1591 Views, 0 Helpful, 4 Replies

How can we implement 2 tunnels (same source firewall, different destination firewalls) with the same source and destination subnets?

ahin.shaw, Level 1

I have come across a conflict situation, given the limitation that we cannot apply NAT in the remote environment.

 

Tunnel 1

Local Firewall IP : x.x.x.x

Peer Firewall IP : y.y.y.y

Local Subnet : 10.252.100.0/24

Remote Subnet : 192.168.100.0/24

 

Tunnel 2

Local Firewall IP : x.x.x.x

Peer Firewall IP : z.z.z.z

Local Subnet : 10.252.100.0/24

Remote Subnet : 192.168.100.0/24

 

Please advise how this can be solved using ASA5515 firewalls.

 


4 Replies

balaji.bandi, Hall of Fame

You have to NAT somewhere to mitigate the same subnet in the environment.

 

What device is at the remote end?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Palo Alto

 

I am okay with doing NAT at our end (Cisco ASA). We cannot do NAT at remote ends.


Thank you.

Yes, you can mitigate this with a different IP address by NATing one of the sites at your end.

 

Make sure they allow your new IP address in the far-end ACL.

 

BB


The solution is brief; I realized it after Balaji's comment and after looking at the packet flow of the Cisco ASA.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

 

The ASA performs XLATE functionality, which can act as a pseudo address for the destination; similarly, I have to NAT my source to a different address. Following this, when a route for the tunnel is established, it knows the forward path (pseudo address) and the reverse path (NATed source).

 

I don't have an environment to test, but I definitely feel it will work, knowing the ASA creates a policy-based tunnel.

The original thought was to identify a solution for such cases using PA, Checkpoint, ASA and Fortigate.
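As an added illustration, not part of the thread or of any poster's configuration, the design ahin.shaw describes (a pseudo destination address for the second site, plus a NATed local source, all on the ASA) can be written in ASA 8.3+ twice-NAT syntax as below. Everything beyond the thread's own subnets and peers is an assumption: the pseudo subnets 172.16.2.0/24 and 10.252.200.0/24, the object, ACL and crypto map names, and the existence of an already-configured IKE policy and transform set. Tunnel 1 keeps the real addresses (identity NAT); Tunnel 2 has local hosts send traffic to 172.16.2.0/24, which the ASA untranslates to 192.168.100.0/24 while translating the source to 10.252.200.0/24, so the two crypto ACLs no longer overlap.

```text
! --- Constructed example for ASA 8.3+ (not from the original thread) ---
! Real and pseudo address objects
object network LOCAL_LAN
 subnet 10.252.100.0 255.255.255.0
object network LOCAL_LAN_NAT_SITE2
 subnet 10.252.200.0 255.255.255.0        ! assumed: new source seen by Site 2
object network SITE1_REAL
 subnet 192.168.100.0 255.255.255.0       ! Site 1 behind peer y.y.y.y
object network SITE2_REAL
 subnet 192.168.100.0 255.255.255.0       ! Site 2 behind peer z.z.z.z (same subnet)
object network SITE2_PSEUDO
 subnet 172.16.2.0 255.255.255.0          ! assumed: what local hosts use to reach Site 2

! Tunnel 1: identity NAT, addresses unchanged in both directions
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SITE1_REAL SITE1_REAL no-proxy-arp route-lookup

! Tunnel 2: twice NAT. Destination 172.16.2.0/24 is untranslated to 192.168.100.0/24,
! source 10.252.100.0/24 is translated to 10.252.200.0/24 (mapped object first, then real)
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN_NAT_SITE2 destination static SITE2_PSEUDO SITE2_REAL

! Crypto ACLs match post-NAT addresses, so the two entries are distinct
access-list VPN_SITE1 extended permit ip 10.252.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPN_SITE2 extended permit ip 10.252.200.0 255.255.255.0 192.168.100.0 255.255.255.0

! Policy-based tunnels selected by crypto ACL, one entry per peer
! (ikev1 policy and transform set TS_AES256 assumed to exist)
crypto map OUTSIDE_MAP 10 match address VPN_SITE1
crypto map OUTSIDE_MAP 10 set peer y.y.y.y
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256
crypto map OUTSIDE_MAP 20 match address VPN_SITE2
crypto map OUTSIDE_MAP 20 set peer z.z.z.z
crypto map OUTSIDE_MAP 20 set ikev1 transform-set TS_AES256
crypto map OUTSIDE_MAP interface outside
```

The far end of Tunnel 2 must permit 10.252.200.0/24 as the remote subnet in its crypto ACL and security policy, as balaji.bandi notes, since that is the only source it will ever see; the order of the two manual NAT statements is not critical here because each matches a different destination object, but keeping the identity rule first is the usual practice on ASA.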
