topic Re: nat before vpn tunnel use case question in General Topics

nat before vpn tunnel use case question

Tsquared — Wed, 07 Feb 2018 20:28:10 GMT

Hello I am looking to understand if what I am trying to accomplish will work. Given a PAN connecting to an ASA using a L2L IPSec VPN Tunnel to access two distinct ip addresses behind the ASA. Now these IP Addresses are duplicated on the LAN the PAN connects, essentially overlapping. I know what to do in an ASA. But for the Pan I want my logic checked. The goal here is two use two ip addresses on the PAN Side that doesnt overlap so users can access the devices behind the ASA. I would do a 1to1 NAT for each and I hope in theory that the order of operations (anyone ahve this?) would allow for NAT before the packets are placed in the tunnel. The tunnel I would build like any other, using host routes to the IPs behind the ASA. Am I correct in how I would envision this working? Are there any gotchas or caveats for this use case?

Thank you

Re: nat before vpn tunnel use case question

MohamedSharief — Wed, 07 Feb 2018 21:02:19 GMT

Never experienced this but I think source NAT will do the trick.

Re: nat before vpn tunnel use case question

OtakarKlier — Wed, 07 Feb 2018 22:31:31 GMT

Hello,

Is what you are experiencing similar to the following?

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlapping-IPs/ta-p/69123

Regards,

Re: nat before vpn tunnel use case question

reaper — Thu, 08 Feb 2018 11:03:57 GMT

In case of overlapping IP addresses on both sites, and you only need to make a unidirectional connection (from you to the remote servers) you would set up source nat on your end, and destination nat on the remote end:

your sources would hide behind a subnet/IP not existing on the remote site so they can easily route back reply packets into the tunnel while the remote end would apply destination translation on your incoming packets to hit the desired 2 servers (if they ever need to perform maintenance or replace the servers this will also grant them direct control to change the destinations)

your clients would be connecting to fictitious destination IPs you can static route into the tunnel

if you have an internal DNS server you could give these IP addresses a friendly hostname

Re: nat before vpn tunnel use case question

Tsquared — Thu, 08 Feb 2018 19:24:52 GMT

Thank you all for your replies and this like was exactly what I needed!