overlapping subnets in virtual router and NAT

Showing results for 
Show  only  | Search instead for 
Did you mean: 

overlapping subnets in virtual router and NAT

L3 Networker



I have two virtual routers say customer-1 and customer-2 having subnets (overlapping subnet). Now internet connection line is on eth1/1 which is in default virtual router. Both customer-1 and customer-2 needs to access the internet but I am wondering how source NAT will work in this case?

Also for reverse traffic for subnet in default route will work?




@reaper your comments please

in your scenario the ideal solution would be to have eacht VR connected to the ISP independently, this will prevent collisions with your duplicate IP subnets

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

L7 Applicator

I would setup NAT from one to a non-overlapping subnet on egress from the VR into the ISP VR.


This will give everything a unique address from the ISP VR perspective and return the traffic to the correct sources.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks @reaper @pulukas for your comments 

Hi, sorry to bring this thread up as I happened to came across  when searching for a solution to my issue. 


So, I have a setup as below, I'm having 2 VSYS with overlapping subnet (Network A and B) in the trust interface, however, I also added secondary subnets in that same interface, however, this time, the secondary subnets are non overlapping. 


What I did next was, from each VSYS A and VSYS B,  configured Source NAT from Trust to External Zone, translated IP as the secondary subnet interface IP (ie and for VSYS A and B respectively), to reach out to a server in the untrust subnet located in the Main VSYS.


I also have routing configured respectively, as you can see from the diagram, however, I could not reach to the untrust subnet from both VSYS A and B. 


Session browser showed connected sessions from both VSYS A and B trust zones to the Main VSYS untrust zones, with correct source and destination addresses with NAT-ed IP as well.


The following counter global were observed:

Session setup: no destination zone from forwarding

Packets dropped: no route


These counters indicated there there were no routing or routing was incorrect, however, fib route lookup from both VSYS A and B to Main VSYS  to destination in untrust zone in main VSYS was successful.  Route lookup from Main VSYS to VSYS A and B to destination of Source NAT-ed IP ( and 4.1) was successful as well.


Therefore, could anyone verified if SourceNAT is supported in such intervsys routing design?


Screenshot 2020-03-25 at 3.38.03 PM.png

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!