06-30-2016 11:29 AM - edited 03-12-2019 12:58 AM
I am running into a situation where I have duplicate subnets (10.1.1.0/24) with an internal network and an external vendor. The external vendor is coming across our PIX Firewall. Would it make sense to create a NAT statement on the outside interface for the 10.1.1.0/24 network traffic coming into our network and NAT it to a different subnet?
Would I be able to do the following:
static (outside,inside) 10.1.1.0 10.2.2.0 netmask 255.255.255.0
Also, do I need to add any static routing statements to the core switch below this pix to point it to the NAT network?
Thanks,
06-30-2016 05:02 PM
Hi Kyle,
Is the external vendor coming over a VPN tunnel?
If yes
Here is an example:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
Regards,
Aditya
Please rate helpful posts and mark correct answers.
07-01-2016 03:36 AM
Aditya,
Thank you for your reply.
Yes, they are coming across a VPN tunnel. So these changes need to be made on both ends? The only reason I ask is I'm unsure if the external side will be willing or able to do this.
07-01-2016 05:43 AM
Hi,
It depends on the version of both ASAs. If you have an ASA version before 8.3, then you need to make NAT changes on both devices.
If it is post 8.2, then you can do twice NAT on the ASA for the VPN traffic like this:
https://supportforums.cisco.com/document/51491/asa-bi-directional-overlapping-nat-example-configuration
Regards,
Aditya
Please rate helpful posts and mark correct answers.
07-01-2016 07:07 AM
This happens to be a PIX. Don't know if that changes anything.
Since my network doesn't need to access the external vendor, would it make the most sense for the vendor to NAT their network before coming across the tunnel, and then I modify all my object groups/ACLs to reflect the new IP range I am seeing (10.2.2.0/24)?
07-01-2016 07:37 AM
Hi Kyle,
The document shared in my first post holds good for this scenario.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
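A worked configuration for the overlapping-subnet VPN case discussed in this thread. It is added here as an example; it is not taken from any post above or from the Cisco documents linked in the replies. It assumes the local LAN is 10.1.1.0/24 (the real network), that the local side presents itself to the vendor as 10.2.2.0/24, and that the vendor translates their own 10.1.1.0/24 to 10.3.3.0/24 before the tunnel. The 10.3.3.0/24 range, the object and ACL names, the crypto map name OUTSIDE-MAP, the server 10.1.1.50 and the PIX inside address 10.1.1.1 are all assumptions chosen for illustration. The first section uses the pre-8.3 PIX/ASA syntax the original post is written in, the second is the equivalent twice NAT on ASA 8.3 and later, and the last line answers the routing question for the core switch.

```cisco
! Added example (not from the thread or the linked Cisco documents).
! Assumed addressing:
!   10.1.1.0/24  our real LAN (overlaps with the vendor's LAN)
!   10.2.2.0/24  our LAN as the vendor sees it (our mapped range)
!   10.3.3.0/24  the vendor's LAN as we see it (their mapped range; they
!                translate 10.1.1.0/24 -> 10.3.3.0/24 before the tunnel)
!   10.1.1.50    a local server, reachable by the vendor as 10.2.2.50
! The vendor configures the mirror image on their firewall; without that,
! their hosts have no way to send packets to a 10.1.1.x that is not local.

! ===== PIX / ASA 8.2 and earlier (the syntax used in the original post) =====
! Policy static NAT: our 10.1.1.0/24 becomes 10.2.2.0/24 only for traffic
! to/from the vendor's mapped range, so nothing else on the network changes.
! (On PIX 6.x omit the "extended" keyword.)
access-list VENDOR-NAT extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
static (inside,outside) 10.2.2.0 access-list VENDOR-NAT

! The crypto ACL matches packets after translation, so it uses mapped
! addresses on both sides; the vendor's crypto ACL must be the mirror image.
access-list VENDOR-VPN extended permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VENDOR-VPN

! Only needed if "sysopt connection permit-vpn" is disabled. Pre-8.3
! interface ACLs reference the address as seen on that interface (mapped),
! so the server appears here as 10.2.2.50, not 10.1.1.50.
access-list OUTSIDE-IN extended permit tcp 10.3.3.0 255.255.255.0 host 10.2.2.50 eq 443
access-group OUTSIDE-IN in interface outside

! ===== ASA 8.3 and later: twice NAT (manual NAT) equivalent =====
object network LOCAL-REAL
 subnet 10.1.1.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 10.2.2.0 255.255.255.0
object network VENDOR-MAPPED
 subnet 10.3.3.0 255.255.255.0
! Placed at line 1 of section 1 so a broader manual NAT rule cannot shadow it.
nat (inside,outside) 1 source static LOCAL-REAL LOCAL-MAPPED destination static VENDOR-MAPPED VENDOR-MAPPED
! Crypto ACL: still the mapped addresses.
access-list VENDOR-VPN extended permit ip object LOCAL-MAPPED object VENDOR-MAPPED
crypto map OUTSIDE-MAP 10 match address VENDOR-VPN
! Interface ACLs in 8.3+ use real addresses, so the server is 10.1.1.50 here.
access-list OUTSIDE-IN extended permit tcp object VENDOR-MAPPED host 10.1.1.50 eq 443
access-group OUTSIDE-IN in interface outside

! ===== Core switch below the PIX (IOS; 10.1.1.1 assumed to be the PIX inside IP) =====
! Inside hosts talk to 10.3.3.x, never to the vendor's real 10.1.1.x, so they
! need a path to the mapped range. Unnecessary if the default route already
! points at the PIX.
ip route 10.3.3.0 255.255.255.0 10.1.1.1
```

Two things are worth checking after applying this. First, the translation direction: in the `static (real_ifc,mapped_ifc) mapped_ip ...` form the mapped address comes first, which is the opposite order from the line proposed in the opening post. Second, on PIX/ASA 7.2 and later, `packet-tracer input outside tcp 10.3.3.10 12345 10.2.2.50 443` shows whether the inbound packet is untranslated to 10.1.1.50 and permitted, and `show xlate` should list the 10.1.1.0/24 to 10.2.2.0/24 entries once traffic flows. Because both sides translate, the vendor's interface ACLs, crypto ACL and routing all refer to 10.2.2.0/24, so the object groups and ACLs on the local side only ever see the vendor as 10.3.3.0/24.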