overlapping subnets in virtual router and NAT

L3 Networker

overlapping subnets in virtual router and NAT

Hi

 

I have two virtual routers, say customer-1 and customer-2, both having the subnet 10.10.10.0/24 (overlapping subnet). Now the internet connection line is on eth1/1, which is in the default virtual router. Both customer-1 and customer-2 need to access the internet, but I am wondering how source NAT will work in this case?

Also, will reverse traffic for the 10.10.10.0/24 subnet in the default route work?

 

Thanks

Community Manager

Re: overlapping subnets in virtual router and NAT

Overlapping subnets on different VRs will not interfere unless you need them to converge, at which point you will get a conflict.

 

A solution to this situation could be to implement separate VSYS (rather than just separating VRs) and enable the 'shared gateway' feature, which automatically provides for this sort of situation.

 

Alternatively, you can look into using PBF with symmetric return, which will keep track of the original source when forwarding packets and return the packets to the proper origin.


Help the community: Like helpful comments and mark solutions
Reaper out
L3 Networker

Re: overlapping subnets in virtual router and NAT

Thanks for the reply.

 

For the shared gateway solution, if traffic is initiated from 10.10.10.10 in VR1 (which is in VSYS1) and at the same time from 10.10.10.10 in VR2 (which is in VSYS2) to the internet through the shared gateway (where source NAT is happening), then how can I define the reverse route for 10.10.10.0/24 in the shared gateway?

Community Manager

Re: overlapping subnets in virtual router and NAT

I'm starting to think you will still need PBF, so simply implementing PBF will be your best shot without complicating things.

Reaper out
L3 Networker

Re: overlapping subnets in virtual router and NAT

Thanks for the reply @reaper. For destination NAT in the shared gateway, say public IP 100.100.100.100 into 10.10.10.10, then again the problem is: after the NAT, into which VSYS will the traffic go?

 

Some vendors like Juniper implement this using routing-instance (virtual router) aware NAT that associates the public IP with a virtual router, meaning that after destination NAT it is known in which routing instance the route lookup will happen for policy lookup and forwarding.

 

https://forums.juniper.net/t5/SRX-Services-Gateway/Overlapping-address-ranges-virtual-routers-and-NA...

 

Is there any feature in Palo Alto to support this? It is very important for multi-tenant (customer) environments where customers can share the same private subnets.

L3 Networker

Re: overlapping subnets in virtual router and NAT

@reaper your comments please

Community Manager

Re: overlapping subnets in virtual router and NAT

In your scenario the ideal solution would be to have each VR connected to the ISP independently; this will prevent collisions with your duplicate IP subnets.

Reaper out
L7 Applicator

Re: overlapping subnets in virtual router and NAT

I would set up NAT from one to a non-overlapping subnet on egress from the VR into the ISP VR.

 

This will give everything a unique address from the ISP VR perspective and return the traffic to the correct sources.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
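To make the per-VR egress NAT idea above concrete, here is a small added Python model (not code from the thread or from Palo Alto) of the ISP VR's reverse route lookup. It assumes two customer VRs that both use 10.10.10.0/24 and, as an assumption for the example, translates them on egress into the unique ranges 10.1.1.0/24 and 10.2.2.0/24 so the ISP VR can route replies back to the right tenant.

```python
import ipaddress

# Constructed scenario from the thread: two customer virtual routers that both
# use 10.10.10.0/24, and a default (ISP) virtual router that owns the uplink.
OVERLAP = ipaddress.ip_network("10.10.10.0/24")

# Static 1:1 source NAT applied on egress from each customer VR into the ISP VR.
# The translated ranges are assumptions for this example, not values from the thread.
EGRESS_NAT = {
    "customer-1": (OVERLAP, ipaddress.ip_network("10.1.1.0/24")),
    "customer-2": (OVERLAP, ipaddress.ip_network("10.2.2.0/24")),
}


def translate(vr, src_ip):
    """Keep the host part of the address, swap in the VR's unique network part."""
    original, translated = EGRESS_NAT[vr]
    host_offset = int(src_ip) - int(original.network_address)
    return translated.network_address + host_offset


def untranslate(translated_ip):
    """Reverse the egress NAT: which VR and original host own this address?"""
    for vr, (original, translated) in EGRESS_NAT.items():
        if translated_ip in translated:
            host_offset = int(translated_ip) - int(translated.network_address)
            return vr, original.network_address + host_offset
    raise LookupError(f"no egress NAT covers {translated_ip}")


def isp_vr_next_hop(routes, dst_ip):
    """Longest-prefix match over the ISP VR's table; returns the next-hop VR."""
    best = None
    for prefix, next_vr in routes:
        if dst_ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_vr)
    return best[1] if best else None


def reply_destination(vr, src_ip, with_egress_nat):
    """Which VR and host receive the reply for a flow that left `vr` from `src_ip`?"""
    src_ip = ipaddress.ip_address(src_ip)
    if not with_egress_nat:
        # Both customer VRs inject the same 10.10.10.0/24; the first entry wins,
        # so replies for one tenant can land in the other tenant's VR.
        routes = [(OVERLAP, "customer-1"), (OVERLAP, "customer-2")]
        return isp_vr_next_hop(routes, src_ip), src_ip
    # With egress NAT the ISP VR holds one distinct route per translated range.
    routes = [(translated, name) for name, (_, translated) in EGRESS_NAT.items()]
    wire_ip = translate(vr, src_ip)
    next_vr = isp_vr_next_hop(routes, wire_ip)
    # The receiving customer VR undoes its own egress NAT before delivery.
    return next_vr, untranslate(wire_ip)[1]
```

Running `reply_destination("customer-2", "10.10.10.10", False)` shows the reply routed to customer-1, while the same call with `True` returns it to customer-2 at 10.10.10.10.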
L3 Networker

Re: overlapping subnets in virtual router and NAT

Thanks @reaper @pulukas for your comments.