For details on cookie usage on our site, read our Privacy Policy
IPSec VPN with overlapping networks
- LIVEcommunity
- Discussions
- General Topics
- IPSec VPN with overlapping networks
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-02-2018 06:51 AM - edited 11-02-2018 10:49 AM
To begin with I know the document Configuring IPSec VPN between overlapping networks.
Due to my lack of experience still I am not able to understand how I should create the NAT rules.
My objective is to configure the IPSec tunnel only on "my" side - one that will be accessed and should allow access to some servers in the 192.168.2.0/24 network.
Below I put some aqnonymised configuration info:
IKE Gateway
Parameter | Value |
Version | IKEv1 only mode |
Address type | IPv4 |
Local IP Address | a.b.c.99 |
Peer IP Address | x.y.z.255 |
Exchange mode | auto |
IPSec Tunnel Proxy IDs
Parameter | Value |
Local | 10.0.2.0/24 (NAT 1:1 – original subnet 192.168.2.0/24 ) |
Remote |
The overlapping network addresses are 192.168.2.0/24
I have to create a NAT rule to show them to the accessing partner as 10.0.2.0/24 network.
I would be grateful if someone could tell me how to create this NAT rule with static translation.
Thank You a LOT! 🙂
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-20-2018 03:37 AM
Below is the configuration that finally worked.
Static Route
NAT
Security rules
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-02-2018 07:10 AM
Let's say partners want to access server at 192.168.2.10. Chose an IP you will use for NAT, let's say it's 10.0.2.10 (though any from that network would do).
All you need is a static destination NAT: source 10.95.0.0/16, destination 10.0.2.10, Destination Address Translation 192.168.2.10 (with apropriate zones).
And also you will need a firewall rule to allow access with pre-NAT IP address and post-NAT destination zone.
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-02-2018 07:23 AM
I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).
Can it bo done?
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-02-2018 08:46 AM
@Filip_Fronczak wrote:I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).
Can it bo done?
Yes, this is possible.
- Destination address object: 192.168.2.0/24
- Destination translation address object: 10.0.2.0/24
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-02-2018 09:53 AM
Is this enough or should there be something more?
Do I need on my side a NAT rule to translate the source too or a rule in the other direction?
Sorry for asking basic questions...
IPSecVPN_1
{
to [ LAN_Servers ]; from [ IPSec_xxx ]; source [ any ]; destination [ 192.168.2.0/24 ]; service any; disabled no; destination-translation
{
translated-address 10.0.2.0/24;
}
}
- Global protect client to access IPSEC peer networks. in General Topics
- Policy-Based IPsec VPN Failover in General Topics
- Multiple IPSec tunnels, single external IP in General Topics
- Site-to-Site Palo Alto VPN is Failing in General Topics
- Global Protect at a IPsec S2S branch office in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
