Nat out to internet with overlapping subnets in two separate virtual routers

L1 Bithead

Below is an example diagram of my scenario.  We have a subnet that is part of our production network, and then we have the same overlapping subnet for testing and disaster recovery which exists in a separate virtual router.  I've oversimplified the drawing, so hopefully this makes sense.  For testing purposes, the overlapping subnet in virtual router 2 needs internet access (the egress interface for internet access exists in virtual router 1).  My initial thoughts are that I create a default route in virtual router 2 that simply points to virtual router 1.  But... I need to have a route for virtual router 1 that points back to virtual router 2 for this subnet.  Can't do that, because it is an overlapping subnet.  So my assumption here is that I need to do some type of NAT translation for virtual router 2.  So as an example, I would like the 10.5.107.0/24 subnet in virtual router 2 to translate to 10.2.107.0/24, and then use that translated address to NAT out for internet access.  So in a sense, I guess NAT would actually happen two times.  But I've been trying to set this up in my lab environment and can't seem to get it working.  Any direction on how to do this would be appreciated.  I've been searching forums for a good while now, and can't seem to find any documentation on the exact setup I am trying to achieve.  Thanks!

L4 Transporter

@buck1 I think your best bet is to put both VRs in separate VSYS and then go from there.

Thanks for the reply.  How does that solve the issue though?  Any specifics on thoughts around design/configuration would be appreciated.  Thanks.

@buck1  You can route DR traffic to vsys2, and have NAT hide the IP addresses. So there will be NAT happening twice, once when traffic goes from vsys2 to vsys1 and second when from vsys1(untrust) to internet.  

Hi @buck1 ,

Unfortunately @raji_toor is right, I also cannot think of another way but to use different vsys. Here is a link that describes what you want to achieve.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldgCAC

By the way - have you tested it without the route for return traffic and NAT for the overlapping subnet? I am thinking, isn't this enough:

- Default route in VR-2 with nexthop - next-vr VR-1

- Rule allowing VR-2-LAN zone to Internet zone

- NAT rule for VR-2-LAN zone to Internet zone to translate source

The above should be enough to forward the traffic to the Internet and NAT it. The return traffic should match the already established session and not perform any route lookup. The session should contain information for the proper zone that traffic should be routed back to, shouldn't it?
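The three items listed above, written out as PAN-OS CLI set commands. This is an added example, not configuration from the thread or from the linked KB article; the VR, zone and interface names (VR-1, VR-2, VR-2-LAN, Internet, ethernet1/1) are assumptions, and the original poster reports that in his testing a return route in VR-1 was still required for this to work.

```panos
# Assumed layout: VR-1 owns the internet egress interface ethernet1/1 in zone
# "Internet"; VR-2 owns the test/DR subnet 10.5.107.0/24 in zone "VR-2-LAN".

# 1. Default route in VR-2 whose next hop is the other virtual router (next-vr),
#    so VR-2 traffic for the internet is handed to VR-1 for forwarding.
set network virtual-router VR-2 routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr VR-1
set network virtual-router VR-2 routing-table ip static-route default metric 10

# 2. Security rule allowing the VR-2 LAN zone to reach the Internet zone.
#    Source is pinned to the test subnet rather than "any" so only the DR
#    hosts, not everything behind VR-2, are let out.
set rulebase security rules VR2-LAN-to-Internet from VR-2-LAN to Internet source 10.5.107.0/24 destination any application any service application-default action allow

# 3. Source NAT (interface-address PAT) on the egress interface, scoped to the
#    same subnet. Return packets match this session and are translated back
#    without a fresh route lookup for 10.5.107.0/24 in VR-1.
set rulebase nat rules VR2-LAN-to-Internet from VR-2-LAN to Internet source 10.5.107.0/24 destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1
```

After a commit, `show session all filter source 10.5.107.0/24` shows whether sessions from the test subnet are being created and which zones they are installed with.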

 

L1 Bithead

Thanks all for the feedback.  I will look into using a separate vsys and see if that resolves my NAT issues.  And to Astardzhiev, regarding leaving out the route for return traffic, I did do some original testing routing out to the internet from a separate VR and found that the return route does have to be there or it doesn't work.  
