https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206472#M60588 <P>This may be possible by creating multiple VSYS and then a transit zone, but I would be really careful&nbsp;with having the same IP subnets on the same firewall in the same VSYS.&nbsp; We ran into an issue where we had the same public facing network on outside multiple interfaces and ran into an issue where bi-directional NAT feature did not work as it would randomly chose to start advertising the MAC address on an interface that did not have rules for that particular NATed IP.&nbsp; We had to then create both inbound and outbound&nbsp;NAT rules.&nbsp; Not even sure how this would look or what potential issues you could run into.</P><P>&nbsp;</P><P>In our case we have a separate&nbsp;firewall for sandbox&nbsp;testing.&nbsp;</P><P>&nbsp;</P><P>- Matt</P> Mon, 19 Mar 2018 20:54:50 GMT mlinsemier 2018-03-19T20:54:50Z https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206457#M60585 <P>Hi folks,</P><P>&nbsp;</P><P>I am being asked to create a duplicate network that will service VM clones of production VMs for testing and development purposes (without changing their IP or anything else).&nbsp; We have something similar at a different site using "transit" zones and individual NAT rules (that I did not configure), but this task is a bit different from that.</P><P>&nbsp;</P><P>I need a L3 interface to represent this duplicate network, to eventually communicate to the internet.</P><P>I am trying this small test first.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Is there a way to NAT the IP of devices (and maybe gateway IP) to communicate to a unique L3 interface on the firewall?</P><P>&nbsp;</P><P>I assume separate zones and virtual routers will keep the traffic separate, looking for suggestions for the NAT rules to accomplish.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="replica_diagram.jpg" style="width: 379px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14327iB3CA6F3414AD01BF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="replica_diagram.jpg" alt="replica_diagram.jpg" /></span></P><P>&nbsp;</P> Mon, 19 Mar 2018 20:17:28 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206457#M60585 OMatlock 2018-03-19T20:17:28Z https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206472#M60588 <P>This may be possible by creating multiple VSYS and then a transit zone, but I would be really careful&nbsp;with having the same IP subnets on the same firewall in the same VSYS.&nbsp; We ran into an issue where we had the same public facing network on outside multiple interfaces and ran into an issue where bi-directional NAT feature did not work as it would randomly chose to start advertising the MAC address on an interface that did not have rules for that particular NATed IP.&nbsp; We had to then create both inbound and outbound&nbsp;NAT rules.&nbsp; Not even sure how this would look or what potential issues you could run into.</P><P>&nbsp;</P><P>In our case we have a separate&nbsp;firewall for sandbox&nbsp;testing.&nbsp;</P><P>&nbsp;</P><P>- Matt</P> Mon, 19 Mar 2018 20:54:50 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206472#M60588 mlinsemier 2018-03-19T20:54:50Z https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206551#M60606 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56398">@OMatlock</a>,</P><P>I would say that the only way to properly do this is by having multiple VSYS as already mentioned by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7143">@mlinsemier</a>. That would allow you to keep the traffic fully seperated and only allow inter-VSYS communications exactly where needed. This also ensures that you can build out security policies for your test/dev enviroment that will&nbsp;<EM>never</EM> apply to your production traffic until you actually role out to production.&nbsp;</P> Tue, 20 Mar 2018 13:09:29 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206551#M60606 BPry 2018-03-20T13:09:29Z https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206601#M60621 <P>Thank you guys for the feedback.&nbsp; I just created my first transit network (without a new vsys).</P><P>But still need to configure it in a more specific way.</P><P>&nbsp;</P><P>I am in process of that and researching creating a new vsys.&nbsp; Will report back, update, and close this week.</P> Tue, 20 Mar 2018 19:46:27 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-a-duplicate-network/m-p/206601#M60621 OMatlock 2018-03-20T19:46:27Z