11-15-2017 01:03 PM
I'm working with a vendor to set up an IPSEC VPN but we have an overlapping host address. My side has a PA500 and their side is a Sonicwall.
Palo Alto Side:
Source server: 192.168.100.20
Their Server: 192.168.100.85
My server NAT address: 10.0.0.20
Their Server NAT address: 10.0.1.85
I've configured a NAT rule that goes from Trust to Tunnel Zone:
Dest Interface: Tunnel.10
Source IP: 192.168.100.20 all ports
Destination IP: 10.0.1.85 all ports
Source Translation Static NAT: 10.0.0.20
Bi-Directional NAT - Checked
My firewall policies:
Trust to Tunnel Zone:
Allow 192.168.100.20 to reach 10.0.1.85
Allow 10.0.0.20 to reach 10.0.1.85
Tunnel to Trust Zone:
Allow 10.0.1.85 to reach 192.168.100.20
Allow 10.0.1.85 to reach 10.0.0.20
Proxy IDs:
Allow 10.0.0.20 to 10.0.1.85
------------------
The vendor has said they did the same on their side and the VPN is up, but I am only seeing one-way communication. I can ping them from my server and the NAT works fine, but they can't reach my server at all.
Has anyone run into this issue that could point me in the right direction? Any help is greatly appreciated.
11-24-2017 04:42 PM
hi mate,
there is a link below with a tech doc on this.
cheers,
Rob
11-27-2017 12:19 PM
Hey Rob,
Thanks for the reply. I had followed the doc you linked before and it doesn't work. I did get this to work last week by adding a static route to 10.0.0.0 into the tunnel on my side. They also had to add a route for 10.0.1.0 into the tunnel on theirs.
I don't understand why I needed a route added to the tunnel for a local network but it worked and traffic is flowing correctly now.
To summarize in case anyone comes across this issue and needs it, see the changes in bold:
Palo Alto Side:
Source server: 192.168.100.20
Their Server: 192.168.100.85
My server NAT address: 10.0.0.20
Their Server NAT address: 10.0.1.85
I've configured a NAT rule that goes from Trust to Tunnel Zone:
Dest Interface: Tunnel.10
Source IP: 192.168.100.20 all ports
Destination IP: 10.0.1.85 all ports
Source Translation Static NAT: 10.0.0.20
Bi-Directional NAT - Checked
My routes:
10.0.1.85/24 routed into Tunnel.10
10.0.0.20/24 routed into Tunnel.10
Their routes:
10.0.0.20/24 routed into Tunnel.10
10.0.1.85/24 routed into Tunnel.10
My firewall policies:
Trust to Tunnel Zone:
Allow 192.168.100.20 to reach 10.0.1.85
Allow 10.0.0.20 to reach 10.0.1.85
Tunnel to Trust Zone:
Allow 10.0.1.85 to reach 192.168.100.20
Allow 10.0.1.85 to reach 10.0.0.20
Proxy IDs:
Allow 10.0.0.20 to 10.0.1.85
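As an added example (not from the thread or from Palo Alto), the following Python checker encodes the working design summarised above and flags the two tunnel routes the original post lacked. The dict layout, the zone names and the ethernet1/1 default route are assumptions made for the checker, not PAN-OS syntax.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread's final working design (Palo Alto side). Field
# names and the ethernet1/1 default route are assumptions of this checker.
SITE = {
    "tunnel_if": "tunnel.10", "trust": "Trust", "tunnel_zone": "Tunnel",
    "local_real": "192.168.100.20", "local_nat": "10.0.0.20",
    "remote_real": "192.168.100.85", "remote_nat": "10.0.1.85",
    "routes": [("0.0.0.0/0", "ethernet1/1"),       # assumed default route
               ("10.0.1.85/24", "tunnel.10"),      # host bits set, as in the post
               ("10.0.0.20/24", "tunnel.10")],
    "proxy_id": ("10.0.0.20", "10.0.1.85"),
    "policies": [("Trust", "Tunnel", "192.168.100.20", "10.0.1.85"),
                 ("Trust", "Tunnel", "10.0.0.20", "10.0.1.85"),
                 ("Tunnel", "Trust", "10.0.1.85", "192.168.100.20"),
                 ("Tunnel", "Trust", "10.0.1.85", "10.0.0.20")],
}

def egress_interface(routes, addr):
    """Longest-prefix match; strict=False normalises 10.0.1.85/24 to 10.0.1.0/24."""
    best = None
    for net, iface in routes:
        net = ip_network(net, strict=False)
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def check_site(site):
    """Return the list of design gaps; an empty list means the design is consistent."""
    gaps = []
    # Both post-NAT addresses must resolve to the tunnel interface, not the default route.
    for key in ("local_nat", "remote_nat"):
        via = egress_interface(site["routes"], site[key])
        if via != site["tunnel_if"]:
            gaps.append(f"{site[key]} ({key}) routes via {via}, not {site['tunnel_if']}")
    # The proxy ID carries only the translated pair; the overlapping real hosts never appear.
    if site["proxy_id"] != (site["local_nat"], site["remote_nat"]):
        gaps.append("proxy ID must be the post-NAT pair")
    # Security policy needs both the pre-NAT and post-NAT local address in each direction.
    t, z = site["trust"], site["tunnel_zone"]
    needed = {(t, z, site["local_real"], site["remote_nat"]), (t, z, site["local_nat"], site["remote_nat"]),
              (z, t, site["remote_nat"], site["local_real"]), (z, t, site["remote_nat"], site["local_nat"])}
    for rule in sorted(needed - set(site["policies"])):
        gaps.append(f"missing security rule {rule}")
    return gaps

def without_tunnel_routes(site):
    """The original post's state: only the default route, no NAT subnets into the tunnel."""
    return {**site, "routes": [r for r in site["routes"] if r[1] != site["tunnel_if"]]}

if __name__ == "__main__":
    print(check_site(without_tunnel_routes(SITE)))  # two route gaps
    print(check_site(SITE))                         # []
```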