https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17957#M13070 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>Your NAT policies should like below:</P><P><IMG class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/12175_pastedImage_0.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>Make sure that routing for 192.168.98.5/32 and 172.16.0.0/16 points to tunnel interface.</P><P>Assuming Out destination zone points to Tunnel interface.</P><P></P><P>Your security policies should like below:</P><P><IMG class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/12185_pastedImage_1.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Tue, 18 Mar 2014 04:02:24 GMT hyadavalli 2014-03-18T04:02:24Z https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17954#M13067 <HTML><HEAD></HEAD><BODY><P class="x_MsoNormal" style="margin-bottom: 10pt;"><STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">scenario</SPAN></STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;"></SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">Site A</SPAN></STRONG></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">Any equipment IPSec firewall<BR />internal interface: 172.16.0.1 255.255.0.0<BR />external Interface:20.1.1.10<BR />Internal Network: 172.0.0.0/8</SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">VPN proxy ID</SPAN></STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;"><BR /><BR />Local: 172.16.0.0/16<BR />Remote: 192.168.98.5/32</SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">Site B</SPAN></STRONG></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">Equipment PA-2050<BR />internal interface: 172.22.6.245<BR />external Interface: 20.1.1.20<BR />Internal Network: 172.0.0.0/8</SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">VPN proxy IP<BR /></SPAN></STRONG><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;"><BR />Local: 172.22.0.0/16<BR />Remote: 192.168.98.5</SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;"><BR />A host 172.16.0.x in Site A needs access server (172.22.6.244) in Site B by IPSec VPN Tunnel </SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">Problem 1: The internal networks in Site A has a Vlan with 172.22.0.0/8<BR />Problem 2: The internal networks in Site B has a Vlan with 172.16.0.0/24</SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">How it works today with Cisco ASA: <BR /><BR />- The host in site A initiates connection to the IP 192.168.98.5 <BR />- The PA-2050 perfoms dynamic NAT with source 172.16.0.0/24 para o IP 192.168.98.5<BR />- O PA-2050 perfoms a static NAT with source 172.22.6.244 para 192.168.98.5</SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;"><BR /></SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;">NAT ASA<BR /></SPAN></P><P class="x_MsoNormal" style="margin-bottom: 10pt;"><SPAN lang="EN" style="line-height: 115%; font-family: 'Calibri','sans-serif'; font-size: 11pt;"><IMG 12133="" /></SPAN></P><P></P><P>NAT PA</P><P></P><P><IMG __jive_id="12129" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/12129_pastedImage_3.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>Topology</P><P></P><P></P><P></P><P></P><P></P><P><SPAN style="font-size: 12pt;">My problem</SPAN><SPAN style="font-size: 12pt;"> <SPAN class="hps">is</SPAN> <SPAN class="hps">that</SPAN> <SPAN class="hps">NAT</SPAN> <SPAN class="hps">not</SPAN> <SPAN class="hps">return</SPAN> <SPAN class="hps">this</SPAN> <SPAN class="hps">worked</SPAN> <SPAN class="hps">Static</SPAN> <SPAN class="hps">NAT</SPAN> <SPAN class="hps">not</SPAN> <SPAN class="hps">working properly</SPAN> <SPAN class="hps">in</SPAN> <SPAN class="hps">this</SPAN> </SPAN><SPAN style="font-size: 12pt;">Paloalto!!!!!!!!<IMG __jive_id="_topologia1.png'" style="width: 620px; height: 344px;" /></SPAN></P></BODY></HTML> Fri, 14 Mar 2014 13:36:52 GMT https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17954#M13067 Netsul 2014-03-14T13:36:52Z https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17955#M13068 <HTML><HEAD></HEAD><BODY><P>Hello Netsul,</P><P>Could you please follow the doc <A href="https://live.paloaltonetworks.com/docs/DOC-1594">Configuring route based IPSec with overlapping networks</A> for the same. Specially the NAT part of the PAN firewall.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 14 Mar 2014 16:20:17 GMT https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17955#M13068 HULK 2014-03-14T16:20:17Z https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17956#M13069 <HTML><HEAD></HEAD><BODY><P><SPAN class="hps">Hi</SPAN> </P><P></P><P><SPAN class="hps">Hulk</SPAN> <SPAN class="hps">verificaquei</SPAN> <SPAN class="hps">the document</SPAN> <SPAN class="hps">did not work</SPAN> <SPAN class="hps">over</SPAN> <SPAN class="hps">NAT</SPAN> <SPAN class="hps">return</SPAN></P></BODY></HTML> Fri, 14 Mar 2014 16:52:45 GMT https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17956#M13069 Netsul 2014-03-14T16:52:45Z https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17957#M13070 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>Your NAT policies should like below:</P><P><IMG class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/12175_pastedImage_0.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>Make sure that routing for 192.168.98.5/32 and 172.16.0.0/16 points to tunnel interface.</P><P>Assuming Out destination zone points to Tunnel interface.</P><P></P><P>Your security policies should like below:</P><P><IMG class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/12185_pastedImage_1.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Tue, 18 Mar 2014 04:02:24 GMT https://live.paloaltonetworks.com/t5/general-topics/need-to-configure-ip-sec-vpn-between-2-sites-with-overlapping/m-p/17957#M13070 hyadavalli 2014-03-18T04:02:24Z