need to configure IP-SEC VPN between 2 sites with overlapping networks problem

L1 Bithead


scenario

Site A

Any equipment IPSec firewall
internal interface: 172.16.0.1 255.255.0.0
external Interface: 20.1.1.10
Internal Network: 172.0.0.0/8

VPN proxy ID

Local: 172.16.0.0/16
Remote: 192.168.98.5/32

Site B

Equipment PA-2050
internal interface: 172.22.6.245
external Interface: 20.1.1.20
Internal Network: 172.0.0.0/8

VPN proxy IP

Local: 172.22.0.0/16
Remote: 192.168.98.5


A host 172.16.0.x in Site A needs to access the server (172.22.6.244) in Site B through the IPSec VPN tunnel.

Problem 1: The internal network in Site A has a VLAN with 172.22.0.0/8
Problem 2: The internal network in Site B has a VLAN with 172.16.0.0/24

How it works today with Cisco ASA:

- The host in Site A initiates a connection to the IP 192.168.98.5
- The PA-2050 performs dynamic NAT with source 172.16.0.0/24 to the IP 192.168.98.5
- The PA-2050 performs a static NAT with source 172.22.6.244 to 192.168.98.5


NAT ASA

NAT PA

Topology

My problem is that the return NAT does not work. Static NAT is not working properly on this Palo Alto!

L7 Applicator

Re: need to configure IP-SEC VPN between 2 sites with overlapping networks problem

Hello Netsul,

Could you please follow the doc "Configuring route based IPSec with overlapping networks" for the same, especially the NAT part for the PAN firewall?

Thanks

L1 Bithead

Re: need to configure IP-SEC VPN between 2 sites with overlapping networks problem

Hi

Hulk, I checked the document; the return NAT did not work.

L5 Sessionator

Re: need to configure IP-SEC VPN between 2 sites with overlapping networks problem

Hello Sir,

Your NAT policies should look like below:

Make sure that routing for 192.168.98.5/32 and 172.16.0.0/16 points to tunnel interface.

Assuming Out destination zone points to Tunnel interface.

Your security policies should look like below:

Regards,

Hari Yadavalli
