Hi,
We have a Palo VM with advanced routing enabled.
We have 2 customers with overlapping networks (172.16.0.0/24). Those networks must be accessible by the same servers (in connected network 10.1.1.0/24).
Customer1 network is routed via a static route to another router, Customer2 network is behind a IPSec VPN configured on the Palo VM.
We can't ask any customer to add NAT rules on their side.
The first solution that came in our mind is to use destination NAT in order to hide the 2nd customer network with another one (10.2.2.0/24) on our side.
What we tried to do is to configure a 2nd logical router (LR2) for customer 2, configure the IPSec tunnel interface there it, add Customer2 network 172.16.0.0/24 route via tunnel1 and to route 10.1.1.0/24 back to main logical router (LR1). On LR1 we have a route for the translated Customer2 network (10.2.2.0/24) via LR2.
To access Customer2 network from servers we would use 10.2.2.0/24 network and translate it to 172.16.0.0/24 when it leaves LR2 via VPN.
It doesn't work because the NAT rule is applied before the routing decision is made because the destination is translated to 172.16.0.0/24 before trafic being handle by LR2 and so is routed to Customer1 instead of Customer2.
Do you have any idea how we can get around these limitations while still keeping traffic on the same firewall?
Thanks.
Regards,
Emilien RICHARD
Hi
Yes, there is a first route lookup then destination NAT rule applies but then another route lookup is done with the translated address. That’s what poses a problem to us. We are looking for another way to do this kind of configuration, have you other ideas ?
Thanks
see : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
