12-20-2020 11:52 AM
Hello,
I have following scenario. I have a two IPSEC connections to Oracle Cloud. The destination IP range is the same on both networks.
IPSEC A - dest IP range 10.1.6.0/24, security zone Oracle1
IPSEC B - dest IP range 10.1.6.0/24, security zone Oracle 2
LAN - 192.168.0.1/24
Static routing:
10.1.6.0/24 to IPSECA
10.1.7.0/24 to IPSECB
I have created a:
DNAT - from LAN to Oracle2, static DNAT - 10.1.6.0/24
SNAT - from Oracle2 to LAN, static SNAT - 10.1.7.0/24
Users will open for example 10.1.7.1 and it should be directed to IPSECB and NAT should change destination address to 10.1.6.1.
The problem I am facing is that PA does routing twice pre and post NAT. Post NAT routing directs pocket to IPSECA as the destination address is already NATed to 10.1.6.1.
Is there a way to make it working correctly? I cannot do any changes on Oracle side - I only control my PA.
12-21-2020 01:08 AM
Hi @Miroslaw_Iwanowski ,
Here for IPSEC-A as well as IPSEC-B (post DNAT), the destination is going to be from 10.1.6.x so anyhow it is going to match the static route which will have lowest matric. And in your case, it seems to be IPSEC-A tunnel interface. So in both cases, it will match IPSEC-A tunnel interface and firewall will forward traffic accordingly. Also it seems you have same set of source segment who need access to those resources otherwise PBF would be the option in case you have different source IP addresses accessing same destinations.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
