https://live.paloaltonetworks.com/t5/general-topics/source-nat-on-a-ipsec-vpn-tunnel-due-to-overlapping-ip-space/m-p/333594#M84231 <P>Folks,</P><P>&nbsp;</P><P>Our team has been tasked to work on a VPN tunnel from a customer premises to our corporate DC.&nbsp;</P><P>The access would be unidirectional with the Customer accessing on-prem resources.</P><P>&nbsp;</P><P>The first challenge is that we have overlapping IP addresses at the customers end.</P><P>&nbsp;</P><P>Our team wants to use some NAT policies which will act like a 1:1 policy. i.e. we want to avoid a interface based NAT.</P><P>There should be some way of identifying the IP address individually on the IPS behind the VPN Palo Alto firewall.</P><P>Any suggestions?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN tunnel.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26208iED3E0A0BE31C68C8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="VPN tunnel.jpg" alt="VPN tunnel.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks!!</P><P>N.</P> Tue, 16 Jun 2020 07:41:48 GMT nson2139 2020-06-16T07:41:48Z https://live.paloaltonetworks.com/t5/general-topics/source-nat-on-a-ipsec-vpn-tunnel-due-to-overlapping-ip-space/m-p/333594#M84231 <P>Folks,</P><P>&nbsp;</P><P>Our team has been tasked to work on a VPN tunnel from a customer premises to our corporate DC.&nbsp;</P><P>The access would be unidirectional with the Customer accessing on-prem resources.</P><P>&nbsp;</P><P>The first challenge is that we have overlapping IP addresses at the customers end.</P><P>&nbsp;</P><P>Our team wants to use some NAT policies which will act like a 1:1 policy. i.e. we want to avoid a interface based NAT.</P><P>There should be some way of identifying the IP address individually on the IPS behind the VPN Palo Alto firewall.</P><P>Any suggestions?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN tunnel.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26208iED3E0A0BE31C68C8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="VPN tunnel.jpg" alt="VPN tunnel.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks!!</P><P>N.</P> Tue, 16 Jun 2020 07:41:48 GMT https://live.paloaltonetworks.com/t5/general-topics/source-nat-on-a-ipsec-vpn-tunnel-due-to-overlapping-ip-space/m-p/333594#M84231 nson2139 2020-06-16T07:41:48Z https://live.paloaltonetworks.com/t5/general-topics/source-nat-on-a-ipsec-vpn-tunnel-due-to-overlapping-ip-space/m-p/333681#M84247 <P>I would think you could do with a Dynamic IP NAT to achieve the 1:1 NAT you're wanting (see&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-nat/source-nat.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-nat/source-nat.html</A>&nbsp;).&nbsp; However, I think if you're doing this on the corporate side, you're going to have a problem with conflicting routes (10.10.10.0/24 is both down the tunnel, and on the LAN).&nbsp; If you could do this at the customer side before it crosses the tunnel, that might be better.<BR /><BR />EDIT:&nbsp; Actually, the more I think about it, that's going to cause the same problem on the other side then.&nbsp; Maybe you'll have to NAT both directions with two different pools that don't conflict with the 10.10.10.0/24 address.&nbsp; Maybe you translate 10.10.11.0/24 to 10.10.10.0/24 on the corp side, and you translate 10.10.12.0/24 to 10.10.10.0/24 on the client side or something like that.</P> Tue, 16 Jun 2020 18:19:14 GMT https://live.paloaltonetworks.com/t5/general-topics/source-nat-on-a-ipsec-vpn-tunnel-due-to-overlapping-ip-space/m-p/333681#M84247 OwenFuller 2020-06-16T18:19:14Z