https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/191510#M57673 <P>hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56398">@OMatlock</a></P> <P>&nbsp;</P> <P>if your peer is a route-based vpn capable device, you don't need proxy IDs (just fyi)</P> <P>&nbsp;</P> <P>if you have subnet overlap with the remote peer, you can fake both source and destination network</P> <P>&nbsp;</P> <P>eg both networks are 192.168.0.0/24, you could source nat 10.0.0.0/24 destination nat 10.0.1.0/24</P> <P>then the remote end would translate inbound 10.0.1.0/24 to local 192.168.0.0/24 equivalent and leave the 'original' received 10.0.0.0/24 source IPs</P> Wed, 13 Dec 2017 12:35:07 GMT reaper 2017-12-13T12:35:07Z https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/191403#M57658 <P>Hi folks,</P><P>&nbsp;</P><P>We have several IPSec VPN connections and luckily so far all with unique Proxy IDs.</P><P>I am trying to prepare when I create a new one and has the same Proxy ID as another.</P><P>I see this article and talks about creating a NAT both ways.</P><P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlapping-IPs/ta-p/69123" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlapping-IPs/ta-p/69123</A></P><P>&nbsp;</P><P>I wonder if there is a way to create the NAT for an entire network ID or subnet to translate to another?</P><P>Or are many NAT entries necessary?</P><P>&nbsp;</P><P>Just checking if anyone may have comments or example?</P><P>&nbsp;</P> Tue, 12 Dec 2017 22:09:45 GMT https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/191403#M57658 OMatlock 2017-12-12T22:09:45Z https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/191510#M57673 <P>hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56398">@OMatlock</a></P> <P>&nbsp;</P> <P>if your peer is a route-based vpn capable device, you don't need proxy IDs (just fyi)</P> <P>&nbsp;</P> <P>if you have subnet overlap with the remote peer, you can fake both source and destination network</P> <P>&nbsp;</P> <P>eg both networks are 192.168.0.0/24, you could source nat 10.0.0.0/24 destination nat 10.0.1.0/24</P> <P>then the remote end would translate inbound 10.0.1.0/24 to local 192.168.0.0/24 equivalent and leave the 'original' received 10.0.0.0/24 source IPs</P> Wed, 13 Dec 2017 12:35:07 GMT https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/191510#M57673 reaper 2017-12-13T12:35:07Z https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192264#M57772 <P>Sounds like you are talking about having to deal with overlapping subnets between your multiple remote vendor networks.&nbsp; Yes you would have to use NAT then to overcome the routing overlap.&nbsp; This is the kb for overlapping subnets on vpn for PAN.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Configuring-route-based-IPSec-with-overlapping-networks/ta-p/53337" target="_blank">https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Configuring-route-based-IPSec-with-overlapping-networks/ta-p/53337</A></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 19 Dec 2017 13:27:37 GMT https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192264#M57772 pulukas 2017-12-19T13:27:37Z https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192326#M57782 <P>Thank you for that.&nbsp; This document is most helpful!&nbsp; I wondering if I can just configure NAT on one side (our firewall only)?</P><P>I plan to setup a test like this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ipsecoverlapa.jpg" style="width: 791px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13047iB2B581882897BC3C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ipsecoverlapa.jpg" alt="ipsecoverlapa.jpg" /></span></P><P>&nbsp;</P> Tue, 19 Dec 2017 21:12:40 GMT https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192326#M57782 OMatlock 2017-12-19T21:12:40Z https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192706#M57858 <P>In your situation there is not a full overlap with the same ip address on both sides of the tunnel.&nbsp; Your hub site is the only one with the overlapping subnet.&nbsp; So you cannot solve this without the nat occuring on one of the two remote partners.</P><P>&nbsp;</P><P>Your side will configure a normally with the nat subnet range as a normal object.</P><P>&nbsp;</P><P>The actual nat occurs on the partner side on their device where they configure both the nat and use the nat range for the vpn configuration for their subnet as a static network to network nat.</P><P>&nbsp;</P> Thu, 21 Dec 2017 14:15:23 GMT https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192706#M57858 pulukas 2017-12-21T14:15:23Z https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192776#M57870 <P>Thank you again.</P><P>I need to set this up in a test.</P> Thu, 21 Dec 2017 21:55:59 GMT https://live.paloaltonetworks.com/t5/general-topics/what-to-do-when-ipsec-vpn-proxy-ids-are-the-same/m-p/192776#M57870 OMatlock 2017-12-21T21:55:59Z