cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
763
Views
0
Helpful
4
Replies

Double NATTING two servers together in overlapping networks

Brandon Koehler
Level 1
Level 1

Background:

Our facility sits between two separate facilities. Facility A is directly connected via fiber, and an ASA5505 whose current sole job is to NAT our internal (192.168.80.0/21) addresses to addresses routeable by Facility A. Facility B is connected via VPN in our main internet firewall, an ASA5510, which does all of the VPNs, as well as provide access to the internet for our users. Facility B asked us to use the private range 192.168.80.0/21 for our internal addresses so this equipment can access the VPN. We have done this, but these are not addressable by Facility A. Facility A has given us two ranges to use internally for their equipment, 10.31.12.0/24 and 10.31.16.0/24, but these are not addressable by Facility B.

Problem:

Facility A has Server A (10.31.2.116), Facility B has Server B (10.1.1.119). Both facilities use the rest of the 10.0.0.0 private network range respectively. These servers need to have bidirectional communication.

Solution?

Setup the ASA5505 to destination NAT all packets originating from Server A, 10.31.2.116, and directed to 10.31.12.99, to the correct destination IP of 10.1.1.119, Server B. The ASA5510 will then source NAT all packets coming from 10.31.2.116 to 192.168.84.5.  I think this will work, but the routing is troubling me. It's easy enough to direct 192.168.84.0 to the ASA5505, but the way that the 10.x.x.x nets are setup makes me think the packets will be dropped.

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

Hi Brandon,

If I understand you correctly, you have the following:

server-A at facility-A has real ip address of 10.31.2.116

server-B at facility-B has real ip address of 10.1.1.119

Because they are in the same 10.0.0.0/8 network, you would need to NAT each server respectively to a different ip address.

And you would like to NAT it to the following:

server-A NAT to 10.31.12.99 when traffic is destined to server-B

server-B NAT to 192.168.84.5 when traffic is destined to server-A

If the above is correct, then here is how you would configure it (this is assuming that you are running ASA version 8.2 and below, and also assuming you are using interface inside and outside):

ASA @facility-A:

access-list static-server-A permit ip host 10.31.2.116 host 192.168.84.5

static (inside,outside) 10.31.12.99 access-list static-server-A

ASA @facility-B:

access-list static-server-B permit ip host 10.1.1.119 host 10.31.12.99

static (inside,outside) 192.168.84.5 access-list static-server-B

Hope that helps.

Yes, you have what I'm trying to do correctly.

Looks simple.

I'll implement the changes tonight and report back.

Thanks.

That didn't work, but I think I know why. I misread what you thought I was trying to do:

"server-A NAT to 10.31.12.99 when traffic is destined to server-B

server-B NAT to 192.168.84.5 when traffic is destined to server-A"

Isn't quite right.

I want server-A (10.31.2.116) to look like 192.168.84.5 from server-B and, server B (10.1.1.119) to look like 10.31.12.99 from server A.

I took your commands and spun off from them, putting them on the outside interfaces of the ASAs, but I'm not quite getting them to work.

Sorry for the confusion.

Then, it should be configured as follows:

ASA @facility-A:

access-list static-server-A permit ip host 10.31.2.116 host 10.31.12.99

static (inside,outside) 192.168.84.5 access-list static-server-A

ASA @facility-B:

access-list static-server-B permit ip host 10.1.1.119 host 192.168.84.5

static (inside,outside) 10.31.12.99 access-list static-server-B

And please make sure that you "clear xlate" on both ASA prior to testing connectivity. Also assuming that you have all the ACL in place to allow connectivity between the 2 sites.

Review Cisco Networking for a $25 gift card