ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

Greetings all.  I've searched through the forums and have found some similar situations to mine but nothing specific.  I'm hoping this is an easy fix...  :/

I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4).  They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-Ray images.  Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already.  So...

The network admin on the Fortinet side assigned me 172.31.1.0/24.  I have established a connection but obviously, cannot route anywhere to the other side.  Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?

Thank you in advance everyone.

1 Reply

danmoren
Level 1

Hello Chris,

For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.

Basically the NAT configuration will be like this:

object network Local-net
 subnet 192.168.1.0 255.255.255.0
object network Translated-net
 subnet 172.31.1.0 255.255.255.0
object network Fortinet-net
 subnet 10.10.115.0 255.255.255.0

nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net

Obviously, you can change the name of the objects.

Then in the interesting traffic, the ACL that is applied in the crypto map that defines the VPN traffic, you will need to configure it like this:

access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0

This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.

Let me know if you have any doubts.

Daniel Moreno

Please rate any posts you find useful
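To see why the crypto ACL in the reply above has to match the translated 172.31.1.0/24 rather than the real 192.168.1.0/24, here is an added Python model of the outbound packet path (NAT first, then the crypto ACL check). It is example code written for this page, not configuration from the thread or from Cisco; the three networks mirror the objects in the reply and the packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


# Constructed sample networks mirroring the three ASA network objects in the reply.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")      # object network Local-net
TRANSLATED_NET = ipaddress.ip_network("172.31.1.0/24")  # object network Translated-net
FORTINET_NET = ipaddress.ip_network("10.10.115.0/24")   # object network Fortinet-net


def static_map(addr, real, mapped):
    """Net-to-net static NAT with equal-size objects: keep the host bits, swap the network bits."""
    offset = int(addr) - int(real.network_address)
    return ipaddress.IPv4Address(int(mapped.network_address) + offset)


def twice_nat_outbound(pkt):
    """Models: nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net"""
    if pkt.src in LOCAL_NET and pkt.dst in FORTINET_NET:
        return Packet(static_map(pkt.src, LOCAL_NET, TRANSLATED_NET), pkt.dst)
    return pkt  # any other destination keeps its real source address


def twice_nat_inbound(pkt):
    """Reverse side of the same rule: the Fortinet site reaches 172.31.1.x and lands on 192.168.1.x."""
    if pkt.src in FORTINET_NET and pkt.dst in TRANSLATED_NET:
        return Packet(pkt.src, static_map(pkt.dst, TRANSLATED_NET, LOCAL_NET))
    return pkt


def crypto_acl_matches(pkt, src_net, dst_net):
    """access-list anyname permit ip <src_net> <dst_net>, evaluated on the packet as the ASA sees it after NAT."""
    return pkt.src in src_net and pkt.dst in dst_net


def outbound_is_encrypted(pkt, acl_src_net):
    """True only if the post-NAT packet is selected by the crypto ACL, i.e. the tunnel will carry it."""
    return crypto_acl_matches(twice_nat_outbound(pkt), acl_src_net, FORTINET_NET)
```

Writing the crypto ACL with the real 192.168.1.0/24 as source leaves outbound_is_encrypted() false for every host, which is the silent "tunnel is up but nothing passes" symptom described in the question.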