NAT Question

hurricane05 (Level 1)

We currently have a setup using only VTI interfaces on our Firepower devices in order to allow different customers to connect to our datacentre for access to their systems. We have run into a bit of an issue where one of the customers' internal private subnets is the same as one of our subnets. We are not looking to change our VTI setup on our end. What is the best option for the customer end? Would they still set up the VTI on their end to establish the tunnel and then configure policy-based routing on their end to do some NAT when traversing the tunnel, so it doesn't interfere with our internal private subnet?

 

Thx in advance for any help provided.

3 Replies

Cisco Firewall does not support a VTI nameif in a NAT statement. I guess you could use the trick of "any" in the NAT; however, you do not want to see your setup or want to perform NAT for this specific client.

 

In your production network you are running route-based VPN = VTI, whereas policy-based VPN = crypto map.

Going forward you can set up a policy-based VPN with your client, and on top of that either they or you can do the overlapping here.

 

Is your customer using a Cisco Firewall (ASA/FTD) at their end? Someone needs to do a NAT, either you or them. If they are willing to NAT with VTI, in that case the NAT statements would be in this order.

 

! real (overlapping) subnet behind the firewall doing the NAT
object network INSIDE-REAL
 subnet 10.100.100.0 255.255.255.0
! mapped subnet presented across the tunnel (must not be in use on the other side)
object network INSIDE-MAPPED
 subnet 10.1.1.0 255.255.255.0
! remote network reached through the tunnel
object network REMOTE-NET
 subnet 192.168.10.0 255.255.255.0
! twice NAT: translate the source only when the destination is the remote network
nat (inside,any) source static INSIDE-REAL INSIDE-MAPPED destination static REMOTE-NET REMOTE-NET
please do not forget to rate.

Thx for the quick response. Yes, we are using route-based VPN on our end. Are you saying that in order for this to work, we would also have to switch our setup from route-based VPN to policy-based VPN on our end, in addition to the client side (and they do the NAT)?

I see this going forward as you set this up as a traditional site-to-site VPN (crypto map with NAT); one of you has to perform the NAT for the overlapping subnet. It depends which site is more comfortable doing this work.

 

-Are you saying that in order for this to work, we would also have to switch our setup from route-based VPN to policy-based VPN on our end, in addition to the client side (and they do the NAT)?

 

You configure your NAT rule as NAT exemption / identity NAT, and the remote end has to present their local network (for you, the remote network) as a different network which is not used in your network environment.

please do not forget to rate.
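The two replies above describe one procedure: pick a mapped subnet for the side that does the NAT, make sure it collides with nothing on the other side, and then write the object definitions and the twice-NAT line. The following Python script is an added example (not code from this thread or from Cisco) that walks through that procedure offline with the subnets the first reply used in its objects. It assumes the customer is the side doing the NAT, that the datacentre has the two subnets listed as `DC_SUBNETS` (constructed sample values), and that the mapped subnet is the same size as the real one, which is what a one-to-one static network NAT requires.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample values, reusing the subnets from the first reply's object
# definitions. Roles are assumptions: the customer is the side doing the NAT.
DC_SUBNETS: List[IPv4Net] = [
    ipaddress.ip_network("10.100.100.0/24"),  # datacentre subnet the customer also uses
    ipaddress.ip_network("192.168.10.0/24"),  # datacentre subnet the customer must reach
]
CUSTOMER_REAL = ipaddress.ip_network("10.100.100.0/24")   # customer's real LAN (collides)
CUSTOMER_MAPPED = ipaddress.ip_network("10.1.1.0/24")     # what the customer presents over the tunnel
REMOTE_NET = ipaddress.ip_network("192.168.10.0/24")      # destination the customer reaches


def overlapping(local: Iterable[IPv4Net], remote: IPv4Net) -> List[IPv4Net]:
    """Every local subnet that overlaps the given remote subnet (empty list means no collision)."""
    return [n for n in local if n.overlaps(remote)]


def translate(host: str, real: IPv4Net, mapped: IPv4Net) -> ipaddress.IPv4Address:
    """Static network NAT: keep the host bits, swap the network prefix.

    Symmetric, so translate(x, mapped, real) undoes translate(x, real, mapped),
    which is how the return traffic from the datacentre finds the real host.
    """
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("static NAT between subnets of different sizes is not one-to-one")
    addr = ipaddress.ip_address(host)
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    offset = int(addr) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)


def asa_nat_config(real: IPv4Net, mapped: IPv4Net, remote: IPv4Net, iface: str = "inside") -> str:
    """Render the object definitions and the twice-NAT line in the order the first reply gave."""
    return "\n".join([
        "object network INSIDE-REAL",
        f" subnet {real.network_address} {real.netmask}",
        "object network INSIDE-MAPPED",
        f" subnet {mapped.network_address} {mapped.netmask}",
        "object network REMOTE-NET",
        f" subnet {remote.network_address} {remote.netmask}",
        f"nat ({iface},any) source static INSIDE-REAL INSIDE-MAPPED "
        "destination static REMOTE-NET REMOTE-NET",
    ])


def plan_customer_nat(dc_subnets: Iterable[IPv4Net], real: IPv4Net,
                      mapped: IPv4Net, remote: IPv4Net) -> str:
    """Check the chosen mapped subnet against every datacentre subnet and the remote
    network, then render the config. Raises ValueError if the mapped subnet would
    itself collide, which is exactly the condition the NAT is meant to remove."""
    clashes = overlapping(list(dc_subnets) + [remote], mapped)
    if clashes:
        raise ValueError(f"mapped subnet {mapped} overlaps {clashes}; choose another")
    return asa_nat_config(real, mapped, remote)


if __name__ == "__main__":
    print("datacentre subnets colliding with the customer LAN:",
          overlapping(DC_SUBNETS, CUSTOMER_REAL))
    print(plan_customer_nat(DC_SUBNETS, CUSTOMER_REAL, CUSTOMER_MAPPED, REMOTE_NET))
    print("10.100.100.7 is seen by the datacentre as",
          translate("10.100.100.7", CUSTOMER_REAL, CUSTOMER_MAPPED))
```

The datacentre side keeps its identity NAT for the tunnel, as the last reply says, and only ever sees `10.1.1.0/24` from this customer; the `overlapping` check is what you run before agreeing on a mapped subnet, since a mapped range that collides with anything on the far side just moves the problem.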