04-18-2021 11:29 PM
@DongQuin In such a case, where you have complete overlap between the local and remote networks, both sides of the tunnel must apply NAT. Which means:
- Each side will use the remote NAT network (users should know the IP 2.2.2.2 in order to connect to the remote side)
- Each side should apply NAT for its local network
So I assume that the config on the ASA side will be handled and we are speaking only about your side. You will need:
- A static route for the remote NAT network pointing to the tunnel interface (in your case a route for 2.2.2.2 to tunnel.1)
- A NAT rule matching the local network/host 10.10.10.10 from your internal zone to the VPN zone (use a separate zone instead of your internet untrust/outside zone) and applying static source NAT. You can enable the bi-directional option to automatically create the NAT rule for when the remote side needs to initiate traffic to you.
- Or, if you don't use bi-directional in the source NAT, you need to create an additional NAT rule matching source remote NAT network to your local NAT network, applying destination NAT (src: 2.2.2.2 to 1.1.1.1, apply destination NAT to 10.10.10.10)
- For the security rules you need to remember that they use post-NAT zones and pre-NAT addresses. This means that for the:
  - outbound rule you need to allow your local address to the remote NAT IP
  - inbound rule you need to allow the remote NAT address to your local NAT address
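The steps above, written out as PAN-OS `set` commands as an added example (not configuration from the original post). The virtual-router name `default`, the zone names `trust` and `vpn`, and the rule names are assumptions; the addresses are the ones from the thread (local host 10.10.10.10 shown as 1.1.1.1, remote side reached as 2.2.2.2). The `#` lines are annotations only and are not valid CLI input.

```text
# 1. Static route: the remote NAT network goes into the tunnel.
set network virtual-router default routing-table ip static-route to-remote-nat destination 2.2.2.2/32 interface tunnel.1

# 2. Dedicated VPN zone on the tunnel interface (not the untrust/outside zone).
set zone vpn network layer3 tunnel.1

# 3. Static source NAT, bi-directional, so inbound traffic to 1.1.1.1 is
#    translated back to 10.10.10.10 without a separate destination NAT rule.
set rulebase nat rules vpn-overlap-snat from trust to vpn source 10.10.10.10 destination 2.2.2.2 service any source-translation static-ip translated-address 1.1.1.1 bi-directional yes

# 4. Security policy uses post-NAT zones and pre-NAT addresses:
#    outbound: local real address -> remote NAT address
set rulebase security rules vpn-overlap-out from trust to vpn source 10.10.10.10 destination 2.2.2.2 application any service any action allow
#    inbound: remote NAT address -> local NAT (pre-translation) address, zone is the post-NAT zone
set rulebase security rules vpn-overlap-in from vpn to trust source 2.2.2.2 destination 1.1.1.1 application any service any action allow
```

Both ends must also negotiate the tunnel's proxy IDs / traffic selectors on the translated addresses (1.1.1.1 and 2.2.2.2), not on the overlapping real ones, or the SA will not match the traffic.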