https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389316#M90616 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/92212">@jeremylo</a>&nbsp;</P><P>Why don't you apply a source NAT on Spoke 2 (hiding all requests to 172.16.200.62 behind the firewall interface 172.16.200.x)?</P> Fri, 05 Mar 2021 08:42:23 GMT JoergSchuetter 2021-03-05T08:42:23Z https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389297#M90615 <P>I have a working Hub &amp; Spoke VPN network. Computers in Spoke1 can reach the computers in Spoke2 and vice versa.&nbsp;</P><P>For some reason, a particular device in Spoke2 with IP 172.16.200.62 can only be reached by the computers in the same subnet.&nbsp;</P><P>I want to know is it possible to assign a 172.16.200.x IP address to the computers in Spoke1 when they attempt to connect to that special device. I'm not sure this will achieve my target or not, but at least I can learn a new NAT technique if such configuration does exist.</P><P>&nbsp;</P><P>The 3 firewalls below are PA-820.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HubAndSpoke.jpg" style="width: 697px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30197i33D50493100B6F2B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="HubAndSpoke.jpg" alt="HubAndSpoke.jpg" /></span></P> Fri, 05 Mar 2021 08:17:11 GMT https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389297#M90615 jeremylo 2021-03-05T08:17:11Z https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389316#M90616 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/92212">@jeremylo</a>&nbsp;</P><P>Why don't you apply a source NAT on Spoke 2 (hiding all requests to 172.16.200.62 behind the firewall interface 172.16.200.x)?</P> Fri, 05 Mar 2021 08:42:23 GMT https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389316#M90616 JoergSchuetter 2021-03-05T08:42:23Z https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389462#M90626 <P>Hello,</P><P>&nbsp;</P><P>Simple fix for this is by creating a NAT rule</P><P>Nat from Spoke1 to Spoke2 -</P><P>Source Zone - Tunnel Interface Spoke1</P><P>Source IP Address - 192.168.100.0/24</P><P>Destination Zone&nbsp; - Tunnel Interface Spoke2</P><P>Destination Address - 172.16.200.0/24</P><P>Source Translation - Dynamic IP and Port</P><P>Translated IP - 172.16.200.100</P><P>&nbsp;</P><P>I hope this will help</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Mar 2021 19:02:25 GMT https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389462#M90626 Pawel_G 2021-03-05T19:02:25Z https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389637#M90634 <P>Bingo! It works!</P><P>Thanks Pawel.</P> Mon, 08 Mar 2021 02:00:18 GMT https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389637#M90634 jeremylo 2021-03-08T02:00:18Z https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389639#M90635 <P>Hello Joerg,</P><P>This is a solution too. However, I also want to keep track of which computer in Spoke1 have connected to Spoke2.</P> Mon, 08 Mar 2021 01:59:28 GMT https://live.paloaltonetworks.com/t5/general-topics/special-nat-configuration-asking-about-possibility/m-p/389639#M90635 jeremylo 2021-03-08T01:59:28Z