topic Re: Help with IPSEC VPN with overlapping subnets in General Topics

Help with IPSEC VPN with overlapping subnets

portugueese — Wed, 15 Nov 2017 21:03:42 GMT

I'm working with a vendor to setup an IPSEC VPN but we have an overlapping host address. My side has a PA500 and their side is a Sonicwall.

Palo Alto Side:

Source server: 192.168.100.20

Their Server: 192.168.100.85

My server NAT address: 10.0.0.20

Their Server NAT address: 10.0.1.85

I've configured a NAT rule that goes from Trust to Tunnel Zone:

Dest Interface: Tunnel.10

Source IP: 192.168.100.20 all ports

Destination IP: 10.0.1.85 all ports

Source Translation Static NAT: 10.0.0.20

Bi-Directional NAT - Checked

My firewall policies:

Trust to Tunnel Zone:

Allow 192.168.100.20 to reach 10.0.1.85

Allow 10.0.0.20 to reach 10.0.1.85

Tunnel to Trust Zone:

Allow 10.0.1.85 to reach 192.168.100.20

Allow 10.0.1.85 to reach 10.0.0.20

Proxy IDs:

Allow 10.0.0.20 to 10.0.1.85

------------------

The vendor has said they did the same on their side and the VPN is up but I am only see 1 way communication. I can ping them from my server and the NAT works fine, but they can't reach my server at all.

Has anyone run into this issue that could point me in the right direction? Any help is greatly appreciated.

Re: Help with IPSEC VPN with overlapping subnets

DonohoeRobert — Sat, 25 Nov 2017 00:42:58 GMT

hi mate,

there is a link below with a tech doc on this.

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Configuring-route-based-IPSec-with-overlapping-networks/ta-p/53337

cheers,

Rob

Re: Help with IPSEC VPN with overlapping subnets

portugueese — Mon, 27 Nov 2017 20:19:31 GMT

Hey Rob,

Thanks for the reply. I had followed the doc you linked before and it doesn't work. I did get this to work last week by adding a static route to 10.0.0.0 into the tunnel on my side. They also had to add a route for 10.0.1.0 into the tunnel on theirs.

I don't understand why I needed a route added to the tunnel for a local network but it worked and traffic is flowing correctly now.

To summarize in case anyone comes across this issue and needs it, see the changes in bold:

Palo Alto Side:

Source server: 192.168.100.20
Their Server: 192.168.100.85

My server NAT address: 10.0.0.20
Their Server NAT address: 10.0.1.85

I've configured a NAT rule that goes from Trust to Tunnel Zone:

Dest Interface: Tunnel.10
Source IP: 192.168.100.20 all ports
Destination IP: 10.0.1.85 all ports
Source Translation Static NAT: 10.0.0.20
Bi-Directional NAT - Checked

My routes:

10.0.1.85/24 routed into Tunnel.10

10.0.0.20/24 routed into Tunnel.10

Their routes:

10.0.0.20/24 routed into Tunnel.10

10.0.1.85/24 routed into Tunnel.10

My firewall policies:

Trust to Tunnel Zone:
Allow 192.168.100.20 to reach 10.0.1.85
Allow 10.0.0.20 to reach 10.0.1.85

Tunnel to Trust Zone:
Allow 10.0.1.85 to reach 192.168.100.20
Allow 10.0.1.85 to reach 10.0.0.20

Proxy IDs:

Allow 10.0.0.20 to 10.0.1.85