How to Route Traffic between Two Overlapping Network Hosts in Virtual Routing

You can configure hosts on virtual routers that have the same network address. If those hosts need to communicate, you can configure twice NAT. This example provides the procedure to configure the NAT rules that manage the overlapping network hosts.

In the following example, two hosts, Host A and Host B, belong to different virtual routers, VRG (interface vrg-inside) and VRB (interface vrb-inside) respectively, and share the same subnet 10.1.1.0/24. For the two hosts to communicate, create a NAT policy in which the VRG-Host interface object uses the mapped NAT address 20.1.1.1 and the VRB-Host interface object uses the mapped NAT address 30.1.1.1. Thus, Host A uses 30.1.1.1 to communicate with Host B, and Host B uses 20.1.1.1 to reach Host A.

Before you begin

This example assumes that you have already configured:

  • vrg-inside and vrb-inside interfaces are associated with virtual routers VRG and VRB respectively, and both interfaces are configured with the same subnet address (say, 10.1.1.0/24).

  • Interface zones VRG-Inf and VRB-Inf are created with the vrg-inside and vrb-inside interfaces respectively.

  • Host A in VRG with vrg-inside as default gateway; Host B in VRB with vrb-inside as default gateway.

Procedure


Step 1

Create the NAT rule to handle traffic from Host A to Host B. Choose Devices > NAT.

Step 2

Click New Policy > Threat Defense NAT.

Step 3

Enter a NAT policy name, and select the threat defense device. Click Save.

Step 4

In the NAT page, click Add Rule and define the following:

  • NAT Rule—Select Manual NAT Rule.

  • Type—Select Static.

  • Insert—Select Above, if any NAT rule exists.

  • Click Enabled.

  • In Interface Objects, select VRG-Inf object and click Add to Source (If the object isn’t available, create one in Object > Object Management > Interface), and select VRB-Inf object and click Add to Destination.

  • In Translation, select the following:

    • Original Source, select vrg-inside.

    • Original Destination, click Add and define object VRB-Mapped-Host with 30.1.1.1. Select VRB-Mapped-Host.

    • Translated Source, click Add and define object, VRG-Mapped-Host with 20.1.1.1. Select VRG-Mapped-Host.

    • Translated Destination, select vrb-inside as shown in the following figure:

When you run the show nat detail command on the threat defense device, you will see an output similar to this:

firepower(config-service-object-group)# show nat detail
Manual NAT Policies (Section 1)
1 (2001) to (3001) source static vrg-inside VRG-MAPPED-HOST destination static VRB-MAPPED-HOST vrb-inside
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.1.1.1/24, Translated: 20.1.1.1/24
Destination - Origin: 30.1.1.1/24, Translated: 10.1.1.1/24
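To make the translation shown in that output concrete, here is an added Python model of the static manual (twice) NAT rule; it is not part of the original procedure or of the threat defense software. It assumes the rule matches on the ingress interface object plus both original addresses, that the static mapping covers the whole /24 shown in the show nat detail output while preserving the host offset, and that the same rule un-translates the reverse direction (which is what the translate_hits and untranslate_hits counters record). The host addresses 10.1.1.1 on both sides are constructed to match the output above.

```python
"""Model of one static manual (twice) NAT rule between two overlapping virtual routers."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    zone: str   # interface zone: ingress zone on input, egress zone on the translated result
    src: IPv4
    dst: IPv4


def _remap(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """Static NAT keeps the host offset: 10.1.1.7 in 10.1.1.0/24 -> 20.1.1.7 in 20.1.1.0/24.

    Assumption: the /24 in the show nat detail output means a subnet-wide mapping.
    """
    return to_net.network_address + (int(addr) - int(from_net.network_address))


@dataclass
class TwiceNatRule:
    src_zone: str      # Source interface object      (VRG-Inf)
    dst_zone: str      # Destination interface object (VRB-Inf)
    orig_src: Net      # Original Source              (vrg-inside, 10.1.1.0/24)
    mapped_src: Net    # Translated Source            (VRG-Mapped-Host, 20.1.1.1/24)
    orig_dst: Net      # Original Destination         (VRB-Mapped-Host, 30.1.1.1/24)
    mapped_dst: Net    # Translated Destination       (vrb-inside, 10.1.1.0/24)
    translate_hits: int = 0
    untranslate_hits: int = 0

    def apply(self, pkt: Packet) -> Optional[Packet]:
        # Forward direction: Host A (in VRG) sends to the mapped address of Host B.
        if pkt.zone == self.src_zone and pkt.src in self.orig_src and pkt.dst in self.orig_dst:
            self.translate_hits += 1
            return Packet(self.dst_zone,
                          _remap(pkt.src, self.orig_src, self.mapped_src),
                          _remap(pkt.dst, self.orig_dst, self.mapped_dst))
        # Reverse direction: static NAT is bidirectional, so Host B's reply (or a new
        # connection from Host B to 20.1.1.1) is un-translated by the same rule.
        if pkt.zone == self.dst_zone and pkt.src in self.mapped_dst and pkt.dst in self.mapped_src:
            self.untranslate_hits += 1
            return Packet(self.src_zone,
                          _remap(pkt.src, self.mapped_dst, self.orig_dst),
                          _remap(pkt.dst, self.mapped_src, self.orig_src))
        return None  # no match: the packet stays inside its own virtual router untouched


def overlapping_vr_rule() -> TwiceNatRule:
    """The rule from the procedure; strict=False lets 20.1.1.1/24 denote the 20.1.1.0/24 block."""
    return TwiceNatRule("VRG-Inf", "VRB-Inf",
                        Net("10.1.1.0/24"), Net("20.1.1.1/24", strict=False),
                        Net("30.1.1.1/24", strict=False), Net("10.1.1.0/24"))


def demo() -> dict:
    """Run the three cases a practitioner would check: forward, reverse, and a non-match."""
    rule = overlapping_vr_rule()
    host_a = IPv4("10.1.1.1")   # constructed: Host A in VRG
    host_b = IPv4("10.1.1.1")   # constructed: Host B in VRB, same address as Host A
    # Host A reaches Host B through the mapped address 30.1.1.1.
    fwd = rule.apply(Packet("VRG-Inf", host_a, IPv4("30.1.1.1")))
    # Host B reaches Host A through the mapped address 20.1.1.1.
    rev = rule.apply(Packet("VRB-Inf", host_b, IPv4("20.1.1.1")))
    # A packet from VRB aimed directly at 10.1.1.1 never matches: different ingress zone and
    # no mapped destination, so VRB routes it locally and the overlap does not leak across.
    miss = rule.apply(Packet("VRB-Inf", host_b, host_a))
    return {
        "forward": (str(fwd.src), str(fwd.dst), fwd.zone),
        "reverse": (str(rev.src), str(rev.dst), rev.zone),
        "miss": miss,
        "hits": (rule.translate_hits, rule.untranslate_hits),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forward case reproduces the show nat detail lines above: source 10.1.1.1 becomes 20.1.1.1 and destination 30.1.1.1 becomes 10.1.1.1 as the packet leaves toward vrb-inside; the reverse case shows why Host B can address Host A as 20.1.1.1 without any ambiguity with its own 10.1.1.0/24.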

Step 5

Click Ok.

Step 6

Click Save.

The NAT rule looks like this:

When you deploy the configuration, a warning message appears: