
Overlapping internal subnets on different interfaces to same public interface

Posted on 2009-02-10
Last Modified: 2012-06-27
I have an issue where we have several sites connected to the same Cisco ASA5510 but to different subinterfaces. Some of the sites use the same subnets (i.e. the very popular 192.168.0.0/24). I want to use PAT to let all of these subnets out through the same public interface but recognize that there will be issues with this since the subnets are not unique. To further complicate issues, the subnets are routed to the ASA using a /30 net on each interface. A solution (although not an option in this case since these aren't administered by me) would be to NAT in the router (Router1 and Router2 in the attached picture) and make the subnets unique to the ASA. Are there any chances of making this work using just one ASA? One option is to get the Security Plus update and run one security context to NAT and a second security context to PAT, but I'd rather solve it some other way if possible. Is there a possible solution to this either by using policy NAT or by combining NAT and PAT?
asa5510-pat-nat.png
Question by:it-is-me
8 Comments

Expert Comment

by:JFrederick29
ID: 23601246
Not that I can think of.  The problem with the ASA is that it needs to know where to route the traffic and you can't have two routes to the same subnet out different interfaces.  NAT'ing or PAT'ing the traffic on Router1 and Router2 before it hits the ASA is really the best solution so the two sites appear to the ASA as unique address space.

Author Comment

by:it-is-me
ID: 23611977
Hello JFrederick29 and thanks for your answer. Let me rephrase this a bit since I think I've come to terms with the fact that I cannot do all of this in the same ASA :-) Let's just say I want to do the "first" part (or the part closest to the customer) in the ASA, i.e. I want to do a static NAT of all of the subnets on each VLAN interface to be able to reach these on unique subnets from the outside, where the static NAT is based not just on source and destination IP (as with policy NAT) but also on source interface. In the attached picture with the two subnets on 192.168.0.0/24, they are uniquely distinguishable through the fact that they exist on different interfaces, if I could just tell the ASA in some way that "traffic to subnet 10.0.0.0/24 should be statically NAT'ed to 192.168.0.0/24 out interface 1, whereas traffic to subnet 10.0.1.0/24 should be statically NAT'ed to 192.168.0.0/24 out interface 2". I do this in a Linux router today but am looking to replace it with an ASA. If the above is possible, I could place a second unit (security context or physical) to take care of the PAT part since it only needs to know about the translated, unique subnets (i.e. 10.0.0.0/24 and 10.0.1.0/24). It looks like policy NAT can _almost_ do this if I were only able to specify not just the src/dst subnets but also the src interface!

Expert Comment

by:JFrederick29
ID: 23612880
Unfortunately, not that I am aware of, based on the fact that the ASA has one routing table (in single context mode) and you can't specify a route to the same subnet out two interfaces.  This is where the problem lies with the ASA.  If you use multiple contexts, you could set up one context for Network1 and a second context for Network2.  Each context would have its own routing table, NAT, access-list config, etc...  Other than that, doing NAT on Router1 and Router2 before it hits the ASA is really the only other option I can think of.

Author Comment

by:it-is-me
ID: 23615309
Would it be possible to do the same but using an ISR 2800-series router that is able to do policy routing? Please see the newly attached map.
In the attached scenario, a packet sent from Router4 to Router3 with dst IP 10.0.0.1 would be translated to 192.168.0.1 on inside1, and a packet from Router4 to Router3 with dst IP 10.0.1.1 would be translated to 192.168.0.1 on inside2. Packets sent the other way (from either Router1 or Router2) to Router3 with src IP in the 192.168.0.0/24 subnet would be translated to 10.0.0.0/24 and 10.0.1.0/24, respectively. Thanks for bearing with me! Just tell me to give it a rest and I'll put my effort into convincing the owners of Router1 and Router2 (there are actually 27 of those, hence the security context solution is not really an option due to $$$) that they need to do the NAT instead... :-)
isr-pbr-route-nat.png

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 23618223
Again, routing is going to get you here with the router.  The problem is for inbound traffic from Router4: the router will first NAT and then route, so if a connection is made to 10.0.0.1, the traffic is translated to 192.168.0.1 and the router then looks up the route to 192.168.0.1.  This is where you run into problems with the overlapping subnets.  What you might be able to do is look into using VRFs (like MPLS VPN) on the router to create a separate routing and NAT table for each customer.  This obviously adds complexity and the simpler approach would be NAT on Router1 and Router2.

Expert Comment

by:JFrederick29
ID: 23658800
it-is-me,

Instead of closing the question, how about accepting one of my comments as the answer.  I know you are closing your account but I put a good amount of time and effort into this question.  Points are the only compensation we get for doing this...

Author Closing Comment

by:it-is-me
ID: 31547750
Hi JFrederick29, sorry I forgot to accept your answer, of course you should get recognition for your answer. By the way, I have solved this by putting an ISR 2811 between the ASA and the customer routers. The ISR takes care of mapping all customer subnets (accept a full 192.168.0.0/16 on all VLAN interfaces) and NAT'ing them out on a unique 10.[0-100].0.0/16 subnet, and the other way round. The NVI feature in conjunction with VRF makes this a pretty simple solution to set up; relevant entries:

!
ip source-route
!
!
ip cef
!
!
ip vrf test
!
ip vrf test2
!
interface FastEthernet0/0
 description Outside interface to ASA device doing the NAT
 ip address 172.16.0.2 255.255.255.252
 ip nat enable
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache cef
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 888
 ip vrf forwarding test
 ip address 172.16.0.5 255.255.255.252
 ip nat enable
!
interface FastEthernet0/1.40
 encapsulation dot1Q 999
 ip vrf forwarding test2
 ip address 172.16.0.9 255.255.255.252
 ip nat enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route 10.0.0.0 255.255.0.0 172.16.0.6
ip route 10.1.0.0 255.255.0.0 172.16.0.10
ip route vrf test 0.0.0.0 0.0.0.0 172.16.0.1 global
ip route vrf test 192.168.0.0 255.255.0.0 172.16.0.6
ip route vrf test2 0.0.0.0 0.0.0.0 172.16.0.1 global
ip route vrf test2 192.168.0.0 255.255.0.0 172.16.0.10
!
!
no ip http server
ip nat source static network 192.168.0.0 10.0.0.0 /16 vrf test
ip nat source static network 192.168.0.0 10.1.0.0 /16 vrf test2
!
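Added example, not code from the thread or from either participant: a small Python model of the two points made above, the NAT-then-route order JFrederick29 describes for inbound traffic (accepted solution) and the per-VRF routing and NAT tables in the ISR config just posted. The routing tables and NAT rules are transcribed from the posted "ip route" and "ip nat source static network" lines; the single-table case is constructed to show why one routing table cannot hold both customers' 192.168.0.0/16 routes; the "global" keyword on the VRF default routes is simplified to a plain next hop; the address 203.0.113.5 is a constructed documentation address. It models the forwarding decision, not IOS or the ASA in detail.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Routing tables transcribed from the "ip route" lines in the posted config.
# Keys are VRF names; "global" is the router's default table.
ROUTES: Dict[str, List[Tuple[str, str]]] = {
    "global": [
        ("0.0.0.0/0", "172.16.0.1"),
        ("10.0.0.0/16", "172.16.0.6"),
        ("10.1.0.0/16", "172.16.0.10"),
    ],
    # "global" on the VRF default route is simplified to its next hop here
    "test": [("0.0.0.0/0", "172.16.0.1"), ("192.168.0.0/16", "172.16.0.6")],
    "test2": [("0.0.0.0/0", "172.16.0.1"), ("192.168.0.0/16", "172.16.0.10")],
}

# Constructed: what a single routing table would hold if both customers'
# routes were installed in it, as in the original ASA question.
SINGLE_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "172.16.0.1"),
    ("192.168.0.0/16", "172.16.0.6"),
    ("192.168.0.0/16", "172.16.0.10"),
]

# Transcribed from "ip nat source static network <inside> <global> /16 vrf <name>":
# (vrf, inside prefix, global prefix)
NAT_RULES: List[Tuple[str, str, str]] = [
    ("test", "192.168.0.0/16", "10.0.0.0/16"),
    ("test2", "192.168.0.0/16", "10.1.0.0/16"),
]


def lookup(table: List[Tuple[str, str]], dst: str) -> List[str]:
    """Longest-prefix match that returns every next hop tying at the longest
    prefix, so an ambiguous table shows up as a list with more than one entry."""
    addr = ipaddress.ip_address(dst)
    best_len = -1
    hops: List[str] = []
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, hops = net.prefixlen, [next_hop]
        elif net.prefixlen == best_len:
            hops.append(next_hop)
    return hops


def remap(addr: str, from_net: str, to_net: str) -> str:
    """Static network NAT: keep the host offset, swap the network part."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    offset = int(ipaddress.ip_address(addr)) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))


def inbound(dst_global: str) -> Optional[Tuple[str, str, str]]:
    """Packet from the ASA side: NAT first, then route, but in the VRF the
    matching NAT rule belongs to. Returns (vrf, translated dst, next hop),
    or None if no rule matches or the route lookup is ambiguous."""
    addr = ipaddress.ip_address(dst_global)
    for vrf, inside, glob in NAT_RULES:
        if addr in ipaddress.ip_network(glob):
            inside_dst = remap(dst_global, glob, inside)
            hops = lookup(ROUTES[vrf], inside_dst)
            return (vrf, inside_dst, hops[0]) if len(hops) == 1 else None
    return None


def outbound(vrf: str, src_inside: str, dst: str) -> Optional[Tuple[str, str]]:
    """Packet arriving on a customer subinterface bound to `vrf`: the source
    is translated by that VRF's rule and the destination is routed in the
    VRF's own table. Returns (translated src, next hop) or None."""
    addr = ipaddress.ip_address(src_inside)
    for rule_vrf, inside, glob in NAT_RULES:
        if rule_vrf == vrf and addr in ipaddress.ip_network(inside):
            hops = lookup(ROUTES[vrf], dst)
            return (remap(src_inside, inside, glob), hops[0]) if len(hops) == 1 else None
    return None


if __name__ == "__main__":
    print("single table, 192.168.0.1 ->", lookup(SINGLE_TABLE, "192.168.0.1"))
    print("inbound 10.0.0.1 ->", inbound("10.0.0.1"))
    print("inbound 10.1.0.1 ->", inbound("10.1.0.1"))
    print("outbound test 192.168.0.1 ->", outbound("test", "192.168.0.1", "203.0.113.5"))
```

The single-table lookup returns two next hops for 192.168.0.1, which is the ambiguity the accepted solution points at: after the inbound translation the router has no way to tell which customer's 192.168.0.1 is meant. With the tables keyed by VRF, the NAT rule itself selects the table, so each translated destination has exactly one route.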

Expert Comment

by:JFrederick29
ID: 23658960
Awesome, nice job and thanks.