How can I NAT traffic for one VPN to come from a different IP on Cisco ASA?

Question

I have a Cisco ASA firewall between our private network (10.1.0.0/16) and the outside world, and multiple VPNS going to client sites.

Existing:

[10.1.0.2...] = source client
       |
[10.1.0.1 ASA <public>]---{other VPNs...}
                  |
                {VPN}
                  |
              [<public> Router <private>]
                                   |
                              [<private>] = destination server

I now need to make a connection to someone else to talk to servers within their organisation, but to avoid conflicting with other parts of their network need my IPs to look as though they are in the range 192.168.50.0/24, rather than 10.1.0.0/16.

Desired (from the point of view of the remote network):

[192.168.50.2...] = source client
       |
     [<?> ASA <public>]
                  |
                {VPN}
                  |
              [<public> Router <private>]
                                   |
                              [<private>] = destination server

I still need to keep our existing configuration for all other VPNs, so haven't got the option of re-IPing our internal network, and would like to create some NAT rules in the Cisco instead.

What do I need to configure to achieve this scenario, please?

Answer 1

Iain,

What you are referring to is pretty common...you have overlapping internal subnets that won't pass traffic properly if setup on a normal IPSEC VPN tunnel (site to site).

The idea is to do a Policy NAT for the VPN traffic to change your 10.1.0.0/16 to 192.168.50.0/24 if it is tunneling over the VPN.

Cisco has a great writeup on how to do this: LAN-to-LAN VPN with overlapping subnets

There's a blog post here as well if you are using a later ASA version: ASA VPN with overlapping subnets

Hope that helps.