need to configure IP-SEC VPN between 2 sites with overlapping networks problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

need to configure IP-SEC VPN between 2 sites with overlapping networks problem

L1 Bithead

scenario

Site A

Any equipment IPSec firewall
internal interface: 172.16.0.1 255.255.0.0
external Interface:20.1.1.10
Internal Network: 172.0.0.0/8

VPN proxy ID

Local: 172.16.0.0/16
Remote: 192.168.98.5/32

Site B

Equipment PA-2050
internal interface: 172.22.6.245
external Interface: 20.1.1.20
Internal Network: 172.0.0.0/8

VPN proxy IP

Local: 172.22.0.0/16
Remote: 192.168.98.5


A host 172.16.0.x in Site A needs access server (172.22.6.244) in Site B by IPSec VPN Tunnel

Problem 1: The internal networks in Site A has a Vlan with 172.22.0.0/8
Problem 2: The internal networks in Site B has a Vlan with 172.16.0.0/24

How it works today with Cisco ASA:

- The host in site A initiates connection to the IP 192.168.98.5
- The PA-2050 perfoms dynamic NAT with source 172.16.0.0/24 para o IP 192.168.98.5
- O PA-2050 perfoms a static NAT with source 172.22.6.244 para 192.168.98.5


NAT ASA

NAT PA

Topology

My problem is that NAT not return this worked Static NAT not working properly in this Paloalto!!!!!!!!

3 REPLIES 3

L7 Applicator

Hello Netsul,

Could you please follow the doc Configuring route based IPSec with overlapping networks for the same. Specially the NAT part of the PAN firewall.

Thanks

L1 Bithead

Hi

Hulk verificaquei the document did not work over NAT return

L5 Sessionator

Hello Sir,

Your NAT policies should like below:

Make sure that routing for 192.168.98.5/32 and 172.16.0.0/16 points to tunnel interface.

Assuming Out destination zone points to Tunnel interface.

Your security policies should like below:

Regards,

Hari Yadavalli

  • 2984 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!