NAT for overlapping subnets

Kyle Smith
Level 1

I am running into a situation where I have duplicate subnets (10.1.1.0/24) with an internal network and an external vendor. The external vendor is coming across our PIX Firewall. Would it make sense to create a NAT statement on the outside interface for the 10.1.1.0/24 network traffic coming into our network and NAT it to a different subnet?

Would I be able to do the following:

static (outside,inside) 10.2.2.0 10.1.1.0 netmask 255.255.255.0

Also, do I need to add any static routing statements to the core switch below this pix to point it to the NAT network?

Thanks,

Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi Kyle,

Is the external vendor coming over a VPN tunnel?

If yes, then you can NAT the traffic and make the changes in the crypto ACL as well.

Here is an example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html

Regards,

Aditya

Please rate helpful posts and mark correct answers.


5 Replies

Aditya,

Thank you for your reply. 

Yes, they are coming across a VPN tunnel. So these changes need to be made on both ends? Only reason I ask is I'm unsure if the external side will be willing or able to do this.

Hi,

It depends on the version of both ASAs. If you have ASA version pre 8.3 then you need to do NAT changes on both the devices.

If it is post 8.2 then you can do a twice NAT on the ASA for the VPN traffic like this:

https://supportforums.cisco.com/document/51491/asa-bi-directional-overlapping-nat-example-configuration

Regards,

Aditya

Please rate helpful posts and mark correct answers.
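As an added illustration of the twice NAT approach mentioned above (not configuration from this thread or from the linked Cisco document), here is what the rule would look like on an ASA 8.3+ for the subnets in this thread. The object names, the interface names, and 10.3.3.0/24 as the mapped range for the local side are assumptions; 10.1.1.0/24 on both ends and 10.2.2.0/24 for the vendor come from the question.

```cisco
! Real networks: both sides are 10.1.1.0/24, which is the overlap
object network LOCAL-REAL
 subnet 10.1.1.0 255.255.255.0
object network VENDOR-REAL
 subnet 10.1.1.0 255.255.255.0
!
! Mapped networks: the vendor is seen by inside hosts as 10.2.2.0/24 (from
! the question); inside hosts are presented to the vendor as 10.3.3.0/24 (assumed)
object network LOCAL-MAPPED
 subnet 10.3.3.0 255.255.255.0
object network VENDOR-MAPPED
 subnet 10.2.2.0 255.255.255.0
!
! Twice NAT on the local ASA only: an inside host sending to the vendor's
! mapped range 10.2.2.x has its source translated to 10.3.3.x and the
! destination translated back to the vendor's real 10.1.1.x. The rule is
! bidirectional, so vendor replies arriving for 10.3.3.x are translated to
! the real inside host, and the inside host sees the vendor as 10.2.2.x.
! Line 1 of section 1 so it is evaluated before any dynamic PAT rule.
nat (inside,outside) 1 source static LOCAL-REAL LOCAL-MAPPED destination static VENDOR-MAPPED VENDOR-REAL
!
! On 8.3+ the crypto ACL matches translated addresses, so the interesting
! traffic is our mapped range to the vendor's real range
access-list VPN-VENDOR extended permit ip object LOCAL-MAPPED object VENDOR-REAL
!
! The vendor keeps its real addressing but its crypto ACL must mirror this
! (10.1.1.0/24 <-> 10.3.3.0/24), which is the change on their end
```

Inside hosts and object groups on the local side then reference the vendor as 10.2.2.0/24 only; no static route for that range is needed on the core switch beyond the default route toward the firewall, because the translation happens on the ASA itself.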

This happens to be a PIX. Don't know if that changes anything.

Since my network doesn't need to access the external vendor, would it make the most sense for the vendor to NAT their network before coming across the tunnel and then I modify all my object groups/ACLs to reflect the new IP range I am seeing (10.2.2.0/24)?

Hi Kyle,

In that case we need to make changes on both the ends.

The document shared in my first post holds good for this scenario.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
