In some network situations (usually due to two different networks becoming interconnected) there might be a situation where there are overlapping IP subnets. If the ip duplication cannot be resolved by re-numbering one of the subnets, NAT is required to provide connectivity between them.
Consider the following example where the 10.10.10.0/24 network exists on both the inside and the outside interfaces of the firewall. The 10.10.10.0/24 network on the outside of the firewall is reachable via an IPSEC Lan-to-Lan tunnel:
In ASA version 8.3 and later, connectivity between the two subnets can be established by having the inside subnet reach the outside subnet by sending packets to the 10.10.30.0/24 network, and the outside subnet connect to the inside subnet by sending packets to the 10.10.20.0/24 subnet.
Note that the ASA will need to have a route to not only the local LAN segment, but the remote LAN segment, and the ASA does not allow duplicate routing entries. To add this duplicate route, increase the metric for the route facing out the outside interface, which will satisfy the ASA requirement that the routes be different:
Both routes are valid and operational; remember, the ASA has the concept of routes applied on a particular interface (that is why you specify the interface nameif when you add the route statement). Also, the NAT translations can override the routing table, which is key in this example.
With a NAT configuration like this, the NAT translations override the global routing table, and will virtually forward the packets destined to 10.10.20.x or 10.10.30.x to the egress interface first, without consulting the global routing table. Then, only the routes associated with that interface the packet was forwarded to are used to find the next hop.
If packets don't match these translations, (when a "global" routing decision is needed) for a packet destined to the 10.10.10.x network (a packet sourced from a DMZ for example, that does not match either of these translations), the global routing table is consulted and the route with the lower metric will always win, and in this case it will be routed to the inside interface.
This "route-override" behavior of translations can be modified with the 'route-override' argument to manual NAT rules, see this documentation for more information (find in page for 'route-override'):
Currently working on updating our ironport to use LDAPS on port 3269. Currently it's just using regular LDAP on port 389. We have 2 LDAPS servers and the first succeeds when using the Start Test button but getting an error for the 2nd server. Any advice? ...
Hi, after update the ASA image, I've noticed the following messages/warnings after reboot:(I use the following ASA image: asa984-15-lfbff-k8.SPA)Configuring network interfaces... done.Populating dev cachedosfsck 2.11, 12 Mar 2005, FAT32, LFNTher...
All, I have have redesigned my network and now have my Core router(s) using HSRP. I currently have a IPSec VPN up and running on the physical IP address (crypo map kfc). I am trying to bring up a new VPN using the VIP virtual IP add...