Advanced Routing - NAT for overlapping networks between 2 logical routers


L1 Bithead

Hi,

We have a Palo VM with advanced routing enabled.

We have 2 customers with overlapping networks (172.16.0.0/24). Those networks must be accessible by the same servers (in the connected network 10.1.1.0/24).
Customer1's network is routed via a static route to another router; Customer2's network is behind an IPSec VPN configured on the Palo VM.

We can't ask either customer to add NAT rules on their side.

The first solution that came to mind is to use destination NAT in order to hide the 2nd customer's network behind another one (10.2.2.0/24) on our side.

What we tried to do is to configure a 2nd logical router (LR2) for Customer2, configure the IPSec tunnel interface there, add a route for the Customer2 network 172.16.0.0/24 via tunnel1, and route 10.1.1.0/24 back to the main logical router (LR1). On LR1 we have a route for the translated Customer2 network (10.2.2.0/24) via LR2.

To access the Customer2 network from the servers we would use the 10.2.2.0/24 network and translate it to 172.16.0.0/24 when it leaves LR2 via the VPN.

It doesn't work because the NAT rule is applied before the routing decision is made: the destination is translated to 172.16.0.0/24 before the traffic is handled by LR2, and so it is routed to Customer1 instead of Customer2.

Do you have any idea how we can get around these limitations while still keeping traffic on the same firewall?

Thanks.

Regards,

Emilien RICHARD


3 REPLIES

L2 Linker

Well, the forwarding lookup happens first and then the NAT lookup; probably an issue with the route.

In the slowpath stage of the life of a packet, the forwarding lookup happens first, then the NAT lookup for the destination NAT.

Zain

Hi,

Yes, there is a first route lookup, then the destination NAT rule applies, but then another route lookup is done with the translated address. That's what poses a problem for us. We are looking for another way to do this kind of configuration; do you have other ideas?

Thanks.

See: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
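To make the lookup order discussed in this thread concrete, below is an added Python model of the two-logical-router topology. It is not code from the thread, from the poster, or from PAN-OS; the prefixes (10.1.1.0/24, 172.16.0.0/24, 10.2.2.0/24) and the LR1/LR2 split come from the question, while the next-hop labels, the exact shape of the DNAT rule and the route tables are constructed assumptions. It compares the order the poster observed (route lookup, destination NAT, second route lookup in the ingress router with the translated address) against the order they wanted (translation only after the packet has been handed to LR2), and shows why the first sends Customer2-bound traffic down Customer1's static route.

```python
import ipaddress

# Constructed topology modelling the thread (next-hop labels are assumptions).
# LR1 is the main logical router with the connected server network and the
# static route towards Customer1; LR2 holds the IPsec tunnel to Customer2.
LR1_ROUTES = {
    "10.1.1.0/24": "connected: servers",
    "172.16.0.0/24": "static: Customer1 router",
    "10.2.2.0/24": "next-lr: LR2",
}
LR2_ROUTES = {
    "172.16.0.0/24": "tunnel1: Customer2 VPN",
    "10.1.1.0/24": "next-lr: LR1",
}
# Destination NAT: substitute prefix the servers use for Customer2 -> Customer2's real prefix.
DNAT_RULES = [("10.2.2.0/24", "172.16.0.0/24")]


def lookup(routes, dst):
    """Longest-prefix-match route lookup; returns the next-hop label or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def apply_dnat(dst):
    """Rewrite dst if a DNAT rule matches, keeping the host part of the address."""
    addr = ipaddress.ip_address(dst)
    for orig_prefix, xlat_prefix in DNAT_RULES:
        orig = ipaddress.ip_network(orig_prefix)
        if addr in orig:
            xlat = ipaddress.ip_network(xlat_prefix)
            host_bits = int(addr) - int(orig.network_address)
            return str(xlat.network_address + host_bits)
    return dst


def forward_nat_before_routing(dst):
    """Order the thread describes: lookup in LR1, destination NAT, then a
    second lookup in LR1 using the translated address. Because 172.16.0.0/24
    in LR1 points at Customer1, Customer2 traffic is misrouted."""
    first = lookup(LR1_ROUTES, dst)
    translated = apply_dnat(dst)
    second = lookup(LR1_ROUTES, translated)
    return {"first_lookup": first, "translated_dst": translated, "egress": second}


def forward_nat_at_lr2_egress(dst):
    """Order the poster wanted (hypothetical, not a documented firewall mode):
    LR1 routes on the untranslated address into LR2, and only LR2 translates
    and routes, so the overlapping prefix is resolved inside LR2."""
    egress = lookup(LR1_ROUTES, dst)
    if egress != "next-lr: LR2":
        return {"translated_dst": dst, "egress": egress}
    translated = apply_dnat(dst)
    return {"translated_dst": translated, "egress": lookup(LR2_ROUTES, translated)}


if __name__ == "__main__":
    for dst in ("10.2.2.5", "172.16.0.5"):
        print(dst, "observed order ->", forward_nat_before_routing(dst))
        print(dst, "desired order  ->", forward_nat_at_lr2_egress(dst))
```

Running it for a server packet to 10.2.2.5 shows the first lookup correctly choosing LR2, the translation to 172.16.0.5, and the second lookup in LR1 then selecting Customer1's static route, which is exactly the symptom reported in the question.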

Cyber Elite

Hello,

Hopefully I understood the question. Check out this article on overlapping subnets.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSGCA0


Regards,
