff.

OK,

So if we are using a totally different network for the NATs in the DMZ section of the ASA, then both will need routes for the NAT networks, 10.10.1.0/24 and 10.10.2.0/24 for example.

So far, the configurations could go something like this, for example:

Site 1

route dmz 10.10.2.0 255.255.255.0 172.16.100.2

static (inside,dmz) 10.10.1.3 192.168.253.3 netmask 255.255.255.255

static (inside,dmz) 10.10.1.4 192.168.253.4 netmask 255.255.255.255

static (inside,dmz) 10.10.1.5 192.168.253.5 netmask 255.255.255.255

static (inside,dmz) 10.10.1.6 192.168.253.6 netmask 255.255.255.255

The route configuration would tell the Site 1 ASA that the Site 2 NAT network 10.10.2.0/24 is found through the Site 2 ASA DMZ interface (where it is being used for NAT IP addresses).

Site 2

route dmz 10.10.1.0 255.255.255.0 172.16.100.1

static (inside,dmz) 10.10.2.3 192.168.253.3 netmask 255.255.255.255

static (inside,dmz) 10.10.2.4 192.168.253.4 netmask 255.255.255.255

static (inside,dmz) 10.10.2.5 192.168.253.5 netmask 255.255.255.255

static (inside,dmz) 10.10.2.6 192.168.253.6 netmask 255.255.255.255

The route configuration would tell the Site 2 ASA that the Site 1 NAT network 10.10.1.0/24 is found through the Site 1 ASA DMZ interface (where it is being used for NAT IP addresses).

Naturally you have to make sure that both sites' servers behind the ASA have the route to the other site's NAT network. But I presume the default route points to the ASA, so the above-mentioned route configuration on the ASA should be enough.

Please rate if you have found the information helpful.

Naturally ask more if needed.

- Jouni
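The following is an added example, not code from the thread or from Cisco. It is a small Python model of the two ASA 8.2 configurations posted above: it parses the `static (inside,dmz) ...` lines in the format Jouni gave earlier in the thread and the `route dmz ...` lines from the accepted answer, then traces one replication packet from a Site 1 server to the Site 2 NAT address and the server's reply back, showing the addresses each side's server actually sees. It also checks the precondition the whole design rests on: the mapped NAT addresses must lie outside the shared 192.168.253.0/24 and outside each other. Assumptions not stated on the page: each ASA's own DMZ address is taken from the other site's route next hop (172.16.100.1 at Site 1, 172.16.100.2 at Site 2); the model has no default route and no access-lists, so a packet with no matching route is reported as undeliverable rather than following whatever default the real box has.

```python
import ipaddress
import re

# ASA 8.2 forms used in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
#   route ifc network mask next_hop
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)$")


class Asa:
    """Just enough of one ASA: its DMZ address, static NATs and static routes."""

    def __init__(self, name, dmz_ip, config):
        self.name = name
        self.dmz_ip = ipaddress.ip_address(dmz_ip)
        self.statics = []  # (real_ifc, mapped_ifc, mapped_net, real_net)
        self.routes = []   # (ifc, network, next_hop)
        for line in (l.strip() for l in config.splitlines() if l.strip()):
            if m := STATIC_RE.match(line):
                real_ifc, mapped_ifc, mapped, real, mask = m.groups()
                self.statics.append((real_ifc, mapped_ifc,
                                     ipaddress.ip_network(f"{mapped}/{mask}"),
                                     ipaddress.ip_network(f"{real}/{mask}")))
            elif m := ROUTE_RE.match(line):
                ifc, net, mask, nh = m.groups()
                self.routes.append((ifc, ipaddress.ip_network(f"{net}/{mask}"),
                                    ipaddress.ip_address(nh)))
            else:
                raise ValueError(f"{name}: unsupported line: {line!r}")

    def egress(self, src, dst):
        """Inside host sends to dst: translate src via its static, route dst.
        Returns (src, dst, out_ifc, next_hop); None if no route matches (the
        real box would fall to its default route, i.e. not reach the peer)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real_ifc, _, mapped_net, real_net in self.statics:
            if real_ifc == "inside" and src in real_net:
                src = mapped_net[int(src) - int(real_net[0])]  # 1:1 offset
                break
        matches = [r for r in self.routes if dst in r[1]]
        if not matches:
            return None
        ifc, _, next_hop = max(matches, key=lambda r: r[1].prefixlen)
        return src, dst, ifc, next_hop

    def ingress(self, src, dst):
        """Packet arrives on dmz: map dst back to the real host behind the
        real interface, or None if no static claims dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real_ifc, mapped_ifc, mapped_net, real_net in self.statics:
            if mapped_ifc == "dmz" and dst in mapped_net:
                return src, real_net[int(dst) - int(mapped_net[0])], real_ifc
        return None


def trace_replication(local, remote, real_host, remote_nat_ip):
    """Request from real_host behind `local` to remote_nat_ip, then the reply.
    Returns ((src, dst) as the remote server sees it, (src, dst) as the local
    server sees the reply), or None if either leg cannot be delivered."""
    hop = local.egress(real_host, remote_nat_ip)
    if hop is None or hop[2] != "dmz" or hop[3] != remote.dmz_ip:
        return None
    seen_remote = remote.ingress(hop[0], hop[1])
    if seen_remote is None:
        return None
    req_src, req_dst, _ = seen_remote
    back = remote.egress(req_dst, req_src)  # server answers the NAT IP it saw
    if back is None or back[2] != "dmz" or back[3] != local.dmz_ip:
        return None
    seen_local = local.ingress(back[0], back[1])
    if seen_local is None:
        return None
    return (str(req_src), str(req_dst)), (str(seen_local[0]), str(seen_local[1]))


def nat_blocks_disjoint(real_net, *asas):
    """Mapped addresses must lie outside the real subnet and outside every
    other mapped address, otherwise the overlap has not been removed."""
    real = ipaddress.ip_network(real_net)
    mapped = [m for a in asas for _, _, m, _ in a.statics]
    for i, m in enumerate(mapped):
        if m.overlaps(real) or any(m.overlaps(o) for o in mapped[i + 1:]):
            return False
    return True


# Config lines as posted in the thread (constructed sample input).
SITE1_CONFIG = """
route dmz 10.10.2.0 255.255.255.0 172.16.100.2
static (inside,dmz) 10.10.1.3 192.168.253.3 netmask 255.255.255.255
static (inside,dmz) 10.10.1.4 192.168.253.4 netmask 255.255.255.255
static (inside,dmz) 10.10.1.5 192.168.253.5 netmask 255.255.255.255
static (inside,dmz) 10.10.1.6 192.168.253.6 netmask 255.255.255.255
"""
SITE2_CONFIG = """
route dmz 10.10.1.0 255.255.255.0 172.16.100.1
static (inside,dmz) 10.10.2.3 192.168.253.3 netmask 255.255.255.255
static (inside,dmz) 10.10.2.4 192.168.253.4 netmask 255.255.255.255
static (inside,dmz) 10.10.2.5 192.168.253.5 netmask 255.255.255.255
static (inside,dmz) 10.10.2.6 192.168.253.6 netmask 255.255.255.255
"""
# DMZ addresses are an assumption inferred from the peers' route next hops.
SITE1 = Asa("site1", "172.16.100.1", SITE1_CONFIG)
SITE2 = Asa("site2", "172.16.100.2", SITE2_CONFIG)
# Same statics with the route line left out: the omission the answer warns about.
SITE1_NO_ROUTE = Asa("site1-noroute", "172.16.100.1",
                     "\n".join(SITE1_CONFIG.splitlines()[2:]))

if __name__ == "__main__":
    print("disjoint :", nat_blocks_disjoint("192.168.253.0/24", SITE1, SITE2))
    print("prod->DR :", trace_replication(SITE1, SITE2, "192.168.253.3", "10.10.2.3"))
    print("no route :", trace_replication(SITE1_NO_ROUTE, SITE2, "192.168.253.3", "10.10.2.3"))
    print("no static:", trace_replication(SITE1, SITE2, "192.168.253.9", "10.10.2.3"))
```

Run as a script, the working case shows the Site 2 server receiving the request from 10.10.1.3 (not from 192.168.253.3, which would collide with its own subnet) and the Site 1 server receiving the reply from 10.10.2.3. Dropping the route line makes the request undeliverable, and a host that has no static of its own (192.168.253.9 here) gets its request through but the reply is addressed to 192.168.253.9 on the wrong site, so every replicating server needs its own static on both ASAs.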
