10-20-2020 03:15 AM
i have a problem with an Site2Site VPN connection.
i need an option to get access from external to my internal network but we have the same subnet
so i need access to 192.168.1.xxx but from the outside (Tunnel) i will use the ip 192.168.5.xxx
how i have to configure this?
i hope somebody has an idea for this
10-20-2020 09:15 AM
The easiest option might be to use NAT policies on your tunnel. A dynamic IP pool would let you dest NAT 192.168.5.0/24 to 192.168.1.0/24. However, if the source subnet on the remote side is in conflict, a src NAT policy might need applied on that end as well.
10-20-2020 11:40 PM
can you give me a little more detailed information how to configure this.
10-21-2020 10:03 AM
Assuming this diagram matches what you are trying to do, you'll want to apply a source NAT policy for the tunnel traffic on the remote firewall, so that their traffic appears to come from a network other than 192.168.1.0/24. If the servers on the local network don't need to know the individual client IP of the source traffic, a single address can be used for a many-to-1 source NAT policy policy. Otherwise, if the ability to discern individual source IPs is needed, several 1-to-1 source NATs will be needed (Palo Alto can do this as a pool). In this example I've used 192.168.2.1 (many-to-1) and 184.108.40.206/24 (1-to-1) for the Remote Site source NAT addressing.
On the Local Firewall, you'll want to use a 1-to-1 destination NAT policy where the pool of 192.168.5.0/24 addresses translate to 192.168.1.0/24. You can find the details on how to configure these policies here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat.html
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!