nat before vpn tunnel use case question

L0 Member

Hello, I am looking to understand if what I am trying to accomplish will work. Given a PAN connecting to an ASA using an L2L IPsec VPN tunnel to access two distinct IP addresses behind the ASA. Now these IP addresses are duplicated on the LAN the PAN connects to, essentially overlapping. I know what to do in an ASA, but for the PAN I want my logic checked. The goal here is to use two IP addresses on the PAN side that don't overlap so users can access the devices behind the ASA. I would do a 1-to-1 NAT for each and I hope, in theory, that the order of operations (anyone have this?) would allow for NAT before the packets are placed in the tunnel. The tunnel I would build like any other, using host routes to the IPs behind the ASA. Am I correct in how I would envision this working? Are there any gotchas or caveats for this use case?

Thank you

L4 Transporter

Re: nat before vpn tunnel use case question

Never experienced this but I think source NAT will do the trick.

Regards,
Sharief
L7 Applicator

Re: nat before vpn tunnel use case question

Hello,

Is what you are experiencing similar to the following?

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlappi...

Regards,

Community Manager

Re: nat before vpn tunnel use case question

In case of overlapping IP addresses on both sites, and you only need to make a unidirectional connection (from you to the remote servers), you would set up source NAT on your end and destination NAT on the remote end:

Your sources would hide behind a subnet/IP not existing on the remote site so they can easily route reply packets back into the tunnel, while the remote end would apply destination translation on your incoming packets to hit the desired 2 servers (if they ever need to perform maintenance or replace the servers, this will also grant them direct control to change the destinations).

Your clients would be connecting to fictitious destination IPs you can static-route into the tunnel.

If you have an internal DNS server, you could give these IP addresses a friendly hostname.

Reaper out
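To make the design above concrete (source NAT on the PAN side, destination NAT on the ASA side, fictitious destinations static-routed into the tunnel), here is an added Python model of the packet path; it is example code written for this page, not from the thread or from Palo Alto Networks. All addresses, interface names and the modelled order of operations (route lookup on the original destination, NAT applied before IPsec encapsulation) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (example values, not from the thread): both sites use
# 192.168.1.0/24; the two devices behind the ASA are 192.168.1.10 and .20.
LOCAL_LAN = ip_network("192.168.1.0/24")    # LAN behind the PAN
REMOTE_LAN = ip_network("192.168.1.0/24")   # LAN behind the ASA: same range, the overlap
SNAT_POOL = ip_network("172.16.50.0/24")    # PAN-side hide range, does not exist behind the ASA
FICTITIOUS = {"10.99.0.10": "192.168.1.10", # what local clients dial -> real device IP
              "10.99.0.20": "192.168.1.20"}

def pan_route(dst):
    """Host routes for the fictitious IPs point into the tunnel; everything else stays on the LAN."""
    return "tunnel.1" if dst in FICTITIOUS else "ethernet1/2"

def pan_egress(src, dst, source_nat=True):
    """Modelled PAN order of operations: the route lookup on the ORIGINAL destination picks
    the egress interface, the NAT rule matching the pre-NAT addresses is applied next, and
    only the translated packet is handed to IPsec (so proxy-IDs must use translated addresses)."""
    egress = pan_route(dst)
    if egress == "tunnel.1" and source_nat:          # static 1:1 NAT: keep the host part
        offset = int(ip_address(src)) - int(LOCAL_LAN.network_address)
        src = str(SNAT_POOL.network_address + offset)
    return egress, src, dst

def asa_deliver_and_reply(src, dst):
    """ASA side: destination NAT the fictitious IP to the real device, then build the reply.
    The reply only goes back into the tunnel if its destination is NOT a local ASA address."""
    real_device = FICTITIOUS[dst]
    reply_src, reply_dst = dst, src                   # DNAT reversed on the way out
    routed_into_tunnel = ip_address(reply_dst) not in REMOTE_LAN
    return real_device, reply_src, reply_dst, routed_into_tunnel

def round_trip(client, fictitious_dst, source_nat=True):
    """Follow one request and its reply; returns what went into the tunnel and whether the
    reply makes it home. With source_nat=False the reply is addressed to an IP that also
    exists on the ASA's own LAN, so the ASA never sends it back through the tunnel."""
    egress, tun_src, tun_dst = pan_egress(client, fictitious_dst, source_nat)
    real_device, _, reply_dst, ok = asa_deliver_and_reply(tun_src, tun_dst)
    if ok and source_nat:                             # PAN undoes the source NAT for the reply
        offset = int(ip_address(reply_dst)) - int(SNAT_POOL.network_address)
        reply_dst = str(LOCAL_LAN.network_address + offset)
    return {"egress": egress, "tunnel_src": tun_src, "tunnel_dst": tun_dst,
            "real_device": real_device, "reply_reaches_client": ok and reply_dst == client}

if __name__ == "__main__":
    print(round_trip("192.168.1.50", "10.99.0.10"))
    print(round_trip("192.168.1.50", "10.99.0.10", source_nat=False))
```

The second call shows the failure mode the reply above warns about: without source NAT the returning packet is addressed to an IP that also exists behind the ASA, so it is never routed back into the tunnel.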
L0 Member

Re: nat before vpn tunnel use case question

Thank you all for your replies, and this link was exactly what I needed!
