topic Re: Overlapping Subnets and NAT in General Topics

Overlapping Subnets and NAT

BrettBrown — Tue, 28 Mar 2017 04:11:14 GMT

Hello,

I have a new client we have a direct L3 link with. Our firewall has an existing directly connected interface on the 10.10.0.0/16 subnet. Our client also has a subnet of 10.10.0.0/16 which we need to get to.

During my initial testing I decided just to access a /24 of the clients /16. I am natting the client subnet of 10.10.101.0/24 to 172.17.101.0/24.

I have a NAT policy with a source of another of my internal subnets (not the 10.10.0.0/16), destination of 172.17.101.0/24, source nat to a synamic ip+port, destination nat to 10.10.101.0/24.

When the destination NAT kicks in it checks the source VR for its route which is the directly connected interface and attempts route it locally. If I remove the destination nat it hits the destination interface but with the wrong destination address.

Round 2:

I removed the customer config from the current VR and put them into a new VR, setup vr to vr routes. Same issue,

Does anyone know how i can get around this without using a separate VSYS (i havent tried yet, not 100% sure it will work)?

Re: Overlapping Subnets and NAT

reaper — Tue, 28 Mar 2017 12:17:27 GMT

is your customer capable of setting up NAT in their environment ?

you could route 192.168.0.0/24 to their gateway and they could nat it to a /24 of their choice

if there is a specific segment you need to be able to reach at their end you could use policy based forwarding as this redirects packets before they hit the routing table

Re: Overlapping Subnets and NAT

BrettBrown — Wed, 29 Mar 2017 03:54:58 GMT

Really trying to avoid having the customer setup something on their end, but yes it is a solution.

I dont think PBF will work as the lookup for the customer 10.10.0.0/16 will break connections to the internal 10.10.0.0/16 network.

Re: Overlapping Subnets and NAT

reaper — Wed, 29 Mar 2017 12:39:56 GMT

yeah PBF would only work for a select few ip's...

a very elaborate solution is to set up a second vsys with 2 interfaces (these can be subinterfaces)

it would need an 'internal' interface connected to your dmz or untrust so you can easily route and NAT, on a subnet of 172.16.0.0/30 for example

and an interface leading out to the customer's 10.10.0.0/16

vsys2 would have static NAT set for 192.168.0.0/16 to 10.10.0.0/16 (this would perform a one to one nat, only replacing the first 2 bytes)

vsys1 would then simply need to have source nat to hide your 10.10 range behind the 172.16.0.0/30 IP and a route leading to the second vsys