NAT hairpinning through vpn tunnel

Keith Craycraft
Level 1

network A 192.168.100.0

network B 192.168.200.0

network C 192.168.300.0

network B has a tunnel to network C

network A has a tunnel to network B

traffic will flow from A to B and from B to C

Traffic from A will flow to B, then to C. However, network A is required to be NATed to a network B address before proceeding to network C.

with

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,inside) 192.168.100.100 192.168.200.100 netmask 255.255.255.0
static (inside,inside) 192.168.200.100 192.168.100.100 netmask 255.255.255.0

gives an error that the global overlaps

access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.300.0 255.255.255.0

Trying to figure out how I work around this issue.


JP Miranda Z
Cisco Employee

Hi Keith,

Considering your tunnels are using their public or outside IPs, the static should be:

static (out,out) 192.168.100.100 192.168.200.100 netmask 255.255.255.0

That one should be bidirectional, so you don't need the other one the other way around.

Since the traffic is going to be NATed, you don't need this line:

access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

Make sure you have this command as well:

same-security-traffic permit intra-interface

(intra-interface: Permit communication between peers connected to the same interface and different interfaces in the same zone)

If you have more questions, please add the configuration of each of the devices.

Hope this info helps!!

Rate if it helps you!!

-JP-
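As an added illustration (not code from the thread or from Cisco), a small Python model of the NAT rule order a pre-8.3 ASA applies to a flow, which is why the reply says the nonat line is no longer needed: an exemption ACE that matches first bypasses the static, and one static covers both directions. The rule order and the untranslated fallback for unmatched flows (nat-control off) are assumptions of the model.

```python
import ipaddress

# Constructed model of pre-8.3 ASA NAT precedence (assumption):
# 1. nat 0 access-list exemption, 2. static, 3. no translation.


def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def select_nat(src, dst, exempt_aces, statics):
    """Decide how a flow src -> dst is translated.

    exempt_aces: [(src_net, dst_net)] from 'nat (ifc) 0 access-list nonat'
    statics:     [(mapped_ip, real_ip)] from 'static (ifc,ifc) mapped real'
    Returns (rule, src_after, dst_after).
    """
    for ace_src, ace_dst in exempt_aces:
        if _in(src, ace_src) and _in(dst, ace_dst):
            return ("exempt", src, dst)      # exemption wins over the static
    for mapped, real in statics:
        if src == real:                      # outbound: real -> mapped
            return ("static", mapped, dst)
        if dst == mapped:                    # inbound: the same static untranslates
            return ("static", src, real)
    return ("none", src, dst)                # unmatched flow passes untranslated


# The reply's static, tested with the first nonat ACE kept and then removed.
STATIC = [("192.168.100.100", "192.168.200.100")]
NONAT_KEPT = [("192.168.200.0/24", "192.168.100.0/24")]
NONAT_REMOVED = []


def demo():
    # 192.168.100.5 is a constructed host address in network A.
    return {
        "kept": select_nat("192.168.200.100", "192.168.100.5", NONAT_KEPT, STATIC),
        "removed": select_nat("192.168.200.100", "192.168.100.5", NONAT_REMOVED, STATIC),
        "reverse": select_nat("192.168.100.5", "192.168.100.100", NONAT_REMOVED, STATIC),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```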
