https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000311#M122782 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/692609599">@D.Callahan</a>,</P> <P>To expand on what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841">@JayGolf</a> mentioned; you can either set this up as is and utilize NAT to get around the conflicting subnets, or you take the easier route and change one side. It's easiest in a lot of environments to just forgo the overlapping subnets if possible so you don't have to worry about setting specific DNS entries or the like up to direct traffic from one network to the next.</P> <P>&nbsp;</P> <P>If you need to deal with the overlapping subnets, and it looks like you just need access to a single node, that would be done via NAT to remove the conflict. There used to be a good KB about this that appears to have been removed, but <A href="https://faatech.be/palo-alto-networks-ipsec-site-to-site-with-overlapping-subnets-networks/" target="_self">THIS</A> describes the process perfectly fine with a quick search. That should help get you in the right direction.</P> Tue, 07 Jan 2025 22:53:02 GMT BPry 2025-01-07T22:53:02Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000302#M122776 <P>Quick question on setting a site to site vpn, using tunnel mode. If I have a site "A" peer going and connecting with a site "B" peer for a VPN, can both sites have the same IP address subnet, or will that conflict?&nbsp;</P> <P>&nbsp;</P> <P>Scenario:</P> <P>&nbsp; Site A: 192.168.20.5/24 (Local LAN)</P> <P>&nbsp; Site B: 192.168.20.88/24 (Local LAN)</P> <P>&nbsp;</P> <P>Would a NAT be required within the Palo Alto Firewall if I did not change one of sites subnets?</P> Tue, 07 Jan 2025 21:07:34 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000302#M122776 D.Callahan 2025-01-07T21:07:34Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000306#M122779 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/692609599">@D.Callahan</a>&nbsp;,</P> <P>&nbsp;</P> <P>Yes, you will need to create a unique subnet that doesn't overlap with any of your managed subnets, make sure you point routing to those new subnets via the tunnel, and create the appropriate NAT policies.&nbsp;</P> Tue, 07 Jan 2025 21:49:18 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000306#M122779 JayGolf 2025-01-07T21:49:18Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000311#M122782 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/692609599">@D.Callahan</a>,</P> <P>To expand on what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841">@JayGolf</a> mentioned; you can either set this up as is and utilize NAT to get around the conflicting subnets, or you take the easier route and change one side. It's easiest in a lot of environments to just forgo the overlapping subnets if possible so you don't have to worry about setting specific DNS entries or the like up to direct traffic from one network to the next.</P> <P>&nbsp;</P> <P>If you need to deal with the overlapping subnets, and it looks like you just need access to a single node, that would be done via NAT to remove the conflict. There used to be a good KB about this that appears to have been removed, but <A href="https://faatech.be/palo-alto-networks-ipsec-site-to-site-with-overlapping-subnets-networks/" target="_self">THIS</A> describes the process perfectly fine with a quick search. That should help get you in the right direction.</P> Tue, 07 Jan 2025 22:53:02 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000311#M122782 BPry 2025-01-07T22:53:02Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000673#M122794 <P>All,</P> <P>&nbsp;&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841">@JayGolf</a> and <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> Thank you for the insight on this subject matter. For the one side NAT, if I choose to add more remote sites in the future then would I have to create a one-site NAT to each of the remote tunnels?&nbsp;</P> <P>&nbsp;</P> <P>Thanks again, this was very helpful.&nbsp;</P> Wed, 08 Jan 2025 14:21:19 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1000673#M122794 D.Callahan 2025-01-08T14:21:19Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1001986#M122816 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/692609599">@D.Callahan</a>&nbsp;,</P> <P>&nbsp;</P> <P>No prob! As far as adding additional remote sites in the future, I would recommend to ensure CIDRs are free to use and not overlapping. This way you don't have to rely on setting up NAT and you can perform full routing. I would definitely reserve some space within your network for remote sites.&nbsp;</P> Thu, 09 Jan 2025 17:39:27 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1001986#M122816 JayGolf 2025-01-09T17:39:27Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1002132#M122817 <P>Sounds good, thanks JayGolf.&nbsp;</P> Thu, 09 Jan 2025 21:07:19 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn/m-p/1002132#M122817 D.Callahan 2025-01-09T21:07:19Z