Site-to-Site with Overlapping Subnets

v0r73x117
Level 1

Hi All,

Just looking for confirmation on what is/isn't possible. In brief, we have a site-to-site requirement but our local LAN ranges conflict. I'm aware of how to get this up and running using a pool of IPs that either an ASA/IOS based device can NAT behind, but I'm wondering if it's possible to NAT behind a single IP. NAT is also in place for general internet traffic, but hopefully the attached image better describes our scenario.

Any help / advice appreciated.

Regards,

Martyn

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You will have to do NAT on both ends to get the setup working.

With these types of setups I have most commonly just natted a /24 network to another /24 network at both sites.

You can configure one of the sites to use a single PAT address towards the other end, but the other end must have some kind of Static NAT, either between single hosts or equal /24 networks.

If you would happen to configure both sites with PAT translations, you couldn't really initiate connections between the sites, as no real host on networks 192.168.1.0/24 would have their own specific NAT IP to connect to.

So in short:

  • Both sites need to NAT their network
  • Use 1:1 Static NAT either between host addresses or complete networks on both sites
    • Both sites could initiate connections to any host on the remote end, as every single host has their own NAT IP address statically assigned
  • Use PAT for one site and 1:1 Static NAT with host addresses or complete networks on the other site
    • The site with the single PAT IP address can connect to all of the remote site's hosts, since they have statically assigned NAT IP addresses.
    • Hosts from the other site wouldn't be able to connect to any host on its remote site, as the remote site has only one PAT address facing their way.

If you had 2 ASAs with 8.2 or BELOW software, your Static NAT configurations could be, for example:

Base information

  • Site1: 192.168.1.0/24
  • Site1 NAT: 10.10.1.0/24
  • Site2: 192.168.1.0/24
  • Site2 NAT: 10.10.2.0/24

Site1 Static Policy NAT configuration

access-list L2L-VPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.10.2.0 255.255.255.0
static (inside,outside) 10.10.1.0 access-list L2L-VPN-POLICYNAT

Site2 Static Policy NAT configuration

access-list L2L-VPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
static (inside,outside) 10.10.2.0 access-list L2L-VPN-POLICYNAT

PAT configuration on either end

access-list L2L-VPN-POLICYPAT permit ip 192.168.1.0 255.255.255.0 10.10.x.0 255.255.255.0
global (outside) xxx 10.10.x.1
nat (inside) xxx access-list L2L-VPN-POLICYPAT

If you had 2 ASAs with 8.3 or ABOVE software, your Static NAT configurations could be, for example (same base information):

Site1 Static Policy NAT configuration

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NAT
 subnet 10.10.1.0 255.255.255.0
object network REMOTE
 subnet 10.10.2.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE

Site2 Static Policy NAT configuration

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NAT
 subnet 10.10.2.0 255.255.255.0
object network REMOTE
 subnet 10.10.1.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE

PAT configuration on either end

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-PAT
 host 10.10.x.1
object network REMOTE
 subnet 10.10.x.0 255.255.255.0
nat (inside,outside) 1 source dynamic LAN LAN-PAT destination static REMOTE REMOTE

- Jouni


5 Replies

AdamBlackNNT
Level 1

You can actually solve this with dual-NAT entries (NATing yourself AND the remote end) on only one side as well. I have a client who uses such a configuration when connecting to dozens of remote clients of his; he does it for them so that they don't need to configure anything on their end.

It's basically just a set of NAT statements: NAT your private addresses when going to the addresses you want to show the remote side as, and NAT the remote addresses when they are going to the NATted address you are giving your side.
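To make the reachability rules in the accepted answer and Adam's one-sided dual-NAT variant concrete, here is an added Python model (not code from either post or from Cisco) of a single ASA 8.3+ twice-NAT line. The class name TwiceNat, the 1:1 host-offset mapping and the sample addresses are assumptions for illustration.

```python
import ipaddress

def _shift(addr, from_net, to_net):
    """1:1 network NAT: keep the host offset, swap the network prefix."""
    return to_net[int(addr) - int(from_net[0])]

class TwiceNat:
    """Model (constructed for this example) of one ASA 8.3+ twice-NAT line:
    nat (inside,outside) source {static|dynamic} SRC_REAL SRC_MAPPED destination static DST_MAPPED DST_REAL
    With pat=True, SRC_MAPPED is a single address used for dynamic PAT."""
    def __init__(self, src_real, src_mapped, dst_mapped, dst_real=None, pat=False):
        self.src_real = ipaddress.ip_network(src_real)
        self.src_mapped = ipaddress.ip_network(src_mapped)
        self.dst_mapped = ipaddress.ip_network(dst_mapped)
        self.dst_real = ipaddress.ip_network(dst_real or dst_mapped)  # identity if omitted
        self.pat = pat

    def outbound(self, src, dst):
        """Packet from the inside LAN heading into the tunnel; None if the rule does not match."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.src_real or dst not in self.dst_mapped:
            return None
        new_src = self.src_mapped[0] if self.pat else _shift(src, self.src_real, self.src_mapped)
        return str(new_src), str(_shift(dst, self.dst_mapped, self.dst_real))

    def inbound(self, src, dst):
        """New connection arriving from the tunnel. A PAT address has no per-host mapping,
        so only reply traffic of an existing session could be delivered (None here)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.dst_real or dst not in self.src_mapped or self.pat:
            return None
        return (str(_shift(src, self.dst_real, self.dst_mapped)),
                str(_shift(dst, self.src_mapped, self.src_real)))

def end_to_end(site_a, site_b, src, dst):
    """Host `src` at site A connects to `dst`, the address it uses for a site B host.
    Returns the (src, dst) pair the site B host sees, or None if unreachable."""
    on_wire = site_a.outbound(src, dst)
    return None if on_wire is None else site_b.inbound(*on_wire)

# Jouni's base information: both LANs are 192.168.1.0/24, mapped to 10.10.1.0/24 and 10.10.2.0/24.
SITE1_STATIC = TwiceNat("192.168.1.0/24", "10.10.1.0/24", "10.10.2.0/24")
SITE2_STATIC = TwiceNat("192.168.1.0/24", "10.10.2.0/24", "10.10.1.0/24")
SITE1_PAT = TwiceNat("192.168.1.0/24", "10.10.1.1/32", "10.10.2.0/24", pat=True)
# Adam's variant: site 1 also rewrites the destination, so site 2 needs no NAT at all.
SITE1_DUAL = TwiceNat("192.168.1.0/24", "10.10.1.0/24", "10.10.2.0/24", dst_real="192.168.1.0/24")
SITE2_NONAT = TwiceNat("192.168.1.0/24", "192.168.1.0/24", "10.10.1.0/24")
```

Calling end_to_end(SITE2_STATIC, SITE1_PAT, "192.168.1.20", "10.10.1.1") returns None, which is the "only one PAT address facing their way" case; swapping in a static site on both ends, or Adam's dual NAT with a no-NAT peer, delivers the connection.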

v0r73x117
Level 1

Thanks for the detailed/quick response!

Unfortunately, the scenario currently in progress has dictated the IP we need to PAT behind, as we don't have a pool to match the number of internal clients (e.g. the /24 to /24) which I'm more familiar with. It does sound like the ASA will let us do this though (we will PAT behind one IP as the other side will be a 1-to-1 NAT etc).

Thanks again.

Hi,

What do you mean by the fact that you don't have enough addresses?

Since you are configuring a L2L VPN, your NAT IP address/network can be almost anything you like. You can for example NAT a private /24 network to another private /24 network on each side so they don't overlap.

But what you plan to go for should also work.

- Jouni

Sorry, perhaps a bit vague on that. We only control our side of the VPN; the other site has given us a /29 to use in order to PAT behind a single IP. We will only access their /24 that they have set for static NAT. This was what I wanted to confirm as being possible, as I'm only familiar with mapping a /24 to a /24 (or whatever ranges match etc).

Hopefully that makes a little more sense.