In some network situations (usually when two previously separate networks become interconnected) the IP subnets overlap. If the IP duplication cannot be resolved by renumbering one of the subnets, NAT is required to provide connectivity between them.
Consider the following example, where the 10.10.10.0/24 network exists on both the inside and the outside interfaces of the firewall. The 10.10.10.0/24 network on the outside of the firewall is reachable via an IPsec LAN-to-LAN tunnel:
In ASA version 8.3 and later, connectivity between the two subnets can be established by having the inside subnet reach the outside subnet by sending packets to the 10.10.30.0/24 network, and the outside subnet reach the inside subnet by sending packets to the 10.10.20.0/24 network.
Note that the ASA needs a route not only to the local LAN segment but also to the remote LAN segment, and the ASA does not allow duplicate routing entries. To add the second route, increase the metric on the route that points out the outside interface; this satisfies the ASA requirement that the two routes differ:
Both routes are valid and operational. Remember that the ASA has the concept of routes applied on a particular interface (that is why you specify the interface nameif when you add the route statement). Also, NAT translations can override the routing table, which is the key to this example.
With a NAT configuration like this, the NAT translations override the global routing table and effectively forward packets destined to 10.10.20.x or 10.10.30.x to the egress interface first, without consulting the global routing table. Only the routes associated with the interface the packet was forwarded to are then used to find the next hop.
If a packet does not match these translations (that is, a "global" routing decision is needed), for example a packet sourced from a DMZ and destined to the 10.10.10.x network that matches neither translation, the global routing table is consulted and the route with the lower metric always wins; in this case the packet is routed to the inside interface.
This "route-override" behavior of translations can be modified with the 'route-override' argument to manual NAT rules; see this documentation for more information (search the page for 'route-override'):
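The configuration described above, written out as an added example (not the original article's configuration): the object names, the next-hop addresses 192.168.1.2 and 203.0.113.1, and the crypto ACL name are assumptions constructed for this example.

```cisco
! Objects for the two overlapping 10.10.10.0/24 subnets and the
! non-overlapping addresses each side uses to reach the other.
object network INSIDE-REAL
 subnet 10.10.10.0 255.255.255.0
object network INSIDE-MAPPED
 subnet 10.10.20.0 255.255.255.0
object network REMOTE-REAL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 10.10.30.0 255.255.255.0
!
! Same prefix on two interfaces: the ASA accepts both entries only
! because the metrics differ. Next hops 192.168.1.2 (inside router)
! and 203.0.113.1 (ISP gateway) are constructed for this example.
route inside 10.10.10.0 255.255.255.0 192.168.1.2 1
route outside 10.10.10.0 255.255.255.0 203.0.113.1 2
!
! Manual (twice) NAT. An inside host sends to 10.10.30.x; the ASA
! rewrites source 10.10.10.x -> 10.10.20.x and destination
! 10.10.30.x -> 10.10.10.x, then forwards out "outside" using that
! interface's routes rather than the global table. The same rule
! handles the reverse direction for remote hosts sending to 10.10.20.x.
nat (inside,outside) source static INSIDE-REAL INSIDE-MAPPED destination static REMOTE-MAPPED REMOTE-REAL
!
! NAT is applied before encryption, so the crypto ACL for the
! LAN-to-LAN tunnel must match the translated addresses
! (10.10.20.0/24 <-> 10.10.10.0/24), not 10.10.10.0/24 on both sides.
access-list L2L-TRAFFIC extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
```

Verify the result with `packet-tracer input inside tcp 10.10.10.5 12345 10.10.30.5 80` and confirm the NAT phase rewrites both addresses and the egress interface is "outside".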