https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-nat-issue/m-p/292017#M77331 <P>I have a VPN request where&nbsp; peer's IP range is conflicting with one of my internal IP range.&nbsp;</P><P>They are asking me if I can do a NAT on my end to resolve it but based on my experience it must be them who should do a NAT.&nbsp;</P><P>please correct me if I'm wrong.</P> Tue, 08 Oct 2019 20:02:11 GMT SThatipelly 2019-10-08T20:02:11Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-nat-issue/m-p/292017#M77331 <P>I have a VPN request where&nbsp; peer's IP range is conflicting with one of my internal IP range.&nbsp;</P><P>They are asking me if I can do a NAT on my end to resolve it but based on my experience it must be them who should do a NAT.&nbsp;</P><P>please correct me if I'm wrong.</P> Tue, 08 Oct 2019 20:02:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-nat-issue/m-p/292017#M77331 SThatipelly 2019-10-08T20:02:11Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-nat-issue/m-p/292045#M77332 <P>Here is the way I would recommend that you do it...</P><P>&nbsp;</P><P>Scenario is overlapping subnets on both side of IPSec Tunnel.</P><P>Both sides need to NAT, to give the remote sides a different appearance/subnet.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vpnnat.png" style="width: 892px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21732iB3E9C946086C8884/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="vpnnat.png" alt="vpnnat.png" /></span></P><P>&nbsp;</P><P>2) A different option may be (not sure) to only SNAT from the remote side, inbound to your environment.</P><P>&nbsp;</P><P>Different from the top example.</P><P>Both remote and local sites have overlapping subnets.</P><P>&nbsp;</P><P>when traffic from remote side enters your FW, you SNAT it, and send it, inbound to your network, with bidirectional enabled.</P><P>Now a user/server, etc, will send back traffic to the SNAT'd address, and your FW will strip off the SNAT and send to the correct source address, across the VPN.</P><P>&nbsp;</P><P>Questions??? <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P><P>&nbsp;</P><P>Let me know.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2ndoption.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21733i19F8DC26A071FB6E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2ndoption.png" alt="2ndoption.png" /></span></P><P>&nbsp;</P> Wed, 09 Oct 2019 01:36:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-nat-issue/m-p/292045#M77332 S.Cantwell 2019-10-09T01:36:58Z