topic Re: overlapping subnets in virtual router and NAT in General Topics

overlapping subnets in virtual router and NAT

faizankhurshid — Sat, 10 Feb 2018 08:32:32 GMT

I have two virtual routers say customer-1 and customer-2 having subnets 10.10.10.0/24 (overlapping subnet). Now internet connection line is on eth1/1 which is in default virtual router. Both customer-1 and customer-2 needs to access the internet but I am wondering how source NAT will work in this case?

Also for reverse traffic for 10.10.10.0/24 subnet in default route will work?

Thanks

Re: overlapping subnets in virtual router and NAT

reaper — Mon, 12 Feb 2018 07:43:40 GMT

overlapping subnets on different VR will not interfere unless you need them to converge, at which time you will get a conflict

a solution to this situation could be to implement separate VSYS (rather than just separating VR) and enabling the 'shared gateway' feature which automatically provides for this sort of situation

Alternatively you can look into using PBF with symmetric return which will keep track of the original source when forwarding packets, and returns the packets to the proper origin

Re: overlapping subnets in virtual router and NAT

faizankhurshid — Mon, 12 Feb 2018 10:43:04 GMT

Thanks for the reply.

For shared gateway solution, if traffic is initiated from 10.10.10.10 from VR1 (which is in VSYS1) and at the same time 10.10.10.10 from VR2 (which is in VSYS2) to internet through shared gateway (where source NAT is happening) then how I can define the reverse route for 10.10.10.0/24 in shared gateway?

Re: overlapping subnets in virtual router and NAT

reaper — Mon, 12 Feb 2018 10:58:06 GMT

I'm starting to think you will still need PBF, so simply implementing pbf will be your best shot without complicating things

Re: overlapping subnets in virtual router and NAT

faizankhurshid — Mon, 12 Feb 2018 16:26:47 GMT

Thanks for reply @reaper for destination NAT in shared gateway, say public IP 100.100.100.100 into 10.10.10.10 then again problem is after getting NAT, in which VSYS traffic will go?

Some vendor like Juniper implement this using routing instance (virtual router) aware NAT that associate the public IP to virtual router, mean after destination NAT in which routing instance routelookup wil happen for policy lookup and forwarding.

https://forums.juniper.net/t5/SRX-Services-Gateway/Overlapping-address-ranges-virtual-routers-and-NAT/td-p/106860

Is there any feature in Palo Alto to support this? As it is very important for multi-tenant (customers) enviornemnt where customer can share same private subnets.

Re: overlapping subnets in virtual router and NAT

faizankhurshid — Sat, 17 Feb 2018 15:06:37 GMT

@reaper your comments please

Re: overlapping subnets in virtual router and NAT

reaper — Mon, 19 Feb 2018 10:54:30 GMT

in your scenario the ideal solution would be to have eacht VR connected to the ISP independently, this will prevent collisions with your duplicate IP subnets

Re: overlapping subnets in virtual router and NAT

pulukas — Mon, 19 Feb 2018 11:16:50 GMT

I would setup NAT from one to a non-overlapping subnet on egress from the VR into the ISP VR.

This will give everything a unique address from the ISP VR perspective and return the traffic to the correct sources.

Re: overlapping subnets in virtual router and NAT

faizankhurshid — Mon, 19 Feb 2018 18:17:55 GMT

Thanks @reaper @pulukas for your comments

Re: overlapping subnets in virtual router and NAT

chtoh82 — Wed, 25 Mar 2020 07:54:42 GMT

Hi, sorry to bring this thread up as I happened to came across when searching for a solution to my issue.

So, I have a setup as below, I'm having 2 VSYS with overlapping subnet (Network A and B) in the trust interface, however, I also added secondary subnets in that same interface, however, this time, the secondary subnets are non overlapping.

What I did next was, from each VSYS A and VSYS B, configured Source NAT from Trust to External Zone, translated IP as the secondary subnet interface IP (ie 192.168.3.1 and 192.168.4.1 for VSYS A and B respectively), to reach out to a server in the untrust subnet located in the Main VSYS.

I also have routing configured respectively, as you can see from the diagram, however, I could not reach to the untrust subnet from both VSYS A and B.

Session browser showed connected sessions from both VSYS A and B trust zones to the Main VSYS untrust zones, with correct source and destination addresses with NAT-ed IP as well.

The following counter global were observed:

Session setup: no destination zone from forwarding

Packets dropped: no route

These counters indicated there there were no routing or routing was incorrect, however, fib route lookup from both VSYS A and B to Main VSYS to destination in untrust zone in main VSYS was successful. Route lookup from Main VSYS to VSYS A and B to destination of Source NAT-ed IP (192.168.3.1 and 4.1) was successful as well.

Therefore, could anyone verified if SourceNAT is supported in such intervsys routing design?

Re: overlapping subnets in virtual router and NAT

buck1 — Thu, 03 Feb 2022 15:09:13 GMT

Pulukas, do you have any examples of how to set this up? This scenario is exactly what I am trying to do, but having issues with the NAT statements needed to accomplish this. If I create a NAT policy to change source IPs to a non-overlapping subnet, then my outbound NAT rule doesn't seem to work. Seems like I can only get one or the other to work, not both. Thanks.

Re: overlapping subnets in virtual router and NAT

tnosal — Thu, 07 Jul 2022 06:32:00 GMT

I have the same case. Is there a solution?