Overlapping internal subnets on different interfaces to same public interface

it-is-me
it-is-me asked
on
Medium Priority
5,888 Views
Last Modified: 2012-06-27
I have an issue where we have several sites connected to the same Cisco ASA5510 but to different subinterfaces. Some of the subnets use the same subnets (i.e. the very popular 192.168.0.0/24). I want to use PAT to let all of these subnets out through the same public interface but recognize that there will be issues with this since the subnets are not unique. To further complicate issues, the subnets are routed to the ASA using a /30-net in each interface. A solution (although not an option in this case since these aren't administered by me) would be to NAT in the router (Router1 and Router2 in the attached picture) and make the subnets unique to the ASA. Are there any chances of making this work with using just one ASA? One option is to get the Security Plus update, and run one security context to NAT and a second security context to PAT, but I'd rather solve it some other way if possible. Is there a possible solution to this either by using policy NAT or by combining NAT and PAT?
asa5510-pat-nat.png
Top Expert 2009

Commented:
Not that I can think of.  The problem with the ASA is that it needs to know where to route the traffic and you can't have two routes to the same subnet out different interfaces.  NAT'ing or PAT'ing the traffic on Router1 and Router2 before it hits the ASA is really the best solution so the two sites appear to the ASA as unique address space.

Author

Commented:
Hello JFrederick29 and thanks for your answer. Let me rephrase this a bit since I think I've come to terms with the fact that I cannot do all of this in the same ASA :-) Let's just say I want to do the "first" part (or the part closest to the customer) in the ASA, i.e. I want to do a static NAT of all of the subnets on each vlan interface to be able to reach these on unique subnets from the outside, where the static NAT is based not just on source and destination IP (as with policy NAT) but also on source interface. In the attached picture with the two subnets on 192.168.0.0/24, they are uniquely distinguishable through the fact that they exist on different interfaces, if I could just tell the ASA in some way that "traffic to subnet 10.0.0.0/24 should be statically NATed to 192.168.0.0/24 out interface 1, whereas traffic to subnet 10.0.1.0/24 should be statically NATed to 192.168.0.0/24 out interface 2". I do this in a Linux router today but am looking to replace it with an ASA. If the above is possible, I could place a second unit (security context or physical) to take care of the PAT part since it only needs to know about the translated, unique subnets (i.e. 10.0.0.0/24 and 10.0.1.0/24). It looks like policy NAT can _almost_ do this if I was only able to specify not just the src/dst subnets but also the src interface!
Top Expert 2009

Commented:
Unfortunately, not that I am aware of based on the fact that the ASA has one routing table (in single context mode) and you can't specify a route to the same subnet out two interfaces.  This is where the problem lies with the ASA.  If you use multiple contexts, you could setup one context for Network1 and a second context for Network2.  Each context would have its own routing table, NAT, access-list config, etc...  Other than that, doing NAT on Router1 and Router2 before it hits the ASA is really the only other option I can think of.

Author

Commented:
Would it be possible to do the same but using an isr2800-series router that is able to do policy routing? Please see the newly attached map.
In the attached scenario, a packet sent from Router4 to Router3 with dst IP 10.0.0.1 would be translated to 192.168.0.1 on inside1 and a packet from the Router4 to Router3 with dst IP 10.0.1.1 would be translated to 192.168.0.1 on inside2. Packets sent the other way (from either Router1 or Router2) to Router3 with src IP in the 192.168.0.0/24 subnet would be translated to 10.0.0.0/24 and 10.0.1.0/24, respectively. Thanks for bearing with me! Just tell me to give it a rest and I'll put my effort into convincing the owners of the Router1 and Router2 (there are actually 27 of those, hence the security context-solution is not really an option due to $$$) that they need to do the NAT instead... :-)
isr-pbr-route-nat.png
Top Expert 2009
Commented:
Again, routing is going to get you here with the router.  The problem is for inbound traffic from Router4, the router will first NAT and then route so if a connection is made to 10.0.0.1, the traffic is translated to 192.168.0.1 and the router then looks up the route to 192.168.0.1.  This is where you run into problems with the overlapping subnets.  What you might be able to do is look into using VRF's (like MPLS VPN) on the router to create a separate routing and NAT table for each customer.  This obviously adds complexity and the simpler approach would be NAT on Router1 and Router2.

Top Expert 2009

Commented:
it-is-me,

Instead of closing the question, how about accepting one of my comments as the answer.  I know you are closing your account but I put a good amount of time and effort into this question.  Points are the only compensation we get for doing this...

Author

Commented:
Hi JFrederick29, sorry I forgot to accept your answer, of course you should get recognition for your answer. By the way I have solved this by putting an isr2811 between the ASA and the customer routers. The ISR takes care of mapping all customer subnets (accept a full 192.168.0.0/16 on all vlan interfaces) and NATing them out on a unique 10.[0-100].0.0/16 subnet the other way round. The NVI feature in conjunction with VRF makes this a pretty simple solution to set up, relevant entries:

!
ip source-route
!
ip cef
!
! One VRF per customer site, so each site keeps its own copy of 192.168.0.0/16
ip vrf test
!
ip vrf test2
!
interface FastEthernet0/0
 description Outside interface to ASA device doing the NAT
 ip address 172.16.0.2 255.255.255.252
 ip nat enable
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache cef
 duplex auto
 speed auto
!
! Customer-facing subinterfaces, each placed in its own VRF; NVI-style NAT ("ip nat enable") instead of inside/outside
interface FastEthernet0/1.20
 encapsulation dot1Q 888
 ip vrf forwarding test
 ip address 172.16.0.5 255.255.255.252
 ip nat enable
!
interface FastEthernet0/1.40
 encapsulation dot1Q 999
 ip vrf forwarding test2
 ip address 172.16.0.9 255.255.255.252
 ip nat enable
!
ip forward-protocol nd
! Global table: the translated, unique customer prefixes point back toward the right site
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route 10.0.0.0 255.255.0.0 172.16.0.6
ip route 10.1.0.0 255.255.0.0 172.16.0.10
! Per-VRF tables: each holds its own 192.168.0.0/16, with a default route leaked to the global table
ip route vrf test 0.0.0.0 0.0.0.0 172.16.0.1 global
ip route vrf test 192.168.0.0 255.255.0.0 172.16.0.6
ip route vrf test2 0.0.0.0 0.0.0.0 172.16.0.1 global
ip route vrf test2 192.168.0.0 255.255.0.0 172.16.0.10
!
no ip http server
! Static network NAT: 192.168.0.0/16 in each VRF is presented to the ASA as a unique 10.x.0.0/16
ip nat source static network 192.168.0.0 10.0.0.0 /16 vrf test
ip nat source static network 192.168.0.0 10.1.0.0 /16 vrf test2
!
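A small model of the translation and routing logic that this configuration relies on, added here as an example and not taken from the thread: it mirrors the two static network NAT lines and the per-VRF routes of the posted config (prefixes and next hops come from the post; the table layout and function names are assumptions) and also shows why a single routing table cannot resolve the overlap that JFrederick29 described.

```python
import ipaddress
# Constructed from the posted config: vrf -> (customer net, unique global net toward the ASA)
STATIC_NETWORK_NAT = {
    "test":  (ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/16")),
    "test2": (ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.1.0.0/16")),
}
# Per-VRF routes toward the customer routers (the 'ip route vrf ...' lines of the post).
VRF_ROUTES = {
    "test":  [(ipaddress.ip_network("192.168.0.0/16"), "172.16.0.6")],
    "test2": [(ipaddress.ip_network("192.168.0.0/16"), "172.16.0.10")],
}

def _shift(addr, src_net, dst_net):
    """Keep the host bits of addr, replace src_net's network bits with dst_net's."""
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)

def next_hops(dst_ip, routes):
    """Longest-prefix match; more than one hit at the best length is the overlap problem."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [(net, nh) for net, nh in routes if ip in net]
    if not hits:
        return []
    best = max(net.prefixlen for net, _ in hits)
    return sorted({nh for net, nh in hits if net.prefixlen == best})

def inside_to_global(vrf, src_ip):
    """Customer -> ASA direction: the source is rewritten into the VRF's unique global net."""
    local_net, global_net = STATIC_NETWORK_NAT[vrf]
    ip = ipaddress.ip_address(src_ip)
    if ip not in local_net:
        return None  # outside the static mapping; this model does no other NAT
    return str(_shift(ip, local_net, global_net))

def global_to_inside(dst_ip):
    """ASA -> customer direction: the global prefix selects the VRF, the address is
    untranslated, and the route is looked up in that VRF's own table."""
    ip = ipaddress.ip_address(dst_ip)
    for vrf, (local_net, global_net) in STATIC_NETWORK_NAT.items():
        if ip in global_net:
            inside = str(_shift(ip, global_net, local_net))
            return vrf, inside, next_hops(inside, VRF_ROUTES[vrf])
    return None, dst_ip, []  # not a customer global address; stays in the global table

if __name__ == "__main__":
    # One table holding both customer routes cannot pick a next hop for 192.168.0.1.
    print(next_hops("192.168.0.1", VRF_ROUTES["test"] + VRF_ROUTES["test2"]))
    print(inside_to_global("test", "192.168.0.1"), inside_to_global("test2", "192.168.0.1"))
    print(global_to_inside("10.1.5.7"))
```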
Top Expert 2009

Commented:
Awesome, nice job and thanks.