02-02-2022 12:47 PM - edited 02-02-2022 12:48 PM
Below is an example diagram of my scenario. We have a subnet that is part of our production network, and then we have the same overlapping subnet for testing and disaster recovery, which exists in a separate virtual router. I've oversimplified the drawing, so hopefully this makes sense. For testing purposes, the overlapping subnet in virtual router 2 needs internet access (the egress interface for internet access exists in virtual router 1). My initial thought is that I create a default route in virtual router 2 that simply points to virtual router 1. But... I need to have a route in virtual router 1 that points back to virtual router 2 for this subnet. Can't do that, because it is an overlapping subnet. So my assumption here is that I need to do some type of NAT translation for virtual router 2. So as an example, I would like the 10.5.107.0/24 subnet in virtual router 2 to translate to 10.2.107.0/24, and then use that translated address to NAT out for internet access. So in a sense, I guess NAT would actually happen two times. But I've been trying to set this up in my lab environment and can't seem to get it working. Any direction on how to do this would be appreciated. I've been searching forums for a good while now, and can't seem to find any documentation on the exact setup I am trying to achieve. Thanks!
02-05-2022 03:47 PM
Thanks for the reply. How does that solve the issue though? Any specifics on thoughts around design/configuration would be appreciated. Thanks.
02-07-2022 04:58 PM
@buck1 You can route DR traffic to vsys2 and have NAT hide the IP addresses. So there will be NAT happening twice: once when traffic goes from vsys2 to vsys1, and a second time when it goes from vsys1 (untrust) to the internet.
02-08-2022 12:57 AM
Hi @buck1 ,
Unfortunately @raji_toor is right, I also cannot think of another way but to use different vsys. Here is a link that describes what you want to achieve.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldgCAC
By the way - have you tested it without a route for the return traffic and NAT for the overlapping subnet? I am thinking, isn't this enough:
- Default route in VR-2 with nexthop - next-vr VR-1
- Rule allowing VR-2-LAN zone to Internet zone
- NAT rule for VR-2-LAN zone to Internet zone to translate source
The above should be enough to forward the traffic to the Internet and NAT it. The return traffic should match the already established session and not perform any route lookup. The session should contain the information about the proper zone the traffic should be routed back to, shouldn't it?
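The three items above rendered as PAN-OS CLI set commands, as an added illustration and not configuration from this thread or from Palo Alto Networks. It assumes the virtual router names VR-1 and VR-2, the zone names VR-2-LAN and Internet, and that the internet-facing interface in VR-1 is ethernet1/1; the rule names and the source-NAT style (dynamic IP and port on the egress interface address) are also assumptions, and the NAT rule matches on the VR-2-LAN zone so that the overlapping 10.5.107.0/24 in VR-1 is not affected.

```text
set network virtual-router VR-2 routing-table ip static-route default-to-VR-1 destination 0.0.0.0/0 nexthop next-vr VR-1
set rulebase security rules VR-2-LAN-to-Internet from VR-2-LAN to Internet source 10.5.107.0/24 destination any application any service application-default action allow
set rulebase nat rules VR-2-LAN-SNAT from VR-2-LAN to Internet source 10.5.107.0/24 destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
```

Whether a reverse route in VR-1 is still required for the return traffic is exactly what the next reply reports from lab testing, so verify it with a session lookup rather than assuming either outcome.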
02-08-2022 05:54 AM
Thanks all for the feedback. I will look into using a separate vsys and see if that resolves my NAT issues. And to Astardzhiev, regarding leaving out the route for return traffic, I did do some original testing routing out to the internet from a separate VR and found that the return route does have to be there or it doesn't work.