I have two virtual routers say customer-1 and customer-2 having subnets 10.10.10.0/24 (overlapping subnet). Now internet connection line is on eth1/1 which is in default virtual router. Both customer-1 and customer-2 needs to access the internet but I am wondering how source NAT will work in this case?
Also for reverse traffic for 10.10.10.0/24 subnet in default route will work?
Solved! Go to Solution.
overlapping subnets on different VR will not interfere unless you need them to converge, at which time you will get a conflict
a solution to this situation could be to implement separate VSYS (rather than just separating VR) and enabling the 'shared gateway' feature which automatically provides for this sort of situation
Alternatively you can look into using PBF with symmetric return which will keep track of the original source when forwarding packets, and returns the packets to the proper origin
Thanks for the reply.
For shared gateway solution, if traffic is initiated from 10.10.10.10 from VR1 (which is in VSYS1) and at the same time 10.10.10.10 from VR2 (which is in VSYS2) to internet through shared gateway (where source NAT is happening) then how I can define the reverse route for 10.10.10.0/24 in shared gateway?
I'm starting to think you will still need PBF, so simply implementing pbf will be your best shot without complicating things
Thanks for reply @reaper for destination NAT in shared gateway, say public IP 100.100.100.100 into 10.10.10.10 then again problem is after getting NAT, in which VSYS traffic will go?
Some vendor like Juniper implement this using routing instance (virtual router) aware NAT that associate the public IP to virtual router, mean after destination NAT in which routing instance routelookup wil happen for policy lookup and forwarding.
Is there any feature in Palo Alto to support this? As it is very important for multi-tenant (customers) enviornemnt where customer can share same private subnets.
in your scenario the ideal solution would be to have eacht VR connected to the ISP independently, this will prevent collisions with your duplicate IP subnets
I would setup NAT from one to a non-overlapping subnet on egress from the VR into the ISP VR.
This will give everything a unique address from the ISP VR perspective and return the traffic to the correct sources.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!