NAT from Site2Site to virtual subnet

L0 Member
Hi,

I have a problem with a Site2Site VPN connection.

I need an option to get access from outside to my internal network, but we have the same subnet.

So I need access to 192.168.1.xxx, but from the outside (tunnel) I will use the IP 192.168.5.xxx.

How do I have to configure this?

I hope somebody has an idea for this.

Thanks

Stefan

3 REPLIES

L4 Transporter

The easiest option might be to use NAT policies on your tunnel. A dynamic IP pool would let you dest NAT 192.168.5.0/24 to 192.168.1.0/24. However, if the source subnet on the remote side is in conflict, a src NAT policy might need to be applied on that end as well.

Can you give me a little more detailed information on how to configure this?

Assuming this diagram matches what you are trying to do, you'll want to apply a source NAT policy for the tunnel traffic on the remote firewall, so that their traffic appears to come from a network other than 192.168.1.0/24. If the servers on the local network don't need to know the individual client IP of the source traffic, a single address can be used for a many-to-1 source NAT policy. Otherwise, if the ability to discern individual source IPs is needed, several 1-to-1 source NATs will be needed (Palo Alto can do this as a pool). In this example I've used 192.168.2.1 (many-to-1) and 182.168.2.0/24 (1-to-1) for the Remote Site source NAT addressing.

On the Local Firewall, you'll want to use a 1-to-1 destination NAT policy where the pool of 192.168.5.0/24 addresses translate to 192.168.1.0/24. You can find the details on how to configure these policies here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat.html

[Diagram referenced above: OwenFuller_0-1603299729747.png (image not included in this extract)]
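To make the two-sided translation in the reply above concrete, here is an added example (my own model of the NAT logic, not code from the thread, not PAN-OS configuration, and not the project's own). It uses the thread's addressing: both sites really are 192.168.1.0/24, remote clients address the local site as 192.168.5.0/24, and the remote firewall hides its own 192.168.1.0/24 behind 192.168.2.1 (many-to-1) or a 192.168.2.0/24 pool (1-to-1). The pool address 192.168.2.0/24, the sample hosts .50 and .10 and the function names are my assumptions. The `reply_reaches_tunnel` check shows why the source NAT on the remote side is not optional: a reply addressed into 192.168.1.0/24 would be delivered on the local LAN and never enter the tunnel.

```python
import ipaddress

# Constructed example addressing, following the thread: both sites use
# 192.168.1.0/24 (the conflict), remote clients reach the local site via
# 192.168.5.0/24, and the remote side is hidden behind 192.168.2.x (assumed pool).
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")         # real local site
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")        # real remote site
TUNNEL_DST_POOL = ipaddress.ip_network("192.168.5.0/24")   # how remote clients see LOCAL_LAN
REMOTE_SNAT_POOL = ipaddress.ip_network("192.168.2.0/24")  # 1-to-1 source NAT pool (assumed)
REMOTE_SNAT_SINGLE = ipaddress.ip_address("192.168.2.1")   # many-to-1 source NAT address


def _shift(addr, from_net, to_net):
    """Static 1-to-1 NAT: keep the host part, swap the network part."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1-to-1 NAT needs equally sized networks")
    offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + offset


def remote_outbound(src, dst, one_to_one=True):
    """Remote firewall, client -> tunnel: source NAT so the packet no longer
    carries a 192.168.1.x source that collides with the local LAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in TUNNEL_DST_POOL:          # not tunnel traffic: leave it alone
        return str(src), str(dst)
    if one_to_one:
        src = _shift(src, REMOTE_LAN, REMOTE_SNAT_POOL)   # 192.168.1.50 -> 192.168.2.50
    else:
        src = REMOTE_SNAT_SINGLE                          # everyone -> 192.168.2.1
    return str(src), str(dst)


def local_inbound(src, dst):
    """Local firewall, tunnel -> LAN: 1-to-1 destination NAT 192.168.5.x -> 192.168.1.x."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in TUNNEL_DST_POOL:
        dst = _shift(dst, TUNNEL_DST_POOL, LOCAL_LAN)
    return str(src), str(dst)


def forward_path(client, target, one_to_one=True):
    """(src, dst) as the local server finally sees the packet."""
    return local_inbound(*remote_outbound(client, target, one_to_one))


def reverse_path(server, client_as_seen):
    """Reply path for the 1-to-1 case: the local firewall restores the server's
    192.168.5.x identity, the remote firewall maps the pool address back to
    the real client. (Many-to-1 replies need the session table, not modelled here.)"""
    src = _shift(ipaddress.ip_address(server), LOCAL_LAN, TUNNEL_DST_POOL)
    dst = _shift(ipaddress.ip_address(client_as_seen), REMOTE_SNAT_POOL, REMOTE_LAN)
    return str(src), str(dst)


def reply_reaches_tunnel(reply_dst):
    """The overlap problem in one line: a reply addressed into 192.168.1.0/24 is
    delivered on the local LAN and never routed into the tunnel. Only a
    translated source outside LOCAL_LAN gets a reply back across the VPN."""
    return ipaddress.ip_address(reply_dst) not in LOCAL_LAN


if __name__ == "__main__":
    print("1-to-1:     ", forward_path("192.168.1.50", "192.168.5.10"))
    print("many-to-1:  ", forward_path("192.168.1.50", "192.168.5.10", one_to_one=False))
    print("reply to SNAT'd client reaches tunnel:  ", reply_reaches_tunnel("192.168.2.50"))
    print("reply to untranslated client reaches it:", reply_reaches_tunnel("192.168.1.50"))
    print("reverse:    ", reverse_path("192.168.1.10", "192.168.2.50"))
```

Running it shows a remote client 192.168.1.50 talking to 192.168.5.10 arriving at the local server as 192.168.2.50 -> 192.168.1.10, and the server's reply being routable only because the source was translated; with many-to-1 the local side sees every remote client as 192.168.2.1, which is why the reply chose 1-to-1 when the servers need to tell clients apart (for logging, access control or audit).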
