https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/573619#M115322 <P>Hi,</P> <P>&nbsp;</P> <P>We have a Palo VM with advanced routing enabled.</P> <P>&nbsp;</P> <P>We have 2 customers with overlapping networks (172.16.0.0/24). Those networks must be accessible by the same servers (in connected network 10.1.1.0/24).<BR />Customer1 network is routed via a static route to another router, Customer2 network is behind a IPSec VPN configured on the Palo VM.</P> <P>We can't ask any customer to add NAT rules on their side.</P> <P>&nbsp;</P> <P>The first solution that came in our mind is to use destination NAT in order to hide the 2nd customer network with another one (10.2.2.0/24) on our side.</P> <P>&nbsp;</P> <P>What we tried to do is to configure a 2nd logical router (LR2) for customer 2, configure the IPSec tunnel interface there it, add Customer2 network 172.16.0.0/24 route via tunnel1 and to route 10.1.1.0/24 back to main logical router (LR1). On LR1 we have a route for the translated Customer2 network (10.2.2.0/24) via LR2.</P> <P>&nbsp;</P> <P>To access Customer2 network from servers we would use 10.2.2.0/24 network and translate it to 172.16.0.0/24 when it leaves LR2 via VPN.</P> <P>&nbsp;</P> <P>It doesn't work because the NAT rule is applied before the routing decision is made because the destination is translated to 172.16.0.0/24 before trafic being handle by LR2 and so is routed to Customer1 instead of Customer2.</P> <P>&nbsp;</P> <P>Do you have any idea how we can get around these limitations while still keeping traffic on the same firewall?</P> <P>&nbsp;</P> <P>Thanks.</P> <P>Regards,</P> <P>Emilien RICHARD</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo.jpg" style="width: 880px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56670iA6F10D8076191128/image-dimensions/880x452/is-moderation-mode/true?v=v2" width="880" height="452" role="button" title="palo.jpg" alt="palo.jpg" /></span></P> <P> </P> <P>&nbsp;</P> Fri, 19 Jan 2024 11:08:11 GMT EmilienRichard 2024-01-19T11:08:11Z https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/573619#M115322 <P>Hi,</P> <P>&nbsp;</P> <P>We have a Palo VM with advanced routing enabled.</P> <P>&nbsp;</P> <P>We have 2 customers with overlapping networks (172.16.0.0/24). Those networks must be accessible by the same servers (in connected network 10.1.1.0/24).<BR />Customer1 network is routed via a static route to another router, Customer2 network is behind a IPSec VPN configured on the Palo VM.</P> <P>We can't ask any customer to add NAT rules on their side.</P> <P>&nbsp;</P> <P>The first solution that came in our mind is to use destination NAT in order to hide the 2nd customer network with another one (10.2.2.0/24) on our side.</P> <P>&nbsp;</P> <P>What we tried to do is to configure a 2nd logical router (LR2) for customer 2, configure the IPSec tunnel interface there it, add Customer2 network 172.16.0.0/24 route via tunnel1 and to route 10.1.1.0/24 back to main logical router (LR1). On LR1 we have a route for the translated Customer2 network (10.2.2.0/24) via LR2.</P> <P>&nbsp;</P> <P>To access Customer2 network from servers we would use 10.2.2.0/24 network and translate it to 172.16.0.0/24 when it leaves LR2 via VPN.</P> <P>&nbsp;</P> <P>It doesn't work because the NAT rule is applied before the routing decision is made because the destination is translated to 172.16.0.0/24 before trafic being handle by LR2 and so is routed to Customer1 instead of Customer2.</P> <P>&nbsp;</P> <P>Do you have any idea how we can get around these limitations while still keeping traffic on the same firewall?</P> <P>&nbsp;</P> <P>Thanks.</P> <P>Regards,</P> <P>Emilien RICHARD</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo.jpg" style="width: 880px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56670iA6F10D8076191128/image-dimensions/880x452/is-moderation-mode/true?v=v2" width="880" height="452" role="button" title="palo.jpg" alt="palo.jpg" /></span></P> <P> </P> <P>&nbsp;</P> Fri, 19 Jan 2024 11:08:11 GMT https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/573619#M115322 EmilienRichard 2024-01-19T11:08:11Z https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/573715#M115339 <P>Well forwarding look happens first and than the NAT lookup probably an issue with the route.<BR /><BR />In the slowpath stage of the life of packet first forwarding look happen than nat look for the destination nat.<BR /><BR /></P> Fri, 19 Jan 2024 21:47:34 GMT https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/573715#M115339 msyeedrafiqi 2024-01-19T21:47:34Z https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/573784#M115351 <P>&nbsp;</P> <P>Hi</P> <P>&nbsp;</P> <P>Yes, there is a first route lookup then destination NAT rule applies but then another route lookup is done with the translated address. That’s what poses a problem to us. We are looking for another way to do this kind of configuration, have you other ideas ?</P> <P>&nbsp;</P> <P>Thanks<BR />see : <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0</A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_6364.jpeg" style="width: 998px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56727iBDD43CAA4EB5D82B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="IMG_6364.jpeg" alt="IMG_6364.jpeg" /></span></P> Sat, 20 Jan 2024 12:58:58 GMT https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/573784#M115351 EmilienRichard 2024-01-20T12:58:58Z https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/574181#M115414 <P>Hello,</P> <P>Hopefully I understood the question. Check out this article on overlapping subnets.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSGCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSGCA0</A></P> <P>&nbsp;</P> <P>Regards,</P> Tue, 23 Jan 2024 22:28:31 GMT https://live.paloaltonetworks.com/t5/general-topics/advanced-routing-nat-for-overlapping-networks-between-2-logical/m-p/574181#M115414 OtakarKlier 2024-01-23T22:28:31Z