Overlapping Subnets and NAT


Overlapping Subnets and NAT

L1 Bithead

Hello,

I have a new client we have a direct L3 link with. Our firewall has an existing directly connected interface on the 10.10.0.0/16 subnet. Our client also has a subnet of 10.10.0.0/16 which we need to get to.

During my initial testing I decided just to access a /24 of the client's /16. I am NATting the client subnet of 10.10.101.0/24 to 172.17.101.0/24.

I have a NAT policy with a source of another of my internal subnets (not the 10.10.0.0/16), destination of 172.17.101.0/24, source NAT to a dynamic IP+port, destination NAT to 10.10.101.0/24.

When the destination NAT kicks in it checks the source VR for its route, which is the directly connected interface, and attempts to route it locally. If I remove the destination NAT it hits the destination interface but with the wrong destination address.

Round 2:

I removed the customer config from the current VR and put them into a new VR, and set up VR-to-VR routes. Same issue:

When the destination NAT kicks in it checks the source VR for its route, which is the directly connected interface, and attempts to route it locally. If I remove the destination NAT it hits the destination interface but with the wrong destination address.

Does anyone know how I can get around this without using a separate VSYS (I haven't tried yet, not 100% sure it will work)?

3 REPLIES

Cyber Elite

Is your customer capable of setting up NAT in their environment?

You could route 192.168.0.0/24 to their gateway and they could NAT it to a /24 of their choice.

If there is a specific segment you need to be able to reach at their end, you could use policy-based forwarding, as this redirects packets before they hit the routing table.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Really trying to avoid having the customer set up something on their end, but yes, it is a solution.

I don't think PBF will work, as the lookup for the customer 10.10.0.0/16 will break connections to the internal 10.10.0.0/16 network.

Yeah, PBF would only work for a select few IPs...

A very elaborate solution is to set up a second vsys with 2 interfaces (these can be subinterfaces).

It would need an 'internal' interface connected to your DMZ or untrust so you can easily route and NAT, on a subnet of 172.16.0.0/30 for example,

and an interface leading out to the customer's 10.10.0.0/16.

vsys2 would have static NAT set for 192.168.0.0/16 to 10.10.0.0/16 (this would perform a one-to-one NAT, only replacing the first 2 bytes).

vsys1 would then simply need to have source NAT to hide your 10.10 range behind the 172.16.0.0/30 IP and a route leading to the second vsys.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
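As an added illustration of the behaviour discussed in this thread (example code written for this page, not from the thread and not PAN-OS code): a small Python model with constructed interface names that shows why a route lookup on the post-DNAT address lands on the connected 10.10.0.0/16, why PBF (matched before routing) avoids that, and the one-to-one "replace the first two bytes" translation described for vsys2.

```python
import ipaddress

# Constructed model of the thread's topology. Interface names are made up.
# The firewall already owns 10.10.0.0/16 as a connected network, and the
# customer's 10.10.101.0/24 is reached through the 172.17.101.0/24 placeholder.
ROUTES = {
    "10.10.0.0/16": "ethernet1/1 (our connected 10.10.0.0/16)",
    "172.17.101.0/24": "ethernet1/5 (L3 link to customer)",
    "0.0.0.0/0": "ethernet1/2 (untrust)",
}
CUSTOMER_LINK = ROUTES["172.17.101.0/24"]


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES for a destination address."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES
               if addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def static_nat(dst: str, original: str, translated: str) -> str:
    """One-to-one network translation: keep the host bits, swap the prefix.
    For two /16s this is exactly 'replace the first two bytes'."""
    orig_net = ipaddress.ip_network(original)
    xlat_net = ipaddress.ip_network(translated)
    if orig_net.prefixlen != xlat_net.prefixlen:
        raise ValueError("original and translated networks must be the same size")
    offset = int(ipaddress.ip_address(dst)) - int(orig_net.network_address)
    return str(xlat_net.network_address + offset)


def egress_for(dst: str, pbf: bool = False) -> str:
    """Egress interface for a packet sent to the pre-NAT destination dst.

    Destination NAT rewrites dst to 10.10.101.x and the route lookup then
    runs on the translated address, so it hits the connected 10.10.0.0/16
    (the problem described in the post). PBF matches the original header
    before the routing table is consulted, so it can pin the egress link.
    """
    if pbf and ipaddress.ip_address(dst) in ipaddress.ip_network("172.17.101.0/24"):
        return CUSTOMER_LINK
    after_dnat = static_nat(dst, "172.17.101.0/24", "10.10.101.0/24")
    return route_lookup(after_dnat)
```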