Configure Double NAT for overlapping remote LAN subnets in VPN tunnel

cybergeek

Hi All

I need some help in configuring the NAT via ASDM; my case is as follows:

I have a requirement where there are multiple subnets with different CIDRs in the remote LAN, and some of these subnets are already in use by other customers on my end. So I am wondering how we will perform the double NAT for these subnets.

E.g., these are the remote LAN subnets I need to configure in the VPN tunnel:

10.1.10.0/24
10.1.11.0/24
10.1.12.0/24
10.1.13.0/24
10.1.14.0/24
10.1.15.0/24
10.1.32.0/19
10.1.64.0/18
10.1.128.0/17

Now subnets 10.1.11.0/24, 10.1.12.13, 10.1.32.0/19 are already used by one of my other customers. So I want to know how I will perform the NAT for these overlapping subnets in Cisco ASA. I have picked some subnets for NAT, which are 192.168.60.0/24, 192.168.61.0/24 and 192.168.62.0/24. Also, do I need the NAT statement which is automatically generated by ASDM when we choose the "NAT exempt" check box? If someone can please share the ASDM output for how to configure the NAT in this case, that will be really helpful.

I am thinking this NAT statement:

nat (Inside,outside) 187 source static 10.1.11.0 192.168.60.0 destination static Customer-Remote-LAN Customer-Remote-LAN

And I will add 192.168.60.0 to the Customer-Remote-LAN object group.

Thank you very much in advance.


6 Replies

Hello MHM

Thanks for sharing this document. I already went through this document, but my case is different. This document is good when both sides are performing NAT. In my case only my side, which is the ASA firewall, needs the NAT, as the other side is using Cisco Meraki and it is not capable of adding NAT statements for these subnets. So I am specifically looking for the NAT statement for the ASA.

Thank you

Cisco Meraki does not support NAT but supports IPSec VPN? Are you sure?
If the Meraki supports NAT,
you need two NAT statements:
ip nat inside source
ip nat outside source

These two commands solve the issue for the Meraki side.
I replaced the link with the best one.

https://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/107992-IOSRouter-overlapping.html

Cisco Meraki uses the Auto-VPN feature; unlike the ASA, it is limited in adding manual NAT statements for individual LAN subnets for VPN traffic. Now the only option I have is to configure NAT on the ASA (my side). As I mentioned, the customer is using a different set of subnets, and a few of them overlap on my side as they are already being used with other customers on the ASA.

I have made the following script for the ASA. Can someone validate my script for this use case?

object network Customer-Remote-10.1.11.0
subnet 10.1.11.0 255.255.255.0

object network Customer-Remote-NAT1
subnet 192.168.60.0 255.255.255.0
description NATed Subnet for 10.1.11.0/24


nat (inside,outside) source static Customer-Remote-10.1.11.0 Customer-Remote-NAT1 destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET

Yes, looks good.

object network Customer-Remote-10.1.11.0
subnet 10.1.11.0 255.255.255.0

object network Customer-Remote-NAT1
subnet 192.168.60.0 255.255.255.0
description NATed Subnet for 10.1.11.0/24


nat (inside,outside) source static Customer-Remote-10.1.11.0 Customer-Remote-NAT1 destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET

Your local address is 10.1.11.0/24 and you convert (translate) it to 192.168.60.0/24, so this address will be presented to the remote side, and for you the destination IP address is REMOTE_VPN_SUBNET.

Please do not forget to rate.
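As an added example (not from the thread's posters), the following script takes the subnet lists from this thread, finds which remote subnets collide with address space already used behind the ASA, pairs each one with an equally sized NAT pool, and renders object/nat lines in the form validated above. It assumes the thread's "10.1.12.13" means 10.1.12.0/24 and reuses the REMOTE_VPN_SUBNET object name; the helper names are mine. It also flags a constraint the posts do not spell out: static NAT is one-to-one, so the /19 cannot be hidden behind any of the /24 pools chosen.

```python
import ipaddress

# Constructed from the thread: remote LAN subnets reachable over the tunnel.
REMOTE_SUBNETS = [
    "10.1.10.0/24", "10.1.11.0/24", "10.1.12.0/24", "10.1.13.0/24",
    "10.1.14.0/24", "10.1.15.0/24", "10.1.32.0/19", "10.1.64.0/18",
    "10.1.128.0/17",
]
# Already used by other customers behind the ASA (10.1.12.0/24 assumed).
LOCALLY_USED = ["10.1.11.0/24", "10.1.12.0/24", "10.1.32.0/19"]
# Free pools the poster picked for the translated addresses.
NAT_POOLS = ["192.168.60.0/24", "192.168.61.0/24", "192.168.62.0/24"]


def overlapping(remote, used):
    """Return the remote subnets that collide with locally used space."""
    used_nets = [ipaddress.ip_network(u) for u in used]
    return [r for r in remote
            if any(ipaddress.ip_network(r).overlaps(u) for u in used_nets)]


def plan_twice_nat(remote, used, pools):
    """Pair each overlapping remote subnet with a pool of the same prefix
    length; subnets with no equally sized pool go to 'unmapped' rather than
    being silently truncated.  Returns (mapping, unmapped)."""
    free = [ipaddress.ip_network(p) for p in pools]
    mapping, unmapped = {}, []
    for r in overlapping(remote, used):
        real = ipaddress.ip_network(r)
        match = next((p for p in free if p.prefixlen == real.prefixlen), None)
        if match is None:
            unmapped.append(r)
            continue
        free.remove(match)
        mapping[r] = str(match)
    return mapping, unmapped


def asa_config(mapping, remote_obj="REMOTE_VPN_SUBNET"):
    """Render object and nat lines in the form used in the thread."""
    lines = []
    for i, (real, mapped) in enumerate(mapping.items(), start=1):
        rn, mn = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
        real_obj = f"Customer-Remote-{rn.network_address}"
        nat_obj = f"Customer-Remote-NAT{i}"
        lines += [f"object network {real_obj}",
                  f" subnet {rn.network_address} {rn.netmask}",
                  f"object network {nat_obj}",
                  f" subnet {mn.network_address} {mn.netmask}",
                  f" description NATed Subnet for {real}",
                  f"nat (inside,outside) source static {real_obj} {nat_obj} "
                  f"destination static {remote_obj} {remote_obj}"]
    return lines
```

Running `plan_twice_nat(REMOTE_SUBNETS, LOCALLY_USED, NAT_POOLS)` maps 10.1.11.0/24 and 10.1.12.0/24 to the first two pools and reports 10.1.32.0/19 as unmapped, which tells you a /19 pool is still needed before that subnet can be translated.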

Thank you Sheraz. Appreciate it. Thanks everyone.