Help with IPSEC VPN with overlapping subnets

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Help with IPSEC VPN with overlapping subnets

L0 Member

I'm working with a vendor to setup an IPSEC VPN but we have an overlapping host address. My side has a PA500 and their side is a Sonicwall.

 

Palo Alto Side:

 

Source server: 192.168.100.20

Their Server: 192.168.100.85

 

My server NAT address: 10.0.0.20

Their Server NAT address: 10.0.1.85

 

I've configured a NAT rule that goes from Trust to Tunnel Zone:

 

Dest Interface: Tunnel.10

Source IP: 192.168.100.20 all ports

Destination IP: 10.0.1.85 all ports

Source Translation Static NAT: 10.0.0.20

Bi-Directional NAT - Checked

 

My firewall policies:

 

Trust to Tunnel Zone:

Allow 192.168.100.20 to reach 10.0.1.85

Allow 10.0.0.20 to reach 10.0.1.85

 

Tunnel to Trust Zone:

Allow 10.0.1.85 to reach 192.168.100.20

Allow 10.0.1.85 to reach 10.0.0.20

 

Proxy IDs:

 

Allow 10.0.0.20 to 10.0.1.85

 

------------------

 

The vendor has said they did the same on their side and the VPN is up but I am only see 1 way communication. I can ping them from my server and the NAT works fine, but they can't reach my server at all. 

 

Has anyone run into this issue that could point me in the right direction? Any help is greatly appreciated.

 

2 REPLIES 2

L3 Networker

hi mate, 

 

there is a link below with a tech doc on this. 

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Configuring-route-based-IPSec-with-overlappi...

 

cheers, 

 

Rob

Hey Rob,

 

 

Thanks for the reply. I had followed the doc you linked before and it doesn't work. I did get this to work last week by adding a static route to 10.0.0.0 into the tunnel on my side. They also had to add a route for 10.0.1.0 into the tunnel on theirs.

I don't understand why I needed a route added to the tunnel for a local network but it worked and traffic is flowing correctly now.

 

To summarize in case anyone comes across this issue and needs it, see the changes in bold:

 

Palo Alto Side:

Source server: 192.168.100.20
Their Server: 192.168.100.85

My server NAT address: 10.0.0.20
Their Server NAT address: 10.0.1.85

I've configured a NAT rule that goes from Trust to Tunnel Zone:

Dest Interface: Tunnel.10
Source IP: 192.168.100.20 all ports
Destination IP: 10.0.1.85 all ports
Source Translation Static NAT: 10.0.0.20
Bi-Directional NAT - Checked

My routes:

10.0.1.85/24 routed into Tunnel.10

10.0.0.20/24 routed into Tunnel.10

 

Their routes:

10.0.0.20/24 routed into Tunnel.10

10.0.1.85/24 routed into Tunnel.10

 

My firewall policies:

Trust to Tunnel Zone:
Allow 192.168.100.20 to reach 10.0.1.85
Allow 10.0.0.20 to reach 10.0.1.85

Tunnel to Trust Zone:
Allow 10.0.1.85 to reach 192.168.100.20
Allow 10.0.1.85 to reach 10.0.0.20

Proxy IDs:

Allow 10.0.0.20 to 10.0.1.85

  • 3526 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!