Cisco ASA 5500 - How can I VPN to a site that has overlapping subnets with my Cisco ASA's local LAN?

I have a Cisco ASA 5505 running 8.2.5 firmware.  I have to VPN with a subnet that has the same IP range as my site, but I need to be able to be the initiator as WELL as the responder.  I'm not sure what the best way to do this is.

My site:
Remote site:

My initial thought was to Policy-Nat both sides with a NAT OVERLOAD, which would work fine, but I need to be able to talk back to (2) specific hosts on that LAN, and that LAN needs to be able to talk back to (2) specific hosts on MY LAN.

MY LAN: , needs to talk to the remote site's IPs: , 10.0.1.101.

My thought was:

NAT my site as:
NAT remote site to me as:

on my side:  
host 1 -
host 2 -

on remote site:

host 1 -
host 2 -

interesting traffic acl:

Normally, I would also include a NAT (inside) 0 statement that matches the interesting traffic ACL so that it does not NAT, but in this case I DO want these hosts to 1-to-1 NAT as,51 to inside, do I skip the NAT (INSIDE) 0?  

Also, does this get complicated if those hosts have any static (inside,outside) relationships with the OUTSIDE interface?  Say, one of them is serving a web server or email server?  I know how to do a P-NAT to send these hosts out as the specific IP's that I want them to send out as:

access-list PNAT-1 permit ip host
access-list PNAT-2 permit ip host
global (outside) 10
global (outside) 11
nat (inside) 10 access-list PNAT-1
nat (inside) 11 access-list PNAT-2

But how can I get,51 to accept inbound traffic on all ports and pass it to inside host,51?  

Once I know how to set site 1 up, the second site is just a reflection of that...but I keep getting stuck on the NAT INBOUND (static inside, outside).  The VPN comes up, but I can't get the hosts to talk.
jkeegan123 (Author) commented:
both sites are ASA's with the same firmware.
Gareth Gudger (Solution Architect) commented:

Agreed, static NAT.

Do not accept my answer as it's all in that link.

jkeegan123 (Author) commented:
What about the static communication between the hosts on each NATted subnet? In the article it describes pulling this off with a static (inside,outside) and an access list for policy NAT... but what will the result be when talking to the destination subnet? Will all IPs on the destination translated subnet be accessible automatically? I expected having to map 1 to 1... can anyone elaborate? The example is a bit thin on the resulting details.

Gareth Gudger (Solution Architect) commented:
All IPs should be available. Basically the policy NAT is changing the internal IP range on each router to be something else when it passes through the interfaces. In their example ASA-1 becomes  to the other router, and ASA-2 becomes  to the other router.
jkeegan123 (Author) commented:
So it's a wildcard for the last octet? Everything is transposed to the translated subnet except for the last octet? So  translates to , and  becomes ?
Gareth Gudger (Solution Architect) commented:
Actually not really. Your  is being translated to a completely new LAN that doesn't physically exist, if that's the best way to describe it.

So if we use your IPs as an example and bringing in the flavor of this article.

They would make:

Local Site:  translates to a brand new subnet  (assuming that doesn't exist in either environment already).


Remote Site:  translates to another brand new subnet,  (assuming that also doesn't already exist in either network).

These subnets in essence only really exist on each router and not physically. The VPN tunnel at each end is only aware of  and . Once traffic arrives back at each site it is NATed back to its original .

Hope this helps.
jkeegan123 (Author) commented:
But in order to access the hosts on the now-translated LAN at the destination, what IP do I call? If the destination real IP is , and I'm translating to , do I call  in order to access the SQL server on ?
Jan Springer commented:
Simply do not include your inside to their inside in the NONAT and have your encryption domain be your public to their private.

That's it.
jkeegan123 (Author) commented:
I have just tested this out and I was able to get the tunnel to come up very easily, and the subnet appears to be NATted on both sides to an alternate subnet, but I am unable to hit any of the hosts that I need to hit on those respective VPNs, either from the local side to the remote side or from the remote side to the local side. Does there also need to be a static one-to-one for each specific translated IP on that new translated subnet to its individual real IP?
Jan Springer commented:
If you have enough spare public IPs for the inside subnet, do a static NAT for the two IPs you need in the VPN and don't include your inside to their inside in your nonat statements.

Your encryption domain can be your entire public subnet.  If you don't have enough public IPs, ask your provider for a /29.
jkeegan123 (Author) commented:
All public IPs in my /29 are in use; how can this be done with the translated IPs?
Jan Springer commented:
Do you have two public IPs that you can use to statically NAT those two inside IPs needed for the VPN?
Jan Springer commented:
static (inside,outside) PUBLIC_IP_1 netmask
static (outside,inside) PUBLIC_IP_1 netmask

static (inside,outside) PUBLIC_IP_2 netmask
static (outside,inside) PUBLIC_IP_2 netmask

access-list VPN extended permit ip YOUR_PUBLIC_SUBNET MASK

crypto map SOME_NAME 10 match address VPN

(changing the "10" above to whatever ruleset you are using).
jkeegan123 (Author) commented:
Not public IPs, but in the examples I was NATting to , so  would become . Do I do a static (inside,outside) access-list PNAT-acl?
Jan Springer commented:
That should work.
jkeegan123 (Author) commented:
By the way, this never was able to work and now this is coming up again... does anyone have example configurations of this working?  I have to VPN 2 sites with the same PRIVATE subnet.  Given the examples above, I was not able to do:

- Leave out my private subnet from the NONAT and set the encryption domain to my private to their public - THIS DIDN'T WORK BECAUSE I NEED TO ACCESS 7 SPECIFIC HOSTS ON THEIR INSIDE NETWORK ACROSS THE VPN.
- PUBLIC NAT to PRIVATE NAT plus VPN - I only have a /29 (5 usable IP addresses), so this will not work for the 7 hosts that I have to access.
- In the Cisco example article at the top, it LOOKS like I should be able to do a complete NAT HIDE and wildcard everything except for the last octet, but this did NOT work to pass traffic to specific hosts (even though the tunnel DID come up).

Can we wake this issue up?
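The pair of configurations the thread keeps asking for (the original question and the last comment above), written out here as an added example; it is not taken from the thread, from the Cisco article the answers refer to, or from either site's real configuration. All addressing is hypothetical: both sites use 192.168.1.0/24 as their real LAN, Site A presents itself across the tunnel as 10.10.1.0/24 and Site B as 10.10.2.0/24, the outside addresses 203.0.113.1 and 198.51.100.1, the ACL and crypto map names, the web-server static on 203.0.113.5 and the 172.16.50.0/24 network in the NAT exemption exist only for illustration. Syntax is ASA 8.2 (pre-8.3 NAT), matching the 8.2.5 firmware on both boxes.

```cisco
! ---------- Site A: ASA 5505, 8.2(5) (hypothetical addressing) ----------
! Real inside LAN 192.168.1.0/24 is shown to Site B as 10.10.1.0/24.
! Site B's identical 192.168.1.0/24 is reached from Site A as 10.10.2.0/24.
! Site A outside: 203.0.113.1   Site B outside: 198.51.100.1

! 1. Policy static NAT: real inside -> mapped, only for traffic whose
!    destination is Site B's mapped subnet. A net-to-net static keeps the
!    host part, so 192.168.1.10 at Site A is 10.10.1.10 to Site B and no
!    per-host statics are needed. A static is bidirectional, so this one
!    line also untranslates inbound 10.10.1.x when Site B is the initiator.
access-list OVERLAP-A-TO-B extended permit ip 192.168.1.0 255.255.255.0 10.10.2.0 255.255.255.0
static (inside,outside) 10.10.1.0 access-list OVERLAP-A-TO-B

! 2. Encryption domain (interesting traffic) is mapped-to-mapped. The real
!    192.168.1.0/24 must not appear here; it no longer exists past the NAT.
access-list VPN-A-TO-B extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0

! 3. NAT exemption (nat 0 access-list) is evaluated BEFORE static NAT on 8.2.
!    Any NONAT entry covering 192.168.1.0/24 -> 10.10.2.0/24 (or -> 192.168.1.0/24)
!    would bypass the policy static above: the tunnel still builds, but no
!    flow ever matches VPN-A-TO-B. This tunnel is deliberately absent here;
!    the entry below is an unrelated tunnel that keeps its exemption.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. Ordinary Internet PAT for everything else; statics take precedence.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 5. An existing public static for a web server on the same host stays in
!    place: the policy static is consulted for traffic matching its ACL,
!    this regular static for the rest. Confirm with packet-tracer (see note).
static (inside,outside) 203.0.113.5 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.5 eq 443
access-group OUTSIDE-IN in interface outside

! 6. IKEv1/IPsec tunnel to Site B.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-A-TO-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
! Default on the ASA; lets decrypted VPN traffic bypass the outside ACL.
sysopt connection permit-vpn

! ---------- Site B: mirror image ----------
access-list OVERLAP-B-TO-A extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
static (inside,outside) 10.10.2.0 access-list OVERLAP-B-TO-A
access-list VPN-B-TO-A extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-B-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
sysopt connection permit-vpn
```

With this in place a Site B host reaches the Site A SQL server at 10.10.1.x (the mapped address, never 192.168.1.x), and Site A reaches Site B hosts at 10.10.2.x; that is the answer to the "what IP do I call" question. Before blaming the tunnel, check the NAT path on the ASA itself: `packet-tracer input inside tcp 192.168.1.10 12345 10.10.2.20 1433` on Site A should show a NAT phase that picks the OVERLAP-A-TO-B static and a VPN phase that matches the crypto map; if it shows nat 0 (exemption) or the regular 203.0.113.5 static instead, the NONAT ACL or static ordering is the problem (statics are matched in configuration order, so put the policy static ahead of the regular static for the same host). `show xlate` after a test connection should list the 192.168.1.10/10.10.1.10 translation, and `show crypto ipsec sa` should show encaps/decaps counters moving in both directions.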