ASA VPN with Address Overlap

wasim chandel · ‎04-29-2017

Hi,

Lets assume that 10.1.1.0/24 is the overlapping subnet on both ends of the tunnel.

nat (inside, outside) source static obj_10.1.1.0 obj_10.2.2.0 destination static obj_10.3.3.0 obj_10.1.1.0

This nat rule will translate 10.1.1.0/24 on site A to 10.2.2.0/24 and site B is being set up to pose as 10.3.3.0/24

Now as per this rule, if traffic from site A is destined to 10.3.3.0 subnet then source of 10.1.1.0 subnet will be translated to 10.2.2.0 subnet and the destination will be translated to 10.1.1.0 subnet.

Would this rule imply that if a packet with a source of 10.1.1.0 subnet on the outside interface be translated to 10.3.3.0 subnet.

or do we have to explicitly configure a rule as follows as well for it to work

nat (outside,inside) source static obj_10.1.1.0 obj_10.3.3.0

Please refer config below as an example. Appreciate it.

ASA VPN with Address Overlap

From the perspective of the business partner, our network will look like it is 192.168.2.x/24. Therefore the ouside party doesn’t even need to know that we are using 192.168.1.x/24. To access the partner’s 192.168.1.x/24 network, we will send traffic to 192.168.3.x, where x is the host we desire to reach on their 192.168.1.x/24 network.

Since NAT has very different configuration syntax starting in 8.3, this article is broken into two sections.

VPN with Overlapping Addresses (NAT 8.3 and later Syntax)

ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
!
//object groups to be used
//in nat configuration (below)
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
//crypto ACL
access-list L2LAccessList extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
//policy nat acl remnant of
//upgrade–no longer needed
access-list SRC_Translation extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
!
!
//policy nat translation
//translates a source of
//192.168.1.x/24 to
//192.168.2.0/24 only when
//the destination is 192.168.3.0/24
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.1.0
!
//translate destinations of
//192.168.3.0/24 to 192.168.1.0/24
//reference the objects above
object network obj-192.168.1.0
nat (outside,inside) static 192.168.3.0
!
//PAT all other traffic to
//interface IP
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
!
!
//VPN Configuration
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
!
: end
ciscoasa#

Ajay Saini · ‎05-01-2017

I am not sure what you mean by 'Would this rule imply that if a packet with a source of 10.1.1.0 subnet on the outside interface be translated to 10.3.3.0 subnet.'

To clarify what NAT would do - Other way round, the NAT means that a subnet of 10.1.1.0 if arives on ASA outside interface to access 10.2.2.0, then source(10.1.1.0) will be translated to 10.3.3.0) and destination will be untranslated to 10.1.1.0.

HTH

-AJ

View solution in original post

Ajay Saini · ‎05-01-2017

I am not sure what you mean by 'Would this rule imply that if a packet with a source of 10.1.1.0 subnet on the outside interface be translated to 10.3.3.0 subnet.'

To clarify what NAT would do - Other way round, the NAT means that a subnet of 10.1.1.0 if arives on ASA outside interface to access 10.2.2.0, then source(10.1.1.0) will be translated to 10.3.3.0) and destination will be untranslated to 10.1.1.0.

HTH

-AJ

wasim chandel · ‎05-02-2017

Hi Ajay,

In the config

//policy nat translation
//translates a source of
//192.168.1.x/24 to
//192.168.2.0/24 only when
//the destination is 192.168.3.0/24
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.1.0
!
//translate destinations of
//192.168.3.0/24 to 192.168.1.0/24
//reference the objects above
object network obj-192.168.1.0
nat (outside,inside) static 192.168.3.0

as you can see there are two nat rules configured, what I wonder is weather the second nat rule,

the one in bold letters can be omitted. As I understand static nat rules are bidirectional so why do we need an extra rule.

Ajay Saini · ‎05-02-2017

You are right.

If you need a condition based NAT, then we need a manual NAT which is what you already have. If there is no other requirement to static NAT 192.168.1.0 with 192.168.3.0 subnet otherwise, you can remove the second NAT.

-

AJ

wasim chandel · ‎05-02-2017

Good, so we are right then lol

ASA VPN with overlapping subnets.

ASA VPN with Address Overlap

Since NAT has very different configuration syntax starting in 8.3, this article is broken into two sections.

VPN with Overlapping Addresses (NAT 8.3 and later Syntax)