FTD/FMC NAT between site to site with common subnet

robinhall1
Level 1

I have been trying to find documentation for configuring, through FMC, a site to site VPN tunnel when one network matches a network on the far side. I have a network 192.168.200.0/24 that is also routed on the second network. I am trying to NAT the 192.168.200.0/24 to the 172.28.0.0/24 network across a VPN tunnel. I have the tunnel set up correctly for 172.28.0.0/24 talking to the far side. This network does not need to talk to 192.168.200.0/24 on the far side, but because I am routing for it there I do not want to break that. I set up a NAT statement for inside to outside and 192.168.200.0/24 to 172.28.0.0/24, but all local communication to 192.168.200.0/24 breaks. How do I need to configure the NAT statement for translating the networks strictly across the tunnel and not affect the local communication to the 192.168.200.0/24 network?


balaji.bandi
Hall of Fame

The concept is the same as below (I don't have access to FMC to post the screenshots):

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Exactly what I was looking for. I had this exact link before but could not find it. No matter how I searched I could not get back to this. Thank you!!

After reading through this I am finding that this is only if you have the overlapping networks talking to each other. I don't see a way to have multiple NAT statements for a tunnel. I have about 10 networks on each side that do not overlap and will have a normal NAT statement. How do I use a second NAT statement for this one-off? I have two other overlapping networks that I will need to do also, but I need to get one done and working first. I mean, the other link was for ASA, and I could figure out FMC from that, but it definitely doesn't help for what I am trying to do.

If they do not overlap, then you do not need to NAT that IP range; inside the VPN they will interface as the source IP. There is no requirement to change.

If you have 2 overlapping networks, you can use the same pool to NAT externally, or you can look at a different one; it is up to your decision.

If you like to make it neat to troubleshoot, I suggest 1-1 (meaning x.x.x.x/24 to y.y.y.y/24 and a.a.a.a/24 to b.b.b.b/24, and so on).

BB


@robinhall1 if you have non-overlapping networks communicating over the VPN, you probably need NAT exemption rule(s) to ensure these networks are not unintentionally translated by your normal NAT rule (I assume this translates traffic behind the outside interface, for internet access).

On the FTD it's the same logic as the ASA, for example. You translate the networks to themselves, ensuring they do not match the dynamic NAT rule that would translate them behind the outside interface.

In my opinion, this is a matter of playing with NAT: see which NAT comes first and affects the traffic path through the VPN.
What you need is not only to configure the NAT, but also to do show all NAT and check the hit count (or use the packet-tracer, which is better).
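For reference, here is the ASA/FTD CLI form of what the replies above describe (a destination-aware manual NAT for the overlapping subnet, an identity NAT exemption for the non-overlapping ones, and the hit-count/packet-tracer checks); this is an added example, not configuration from any poster or from the linked Cisco document. The far-side LAN 10.10.10.0/24 and the second local network 192.168.100.0/24 are constructed placeholders; on FTD the same statements are produced by Manual NAT rules in the FMC NAT policy.

```text
! Constructed network objects (only 192.168.200.0/24 and 172.28.0.0/24 come from the thread)
object network LOCAL-OVERLAP
 subnet 192.168.200.0 255.255.255.0
object network LOCAL-TRANSLATED
 subnet 172.28.0.0 255.255.255.0
object network LOCAL-NONOVERLAP
 subnet 192.168.100.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.10.0 255.255.255.0
!
! Section 1 manual NAT: 192.168.200.0/24 becomes 172.28.0.0/24 ONLY when the
! destination is the far-side LAN. Local traffic to other destinations never
! matches this rule, so it is left untranslated. The destination is translated
! to itself. Evaluated before the dynamic PAT rule below.
nat (inside,outside) source static LOCAL-OVERLAP LOCAL-TRANSLATED destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! NAT exemption (identity NAT) for a non-overlapping network: translated to
! itself towards the remote LAN so the internet PAT rule does not catch it.
nat (inside,outside) source static LOCAL-NONOVERLAP LOCAL-NONOVERLAP destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Normal internet PAT (auto NAT, evaluated after the manual rules above)
object network LOCAL-OVERLAP
 nat (inside,outside) dynamic interface
object network LOCAL-NONOVERLAP
 nat (inside,outside) dynamic interface
!
! The crypto ACL / FMC protected network for this tunnel must list the
! translated 172.28.0.0/24, not 192.168.200.0/24.
!
! Verification: hit counts should increase only on the rule you expect, and
! packet-tracer should show the translation to 172.28.0.x and the VPN phase.
! show nat detail
! packet-tracer input inside tcp 192.168.200.10 12345 10.10.10.10 443 detailed
! packet-tracer input inside tcp 192.168.200.10 12345 192.168.200.50 445 detailed
```

The second packet-tracer run (to a host in the same 192.168.200.0/24 range) should show no translation, which is the check that the local communication the question was about is no longer affected.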