cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

IPSec VPN with overlapping networks

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Filip_Fronczak
L2 Linker
‎11-02-2018 06:51 AM
‎11-02-2018 06:51 AM

IPSec VPN with overlapping networks

To begin with I know the document Configuring IPSec VPN between overlapping networks.

Due to my lack of experience still I am not able to understand how I should create the NAT rules.

My objective is to configure the IPSec tunnel only on "my" side - one that will be accessed and should allow access to some servers in the 192.168.2.0/24 network. 

 

Below I put some aqnonymised configuration info: 

  IKE Gateway

Parameter

Value

Version

IKEv1 only mode

Address type

IPv4

Local IP Address

a.b.c.99

Peer IP Address

x.y.z.255

Exchange mode

auto

IPSec Tunnel Proxy IDs

Parameter

Value

Local

10.0.2.0/24 (NAT 1:1 – original subnet 192.168.2.0/24 )

Remote

10.95.0.0/16

 

The overlapping network addresses are 192.168.2.0/24

I have to create a NAT rule to show them to the accessing partner as 10.0.2.0/24 network.

 

I would be grateful if someone could tell me how to create this NAT rule with static translation.

 

Thank You a LOT! :-)

0 Likes
Reply

Accepted Solutions
Filip_Fronczak
L2 Linker
‎11-20-2018 03:37 AM
‎11-20-2018 03:37 AM

Below is the configuration that finally worked.

 

Static Route

 

01_Static_Route.png

 

NAT

02_NAT.png

 

Security rules

03_Security.png

View solution in original post

(1)
Reply

All Replies
santonic
L5 Sessionator
‎11-02-2018 07:10 AM
‎11-02-2018 07:10 AM

Let's say partners want to access server at 192.168.2.10. Chose an IP you will use for NAT, let's say it's 10.0.2.10 (though any from that network would do).

All you need is a static destination NAT: source 10.95.0.0/16, destination 10.0.2.10, Destination Address Translation 192.168.2.10 (with apropriate zones).

 

And also you will need a firewall rule to allow access with pre-NAT IP address and post-NAT destination zone.

 

 

0 Likes
Reply
Filip_Fronczak
L2 Linker
‎11-02-2018 07:23 AM
‎11-02-2018 07:23 AM

I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).

Can it bo done?

0 Likes
Reply
vsys_remo
Cyber Elite
Cyber Elite
‎11-02-2018 08:46 AM
‎11-02-2018 08:46 AM

@Filip_Fronczak wrote:

I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).

Can it bo done?

Yes, this is possible.

  • Destination address object: 192.168.2.0/24
  • Destination translation address object: 10.0.2.0/24
0 Likes
Reply
Filip_Fronczak
L2 Linker
‎11-02-2018 09:53 AM
‎11-02-2018 09:53 AM

Is this enough or should there be something more?

Do I need on my side a NAT rule to translate the source too or a rule in the other direction?

Sorry for asking basic questions...

 

IPSecVPN_1
{
to [ LAN_Servers ]; from [ IPSec_xxx ]; source [ any ]; destination [ 192.168.2.0/24 ]; service any; disabled no; destination-translation
{
translated-address 10.0.2.0/24;
}
}

0 Likes
Reply
vsys_remo
Cyber Elite
Cyber Elite
‎11-02-2018 10:05 AM
‎11-02-2018 10:05 AM

Ignore my last post ... 

The NAT rule shoild look like this

  • Original source: 192.168.2.0/24
  • Original destination: 10.95.0.0/16
  • Type: Static IP
  • Translated source: 10.0.2.0/24
  • Translated destination: none
0 Likes
Reply
Filip_Fronczak
L2 Linker
‎11-02-2018 10:32 AM
‎11-02-2018 10:32 AM

And what about the other way?

Traffic from the oher side that wants to arrive to servers in our network - 192.168.2.0/24?

0 Likes
Reply
vsys_remo
Cyber Elite
Cyber Elite
‎11-02-2018 10:55 AM
‎11-02-2018 10:55 AM

Check the bi-directional checkbox

0 Likes
Reply
Filip_Fronczak
L2 Linker
‎11-02-2018 11:07 AM
‎11-02-2018 11:07 AM

So, it's this, right?

 

IPSecVPN_xxx-1
{
to [ IPSec_xxx ]; from [ LAN_Servers ]; source [ 192.168.2.0/24 ]; destination [ 10.95.0.0/16 ]; source-translation
{
static-ip
{
bi-directional yes; translated-address 10.0.2.0/24;
}
}
}

0 Likes
Reply
vsys_remo
Cyber Elite
Cyber Elite
‎11-02-2018 11:14 AM
‎11-02-2018 11:14 AM

Yes, looks correct.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks