topic Re: returning packet going back the way they came in General Topics

returning packet going back the way they came

Alex_Samad — Sun, 15 Oct 2023 04:15:54 GMT

I have need to connect to a new site - they have over lapping IP address ranges.

I have agreed to re number - all good. want to setup a IPSEC tunnel and I would like to SNAT all traffic from this new site

so lets that I am using 192.168.10-20.0/24 and the space is 192.168.240-250.0/24

So its going to take a while to get it all renumbered

for this lets say I have

192.168.10.0 - vlan 10

192.168.11.0 - vlan 11

192.168.12.0 - vlan 12

192.168.13.0 - vlan 13

192.168.14.0 - vlan 14

and I have added a second address range onto vlan14

192.168.244.0 vlan14

on the ipsec tunnel we are using 10.0.0.0/30 .1 their end and .2 my end

lets say they have a device on their end 192.168.12.50 thats trying to connect to my device 192.244.50 - lets say ssh

packet coming in on the ipsec tunnel comes in s address of 192.168.12.50 and I snat that to 10.0.0.1

.1 is the default gateway and the PA is .1

so return packet goes 192.244.50 return to 10.0.0.1 , the pa un snat it back to 192.168.12.50, now I want this packet to go back over the ipsec tunnel - can I use PBF will that work

remember I also want packets from 192.244.50 to 192.168.12.50 to not go out of the ipsec tunnel but out vlan 12

On linux I can do this I can tag packet flows and route according to their tag - quick read of PBF seems to sugget is might help I set up PBF from the ipsec tunnel to 192.244.50 and tall it to use the same route back !!

Or I can setup a new vsys hide all of the stuff there and do the snat there and then route between vsys...
how easy is it to convert a single setup on a 5220 to a multi vsys setup !!! and how do I route between vsys - haven't found that easy.

is doing a vsys the only way to do a vrf / private routing table ??

Re: returning packet going back the way they came

Raido_Rattameister — Sun, 15 Oct 2023 16:40:56 GMT

With overlapping subnets at both sides you need NAT policies on both side and different subnet in routing.

Example

Site 1 - 192.168.0.0/16

Site 2 - 192.168.0.0/16

To access resources from site 1 to site 2 you need to use fake IP let's say 10.2.0.0/16

So you route 10.2.0.0/16 into tunnel towards site 2.

Firewall on site 2 side applies DNAT 10.2.0.0/16 > 192.168.0.0/16

To access resouces form site 2 to site 1 you use different fake IP let's say 10.1.0.0/16

So you route 10.1.0.0/16 into tunnel from site 2 towards site 1.

Firewall on site 1 side applies DNAT 10.1.0.0/16 > 192.168.0.0/16

Pay attention that unless you add static route for 10.1.0.0/16 and 10.2.0.0/16 towards inside zones they are routed to WAN so NAT rules must have WAN zone as destination for them to match.

Re: returning packet going back the way they came

Alex_Samad — Sun, 15 Oct 2023 20:16:07 GMT

Yes got that if I can nat on both side - if I can't I want to do it all on one side. with a linux box I can do it all on the linux box.

is it not possible with PA

not even with vsys