S2S vpn overlapping subnets/Natting Lan to outside interface

hmc2500
Level 1

When setting up a site-to-site VPN with overlapping subnets, can you NAT an internal subnet to the outside interface (or a single public IP address) of the ASA on both sides of the VPN? Like PAT overloading. Is this possible?

 

192.168.1.0/24 > NAT to outside interface 1.1.1.1 ----Internet-----NAT to outside interface 2.2.2.2 < 192.168.1.0/24

7 Replies

balaji.bandi
Hall of Fame

Hope the example below helps you with the overlapping test; advise of any issues (since you have not mentioned what device, I gave this example).

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Is there a doc for the newer ASAs? 5512-X?

@hmc2500 

You mean with 9.x code, which has different NAT syntax? Here is the Cisco guide.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

 

You'll need to be sure to use the translated IP address in the crypto ACL, not the real IP address.

 

Thanks, but I was looking for an overlapping subnets example utilizing port address translation, not just NAT.

You need to build this with a step-by-step approach, one step at a time, record the results, and add each new feature requirement on top of it.

 

You can refer to this thread:

 

https://community.cisco.com/t5/vpn/site-to-site-vpn-with-overlapping-subnets-and-pat/td-p/3069556

 

Build the config and let us know the config and where you got stuck so we can suggest any tweaks required.

 

BB

You need to identify what services at both ends need to be reached by each side. Just doing an "overload" on both sides will accomplish nothing, as neither of the sides will be able to reach anything at the remote site.

So let's look at a couple of scenarios. Site B needs to access Site A servers. In this case you could NAT the Site B LAN to the Site B ASA outside interface, then in the crypto ACL specify the Site B outside interface IP.

Another scenario could be that both Site A and Site B need to access resources at each other's sites. In this case I would recommend allocating an unused subnet for each site, then doing static NAT for the services so they have their own "unused" IPs, and then NATting the rest of the IPs to the remaining IPs within the unused subnets.

If you do not allocate an unused subnet, you would need to start using PAT and translate the ports used for the services. This could become a management hassle.

--
Please remember to select a correct answer and rate helpful posts
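The bidirectional scenario described above (each site translated to its own unused subnet, with the crypto ACL written on the translated addresses), as an added example in ASA 9.x syntax that is not from any poster in this thread. The two 10.10.x.0/24 ranges, the object names and the crypto map name are assumptions; 1.1.1.1 and 2.2.2.2 are the outside addresses from the question.

```text
! Site A ASA (outside 1.1.1.1). Real LAN 192.168.1.0/24 is presented to Site B
! as 10.10.1.0/24; Site B's identical LAN is seen from here as 10.10.2.0/24.
! Both 10.10.x.0/24 ranges are constructed, assumed-unused subnets.
object network SITEA-LAN-REAL
 subnet 192.168.1.0 255.255.255.0
 ! Ordinary Internet access (auto NAT, section 2): PAT to the outside interface.
 nat (inside,outside) dynamic interface
object network SITEA-LAN-XLATE
 subnet 10.10.1.0 255.255.255.0
object network SITEB-LAN-XLATE
 subnet 10.10.2.0 255.255.255.0
!
! Twice (manual) NAT lives in section 1, so it is evaluated before the Internet
! PAT above. Source 192.168.1.x -> 10.10.1.x one-to-one, but only when the
! destination is Site B's translated range; the destination is left unchanged
! (identity "destination static X X"). Site A hosts therefore address Site B
! resources as 10.10.2.x, never as 192.168.1.x.
nat (inside,outside) source static SITEA-LAN-REAL SITEA-LAN-XLATE destination static SITEB-LAN-XLATE SITEB-LAN-XLATE
!
! Crypto ACL: the TRANSLATED networks on both sides. Using 192.168.1.0/24 here
! would never match, because NAT has already rewritten the source before the
! packet is checked against the crypto map.
access-list VPN-TO-SITEB extended permit ip object SITEA-LAN-XLATE object SITEB-LAN-XLATE
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 2.2.2.2
!
! Site B ASA (outside 2.2.2.2) is the mirror image: 192.168.1.0/24 -> 10.10.2.0/24
! when the destination is 10.10.1.0/24, and its crypto ACL permits
! ip 10.10.2.0/24 -> 10.10.1.0/24, so the two ACLs are exact mirrors.
```

With `show nat detail` the manual rule should show translate hits only for VPN-bound flows while the interface PAT keeps carrying Internet traffic; if the tunnel never comes up, the first thing to check is that the crypto ACLs reference the 10.10.x.0/24 ranges and not the real LAN.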