10-14-2023 09:15 PM
Hi
I need to connect to a new site - they have overlapping IP address ranges.
I have agreed to renumber - all good. I want to set up an IPsec tunnel and I would like to SNAT all traffic from this new site.
So let's say that I am using 192.168.10-20.0/24 and the space is 192.168.240-250.0/24.
So it's going to take a while to get it all renumbered.
For this let's say I have
192.168.10.0 - vlan 10
192.168.11.0 - vlan 11
192.168.12.0 - vlan 12
192.168.13.0 - vlan 13
192.168.14.0 - vlan 14
and I have added a second address range onto vlan 14:
192.168.244.0 - vlan 14
On the IPsec tunnel we are using 10.0.0.0/30, .1 their end and .2 my end.
Let's say they have a device on their end, 192.168.12.50, that's trying to connect to my device 192.244.50 - let's say SSH.
The packet coming in on the IPsec tunnel comes in with a source address of 192.168.12.50 and I SNAT that to 10.0.0.1.
.1 is the default gateway and the PA is .1.
So the return packet goes from 192.244.50 back to 10.0.0.1, the PA un-SNATs it back to 192.168.12.50, and now I want this packet to go back over the IPsec tunnel - can I use PBF, will that work?
Remember I also want packets from 192.244.50 to 192.168.12.50 to not go out of the IPsec tunnel but out vlan 12.
On Linux I can do this: I can tag packet flows and route according to their tag - a quick read of PBF seems to suggest it might help. I set up PBF from the IPsec tunnel to 192.244.50 and tell it to use the same route back!!
Or I can set up a new vsys, hide all of the stuff there, do the SNAT there and then route between vsys...
How easy is it to convert a single setup on a 5220 to a multi-vsys setup!!! And how do I route between vsys - I haven't found that easy.
Is doing a vsys the only way to do a VRF / private routing table??
10-15-2023 09:40 AM
With overlapping subnets at both sides you need NAT policies on both sides and different subnets in routing.
Example:
Site 1 - 192.168.0.0/16
Site 2 - 192.168.0.0/16
To access resources from site 1 to site 2 you need to use a fake IP range, let's say 10.2.0.0/16.
So you route 10.2.0.0/16 into the tunnel towards site 2.
The firewall on the site 2 side applies DNAT 10.2.0.0/16 > 192.168.0.0/16.
To access resources from site 2 to site 1 you use a different fake IP range, let's say 10.1.0.0/16.
So you route 10.1.0.0/16 into the tunnel from site 2 towards site 1.
The firewall on the site 1 side applies DNAT 10.1.0.0/16 > 192.168.0.0/16.
Pay attention that unless you add static routes for 10.1.0.0/16 and 10.2.0.0/16 towards inside zones, they are routed to WAN, so the NAT rules must have the WAN zone as destination for them to match.
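The fake-prefix scheme from the reply above, carried through as an added example (not code from the post or from PAN-OS): a 1:1 prefix map applied in both directions at the site 2 firewall, so the reply packet is the exact mirror of the request, plus the route lookup behind the last caveat. The host addresses and the route table are constructed for the example.

```python
import ipaddress

# Constructed scenario from the reply: both sites use 192.168.0.0/16;
# site 1 addresses site 2 via 10.2.0.0/16, site 2 addresses site 1 via 10.1.0.0/16.
REAL = ipaddress.ip_network("192.168.0.0/16")
FAKE = {"site1": ipaddress.ip_network("10.1.0.0/16"),
        "site2": ipaddress.ip_network("10.2.0.0/16")}

def netmap(addr, src_net, dst_net):
    """1:1 prefix translation: keep the host bits, replace the network bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"{addr} outside {src_net} or prefix lengths differ")
    host = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host)

def inbound_nat(site, src, dst):
    """Firewall at `site`, packet arriving from the tunnel: DNAT the fake
    destination to the real host and SNAT the remote real source into the
    remote site's fake range, so the local host's reply routes back into the tunnel."""
    other = "site2" if site == "site1" else "site1"
    return (str(netmap(src, REAL, FAKE[other])), str(netmap(dst, FAKE[site], REAL)))

def outbound_nat(site, src, dst):
    """Same firewall, reply leaving toward the tunnel: undo both translations."""
    other = "site2" if site == "site1" else "site1"
    return (str(netmap(src, REAL, FAKE[site])), str(netmap(dst, FAKE[other], REAL)))

# Constructed routing table of the site 2 firewall; longest prefix wins.
# Note there is no route for site 2's own fake range 10.2.0.0/16.
ROUTES = {"0.0.0.0/0": "WAN", "192.168.0.0/16": "inside", "10.1.0.0/16": "tunnel"}

def egress_zone(dst, routes=ROUTES):
    """Zone chosen by the pre-NAT destination; this is what the NAT rule's
    destination-zone field has to match."""
    d = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in routes if d in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return routes[str(best)]

def ssh_round_trip():
    """Site 1 host 192.168.5.10 -> site 2 host 192.168.7.22, addressed as 10.2.7.22."""
    on_wire = ("192.168.5.10", "10.2.7.22")      # as sent into the tunnel by site 1
    at_host = inbound_nat("site2", *on_wire)     # what 192.168.7.22 actually sees
    reply = (at_host[1], at_host[0])             # host replies to the fake source
    back = outbound_nat("site2", *reply)         # leaving site 2 into the tunnel
    return at_host, back, egress_zone("10.2.7.22")
```

Without a static route for 10.2.0.0/16 the lookup lands on the default route, which is why the NAT rule has to name WAN as its destination zone.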
10-15-2023 01:16 PM
Hi
Yes, got that if I can NAT on both sides - if I can't, I want to do it all on one side. With a Linux box I can do it all on the Linux box.
Is it not possible with PA,
not even with vsys?