NAT Issue

galaga
Level 1

Hello,

I have a Cisco ASA 5510 Version 9.1(7)9 with multiple tunnels, (2) of which have duplicate hosts. These 2 tunnels are completely separate no communication between the two. The Chicago tunnel was just added and appears to be having issues with 105.180.90.16 passing traffic.

Can I have duplicate hosts like this? dev1 and Chicago-local share a local IP too, 192.168.68.58.

nat (INSIDE,OUTSIDE) source static dev1 dev1-Global destination static kansas kansas
object-group network kansas
network-object 105.180.90.16 255.255.255.255
object-group network Chicago-remote
network-object 105.180.90.16 255.255.255.255
nat (INSIDE,OUTSIDE) source static Chicago-local Chicago-local destination static Chicago-remote Chicago-remote no-proxy-arp route-lookup

7 Replies

Bogdan Nita
VIP Alumni

If I understand correctly you have the same IP that you need to reach via 2 vpn tunnels.

The ASA usually selects the vpn tunnel to send traffic through based on the crypto-acl and crypto map sequence number.

If different hosts from your subnet need to use different vpn tunnels or the destination ports are different, you can simply adjust the crypto-acl.

If the same source needs to access 2 different hosts with the same IP on 2 different tunnels, you will have to have a NAT in place and modify the crypto-acl accordingly. In your case the easiest solution would be to ask Chicago to NAT the 105.180.90.16 in a different IP.
HTH

Bogdan

The customer can not change the subnet. I have 2 different customers with 2 separate tunnels. Each of these duplicate hosts is trying to access the same host on my side.

Seems there is a NAT issue.

I am not saying the customer should change the subnet, I am saying the customer should configure a nat for traffic headed to you.

In this case I can't see how you could do a nat on your side.

Could you provide a config example ?

Considering the client has an ASA as well, the config is pretty much similar to what you wrote:

object network My-Host
 host 105.180.90.16

object network Client-Local
 subnet <Client real IP range>

object network Client-Global
 subnet <Client new assigned IP range>

!

nat (INSIDE,OUTSIDE) source static Client-Local Client-Global destination static My-Host My-Host

Also keep in mind that the crypto ACL needs to be modified with the NATed IPs.

Add the client's new assigned IP range on the customer side to my crypto ACL?

Yes, and the VPN peer should change the source IP in the crypto ACL.
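As an added example (not posted by either participant in the thread), here is what both ends look like once Chicago agrees to the remote-side NAT described above, tying together the two points made in the replies: the peer hides its overlapping 105.180.90.16 behind a distinct mapped address, and the crypto ACLs on both ASAs are written against post-NAT addresses so the crypto map sequence numbers no longer both match the same flow. The mapped address 10.200.0.16, the object and ACL names not taken from the original post, the crypto map name and sequence numbers, the peer IP placeholders, and the assumption that 192.168.68.58 is the host both customers reach are all assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: mapped address 10.200.0.16,
! the object/ACL names below, crypto map OUTSIDE_map with seq 10/20, and
! that 192.168.68.58 is the host on galaga's side that both customers reach.
!
! ---------------- Chicago (customer) ASA ----------------
object network Chicago-Real
 host 105.180.90.16
object network Chicago-Mapped
 host 10.200.0.16
object network Partner-Host
 host 192.168.68.58
!
! Twice NAT: only traffic between Chicago-Real and Partner-Host is translated,
! so Chicago's other tunnels and internal routing keep seeing the real address.
nat (inside,outside) source static Chicago-Real Chicago-Mapped destination static Partner-Host Partner-Host no-proxy-arp route-lookup
!
! The crypto ACL is evaluated after NAT, so it must carry the mapped address.
access-list VPN-TO-GALAGA extended permit ip host 10.200.0.16 host 192.168.68.58
crypto map OUTSIDE_map 10 match address VPN-TO-GALAGA
crypto map OUTSIDE_map 10 set peer <galaga ASA outside IP>
!
! ---------------- galaga's ASA 5510 ----------------
! kansas keeps the real address; Chicago-remote now holds the mapped one,
! so the two object-groups no longer overlap.
object-group network kansas
 network-object 105.180.90.16 255.255.255.255
object-group network Chicago-remote
 network-object 10.200.0.16 255.255.255.255
!
! The two NAT lines from the original post are unchanged. Both have the same
! real source (192.168.68.58); it is the destination clause that tells them
! apart, which only works once the destinations actually differ.
nat (INSIDE,OUTSIDE) source static dev1 dev1-Global destination static kansas kansas
nat (INSIDE,OUTSIDE) source static Chicago-local Chicago-local destination static Chicago-remote Chicago-remote no-proxy-arp route-lookup
!
! One crypto ACL per tunnel, written with the post-NAT addresses. When two
! crypto map entries match the same flow the lower sequence number wins, which
! is what happened while both peers presented 105.180.90.16.
! (dev1-Global and Chicago-local are assumed to be network objects; use
! object-group instead of object if they were defined as groups.)
access-list KANSAS-VPN extended permit ip object dev1-Global object-group kansas
access-list CHICAGO-VPN extended permit ip object Chicago-local object-group Chicago-remote
crypto map OUTSIDE_map 10 match address KANSAS-VPN
crypto map OUTSIDE_map 10 set peer <Kansas peer IP>
crypto map OUTSIDE_map 20 match address CHICAGO-VPN
crypto map OUTSIDE_map 20 set peer <Chicago peer IP>
```

To confirm the flow is steered into the right tunnel before touching the customer's side, run `packet-tracer input INSIDE tcp 192.168.68.58 1025 10.200.0.16 443` on galaga's ASA: the NAT phase should show the Chicago-local/Chicago-remote rule and the VPN phase should reference crypto map entry 20 rather than 10. After traffic flows, `show crypto ipsec sa peer <Chicago peer IP>` should list 192.168.68.58 and 10.200.0.16 as the local and remote identities, and the Kansas SA should still show 105.180.90.16. Nothing in this example removes the underlying constraint: two peers that both present 105.180.90.16 cannot be told apart by crypto ACLs on the hub, so one of them has to NAT.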