03-14-2014 06:36 AM
Scenario
Site A
Any equipment IPSec firewall
internal interface: 172.16.0.1 255.255.0.0
external interface: 20.1.1.10
Internal Network: 172.0.0.0/8
VPN proxy ID
Local: 172.16.0.0/16
Remote: 192.168.98.5/32
Site B
Equipment PA-2050
internal interface: 172.22.6.245
external interface: 20.1.1.20
Internal Network: 172.0.0.0/8
VPN proxy IP
Local: 172.22.0.0/16
Remote: 192.168.98.5
A host 172.16.0.x in Site A needs to access a server (172.22.6.244) in Site B through an IPSec VPN tunnel.
Problem 1: The internal network in Site A has a VLAN with 172.22.0.0/8
Problem 2: The internal network in Site B has a VLAN with 172.16.0.0/24
How it works today with Cisco ASA:
- The host in Site A initiates a connection to the IP 192.168.98.5
- The PA-2050 performs dynamic NAT with source 172.16.0.0/24 to the IP 192.168.98.5
- The PA-2050 performs a static NAT with source 172.22.6.244 to 192.168.98.5
NAT ASA
NAT PA
Topology
My problem is that NAT not return this worked; static NAT is not working properly on this Palo Alto!
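The address plan in the post above, run through an overlap check, shows why neither side can route to the other's real addresses and why a translated address outside both plans is used. This is an added example, not part of the original post or of any Palo Alto tooling; the `SITES` layout and the function names are assumptions made for illustration.

```python
import ipaddress

def net(cidr):
    # strict=False: the post writes some prefixes with host bits set
    # (172.22.0.0/8), which strict parsing rejects. It normalises to 172.0.0.0/8.
    return ipaddress.ip_network(cidr, strict=False)

# Addresses copied from the post; the dictionary layout is an assumption.
SITES = {
    "A": {"proxy_local": "172.16.0.0/16",
          "internal": ["172.0.0.0/8", "172.22.0.0/8"]},
    "B": {"proxy_local": "172.22.0.0/16",
          "internal": ["172.0.0.0/8", "172.16.0.0/24"]},
}
TRANSLATED = "192.168.98.5/32"  # remote proxy ID used on both sides in the post

def find_conflicts(sites):
    """List (site, local_net, peer, peer_range) where a site's own network
    overlaps the peer's real range, so traffic for the peer would stay local
    instead of being routed into the tunnel."""
    conflicts = []
    for name, site in sites.items():
        for peer_name, peer in sites.items():
            if peer_name == name:
                continue
            peer_range = net(peer["proxy_local"])
            for local in site["internal"]:
                if net(local).overlaps(peer_range):
                    conflicts.append(
                        (name, local, peer_name, peer["proxy_local"]))
    return conflicts

def translated_is_safe(translated, sites):
    """True if the NAT address collides with no network at either site."""
    t = net(translated)
    for site in sites.values():
        for cidr in site["internal"] + [site["proxy_local"]]:
            if t.overlaps(net(cidr)):
                return False
    return True

if __name__ == "__main__":
    for site, local, peer, peer_range in find_conflicts(SITES):
        print(f"Site {site}: {local} overlaps Site {peer} range {peer_range}")
    print("translated address usable:", translated_is_safe(TRANSLATED, SITES))
```
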
03-14-2014 09:20 AM
Hello Netsul,
Could you please follow the doc "Configuring route based IPSec with overlapping networks" for the same, especially the NAT part of the PAN firewall.
Thanks
03-17-2014 09:02 PM
Hello Sir,
Your NAT policies should look like below:
Make sure that routing for 192.168.98.5/32 and 172.16.0.0/16 points to tunnel interface.
Assuming Out destination zone points to Tunnel interface.
Your security policies should look like below:
Regards,
Hari Yadavalli