topic Re: Routes between VPN tunnels in General Topics

Routes between VPN tunnels

Metgatz — Wed, 19 May 2021 23:40:53 GMT

Currently on the Palo Alto firewall, there are 4 IPSEC VPN Tunnels.

The issue is the following, a sub network of a Tunnel, tunnel that we will call TUNEL-A01, must be able to reach a destination that its destination is in another tunnel, we will call TUNEL-B01, that has the Palo Alto and at the same time be able to USE/apply NAT, when arriving from the TUNEL-A01 the origin, apply NAT and send it to the destination in the TUNEL-B01.

Is this configuration supported by Palo Alto ? Traffic between IPSEC VPN tunnels more SNAT to another Tunnel.

I remain attentive, thank you very much

Re: Routes between VPN tunnels

reaper — Thu, 20 May 2021 07:32:42 GMT

since Palo ipsec tunnels are route-based you can do all the same things as a regular interface

as long as both spokes (remote sites) have a route leading into the tunnel for the desired destination IP, they will send it into the tunnel

if you then apply NAT in the middle, that will work as long as there are no conflicts (using the same IP on both sides)

is there overlap, or are you simply hiding the source subnet? without overlap this is an easy setup (hide-nat behind an IP on the hub)

Re: Routes between VPN tunnels

OtakarKlier — Thu, 20 May 2021 16:44:11 GMT

Hello,

I use OSPF, very simple to setup and all the PAN's know all the routes. Then access is determined by security policies.

Regards,

Re: Routes between VPN tunnels

Metgatz — Thu, 20 May 2021 18:23:57 GMT

I attach a summary, in the image is the detail, thank you very much.

Re: Routes between VPN tunnels

Metgatz — Thu, 20 May 2021 21:02:52 GMT

Hello, thanks for the answer, friend what do you mean by both sides there is no conflict, do you mean conflicts in the sub network, I understand I only want and I must apply the SNAT on the Palo Alto the Source NAT, and I will also apply a Destination NAT, for the source connections 134.54.120.X/21.

I remain attentive, thank you

Re: Routes between VPN tunnels

Metgatz — Thu, 20 May 2021 21:05:57 GMT

It's not just PAN, there's Cisco ASA, Fortinet, while it's technically feasible to use OSFP, I only have control and see the PAN part. Attach a diagram.
Best regards and thank you

Re: Routes between VPN tunnels

OtakarKlier — Thu, 20 May 2021 21:08:34 GMT

Hello,

Understood. Then static routes should suffice. What Reaper was saying about conflicts is if you have (using the same IP on both sides). Say site A and B both use 192.168.10.0/24. If they all have different subnets, then you dont have to worry about this.

Regards,

Re: Routes between VPN tunnels

Metgatz — Thu, 20 May 2021 21:20:02 GMT

They are different sub networks. The issue is from the network 134.54.120.0/21 destination 172.16.15.0/24 a DNAT is applied, using an IP of the loopback interfaces ( 123.55.58.X ) being this range the origin, of the connections.
134.54.120.x----DNAT 123.55.58.x ---DNAT---Destination 172.16.15.X/24.

I understand that the 172.16.15.0/24 network site, for the return traffic, must have the return routes, i.e. the route to the 134.54.120.0/21 and that of the NAT 123.55.58.0/24.
Support with the diagram, thank you very much.

Re: Routes between VPN tunnels

Metgatz — Sat, 22 May 2021 00:53:39 GMT

@OtakarKlier

I understand that the 172.16.15.0/24 network site, the Fortinet, for the routing and for the return traffic, must have the return routes, i.e. the route to the 134.54.120.0/21 and the 123.55.58.0/24 ( Network for the nat - Loopback in the Palo Alto )
Support with the diagram, thank you very much.