02-07-2018 12:28 PM
Hello I am looking to understand if what I am trying to accomplish will work. Given a PAN connecting to an ASA using a L2L IPSec VPN Tunnel to access two distinct ip addresses behind the ASA. Now these IP Addresses are duplicated on the LAN the PAN connects, essentially overlapping. I know what to do in an ASA. But for the Pan I want my logic checked. The goal here is two use two ip addresses on the PAN Side that doesnt overlap so users can access the devices behind the ASA. I would do a 1to1 NAT for each and I hope in theory that the order of operations (anyone ahve this?) would allow for NAT before the packets are placed in the tunnel. The tunnel I would build like any other, using host routes to the IPs behind the ASA. Am I correct in how I would envision this working? Are there any gotchas or caveats for this use case?
Thank you
02-07-2018 02:31 PM
Hello,
Is what you are experiencing similar to the following?
Regards,
02-07-2018 01:02 PM
Never experienced this but I think source NAT will do the trick.
02-07-2018 02:31 PM
Hello,
Is what you are experiencing similar to the following?
Regards,
02-08-2018 03:03 AM
In case of overlapping IP addresses on both sites, and you only need to make a unidirectional connection (from you to the remote servers) you would set up source nat on your end, and destination nat on the remote end:
your sources would hide behind a subnet/IP not existing on the remote site so they can easily route back reply packets into the tunnel while the remote end would apply destination translation on your incoming packets to hit the desired 2 servers (if they ever need to perform maintenance or replace the servers this will also grant them direct control to change the destinations)
your clients would be connecting to fictitious destination IPs you can static route into the tunnel
if you have an internal DNS server you could give these IP addresses a friendly hostname
02-08-2018 11:24 AM
Thank you all for your replies and this like was exactly what I needed!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
