04-04-2022 06:17 AM
Hi All
I need some help in configuring the NAT via ASDM, my case is as follows:
I have a requirement where there are multiple subnets with different CIDRs in the remote LAN, and some of these subnets are already in use by other customers on my end. So I am wondering how we will perform the double NAT for these subnets.
e.g. these are the remote LAN subnets I need to configure in the VPN tunnel:
10.1.10.0/24
10.1.11.0/24
10.1.12.0/24
10.1.13.0/24
10.1.14.0/24
10.1.15.0/24
10.1.32.0/19
10.1.64.0/18
10.1.128.0/17
Now subnets 10.1.11.0/24, 10.1.12.13, 10.1.32.0/19 are already used by one of my other customers. So I want to know how I will perform the NAT for these overlapping subnets in Cisco ASA. I have picked some subnets for NAT, which are 192.168.60.0/24, 192.168.61.0/24 and 192.168.62.0/24. Also, do I need the NAT statement which is automatically generated by ASDM when we choose the "NAT exempt" check box? If someone can please share the ASDM output showing how to configure the NAT in this case, that will be really helpful.
I am thinking this NAT statement:
nat (Inside,outside) 187 source static 10.1.11.0 192.168.60.0 destination static Customer-Remote-LAN Customer-Remote-LAN
And I will add 192.168.60.0 in Customer-Remote-LAN object group.
Thank you very much in advance.
Solved! Go to Solution.
04-04-2022 07:01 AM
Cisco Meraki uses the Auto-VPN feature; unlike ASA, it is limited in adding manual NAT statements for individual LAN subnets for VPN traffic. Now the only option I have is to configure NAT on the ASA (my side). As I mentioned, the customer is using a different set of subnets and a few of them are overlapping on my side, as they are already being used with other customers in the ASA.
I have made the following script for the ASA. Can someone validate my script for this use case?
object network Customer-Remote-10.1.11.0
subnet 10.1.11.0 255.255.255.0
object network Customer-Remote-NAT1
subnet 192.168.60.0 255.255.255.0
description NATed Subnet for 10.1.11.0/24
nat (inside,outside) source static Customer-Remote-10.1.11.0 Customer-Remote-NAT1 destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET
04-04-2022 07:37 AM - edited 04-04-2022 07:39 AM
Yes, looks good.
object network Customer-Remote-10.1.11.0
subnet 10.1.11.0 255.255.255.0
object network Customer-Remote-NAT1
subnet 192.168.60.0 255.255.255.0
description NATed Subnet for 10.1.11.0/24
nat (inside,outside) source static Customer-Remote-10.1.11.0 Customer-Remote-NAT1 destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET
Your local address is 10.1.11.0/24 and you convert (translate) it to 192.168.60.0/24, so this address will be presented to the remote side, and for you the destination IP address is REMOTE_VPN_SUBNET.
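To make the twice-NAT rule above concrete, here is a small added example (not code from the thread or from Cisco) that models the ASA statement `nat (inside,outside) source static REAL MAPPED destination static MAPPED_DST REAL_DST`, checks which of the remote subnets from the original post collide with the subnets already in use locally, and traces a packet in both directions. The subnet lists and the 10.1.11.0/24 -> 192.168.60.0/24 mapping are the thread's; the `TwiceNatRule` class, the choice of 10.1.10.0/24 to stand in for `REMOTE_VPN_SUBNET` in the trace, and the rule that a mapped block must be at least as large as the real block (so the 10.1.32.0/19 entry cannot be mapped one-to-one onto a /24 from the chosen pool) are assumptions of this model.

```python
# Added example: model of an ASA twice-NAT (manual NAT) rule, not the thread's
# own configuration. Addresses come from the thread; semantics follow the CLI form
#   nat (inside,outside) source static REAL MAPPED destination static MAPPED_DST REAL_DST
import ipaddress as ip
from dataclasses import dataclass

# Remote LAN subnets to be reachable through the tunnel (from the thread).
REMOTE_LAN = [ip.ip_network(n) for n in (
    "10.1.10.0/24", "10.1.11.0/24", "10.1.12.0/24", "10.1.13.0/24", "10.1.14.0/24",
    "10.1.15.0/24", "10.1.32.0/19", "10.1.64.0/18", "10.1.128.0/17")]
# Subnets already used by another customer on the ASA side (from the thread).
LOCAL_IN_USE = [ip.ip_network(n) for n in ("10.1.11.0/24", "10.1.12.0/24", "10.1.32.0/19")]
# Translated ranges picked for the overlapping subnets (from the thread).
NAT_POOL = [ip.ip_network(n) for n in ("192.168.60.0/24", "192.168.61.0/24", "192.168.62.0/24")]


def overlapping_subnets(remote, local):
    """Remote subnets that collide with anything already in use locally."""
    return [r for r in remote if any(r.overlaps(l) for l in local)]


def _remap(addr, from_net, to_net):
    """Static network translation keeps the host part, so the mapped block must be
    at least as large as the real block (an assumption of this model)."""
    if to_net.num_addresses < from_net.num_addresses:
        raise ValueError(f"{to_net} is too small to map {from_net} one-to-one")
    offset = int(addr) - int(from_net.network_address)
    return ip.IPv4Address(int(to_net.network_address) + offset)


@dataclass(frozen=True)
class TwiceNatRule:
    src_real: ip.IPv4Network     # 'source static REAL ...'
    src_mapped: ip.IPv4Network   # '... MAPPED' (what the far side sees as our source)
    dst_mapped: ip.IPv4Network   # 'destination static MAPPED ...' (what inside hosts send to)
    dst_real: ip.IPv4Network     # '... REAL' (what actually exists on the far side)

    def outbound(self, src, dst):
        """inside -> outside. Returns (src', dst') or None if the rule does not match."""
        src, dst = ip.ip_address(src), ip.ip_address(dst)
        if src in self.src_real and dst in self.dst_mapped:
            return (_remap(src, self.src_real, self.src_mapped),
                    _remap(dst, self.dst_mapped, self.dst_real))
        return None

    def inbound(self, src, dst):
        """outside -> inside (return traffic): the same rule read backwards."""
        src, dst = ip.ip_address(src), ip.ip_address(dst)
        if src in self.dst_real and dst in self.src_mapped:
            return (_remap(src, self.dst_real, self.dst_mapped),
                    _remap(dst, self.src_mapped, self.src_real))
        return None

    def asa_cli(self, src_real_name, src_mapped_name, dst_name):
        """Render the rule in the CLI form used in the thread (identity destination)."""
        return (f"nat (inside,outside) source static {src_real_name} {src_mapped_name} "
                f"destination static {dst_name} {dst_name}")


# The rule validated in the thread: 10.1.11.0/24 is presented to the far side as
# 192.168.60.0/24; the destination is left untouched (identity NAT toward the remote LAN).
# 10.1.10.0/24 is assumed here as one member of REMOTE_VPN_SUBNET for the trace.
REMOTE_VPN_SUBNET = ip.ip_network("10.1.10.0/24")
RULE = TwiceNatRule(ip.ip_network("10.1.11.0/24"), ip.ip_network("192.168.60.0/24"),
                    REMOTE_VPN_SUBNET, REMOTE_VPN_SUBNET)

if __name__ == "__main__":
    print("overlapping:", [str(n) for n in overlapping_subnets(REMOTE_LAN, LOCAL_IN_USE)])
    print("outbound   :", RULE.outbound("10.1.11.25", "10.1.10.7"))   # src becomes 192.168.60.25
    print("inbound    :", RULE.inbound("10.1.10.7", "192.168.60.25"))  # dst becomes 10.1.11.25
    print(RULE.asa_cli("Customer-Remote-10.1.11.0", "Customer-Remote-NAT1", "REMOTE_VPN_SUBNET"))
```

The overlap check is the part worth running before committing any of this to the ASA: it flags 10.1.11.0/24, 10.1.12.0/24 and 10.1.32.0/19, and the size check in `_remap` shows that the /19 needs a mapped block of at least /19, not one of the /24 pool entries listed in the post.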
04-04-2022 06:21 AM - edited 04-04-2022 06:24 AM
Please refer to the link for how you can configure an overlapping network with NAT.
04-04-2022 06:27 AM
Hello MHM
Thanks for sharing this document. I already went through this document, but my case is different. This document is good when both sides are performing NAT. In my case only my side, which is the ASA firewall, needs the NAT, as the other side is using Cisco Meraki and it is not capable of adding NAT statements for these subnets. So I am specifically looking for the NAT statement for the ASA.
Thank you
04-04-2022 06:33 AM - edited 04-04-2022 06:42 AM
Cisco Meraki does not support NAT but supports IPsec VPN? Are you sure?
If the Meraki supports NAT,
you need two NAT statements:
ip nat inside source
ip nat outside source
These two commands solve the issue for the Meraki side.
I replaced the link with a better one.
04-04-2022 07:40 AM
Thank you Sheraz. Appreciate it. Thanks everyone.