returning packet going back the way they came


L4 Transporter



I have a need to connect to a new site - they have overlapping IP address ranges.

I have agreed to renumber - all good. I want to set up an IPsec tunnel and I would like to SNAT all traffic from this new site.

So let's say that I am using 192.168.10-20.0/24 and the space is 192.168.240-250.0/24.

So it's going to take a while to get it all renumbered.

For this let's say I have - vlan 10 - vlan 11 - vlan 12 - vlan 13 - vlan 14

and I have added a second address range onto vlan14.

On the IPsec tunnel we are using .1 their end and .2 my end.

Let's say they have a device on their end that's trying to connect to my device 192.244.50 - let's say ssh.

Packet coming in on the IPsec tunnel comes in with source address of and I SNAT that to

.1 is the default gateway and the PA is .1

So the return packet goes 192.244.50 return to , the PA un-SNATs it back to . Now I want this packet to go back over the IPsec tunnel - can I use PBF, will that work?

Remember I also want packets from 192.244.50 to to not go out of the IPsec tunnel but out vlan 12.

On Linux I can do this: I can tag packet flows and route according to their tag - a quick read of PBF seems to suggest it might help. I set up PBF from the IPsec tunnel to 192.244.50 and tell it to use the same route back!!

Or I can set up a new vsys, hide all of the stuff there, do the SNAT there and then route between vsys...
How easy is it to convert a single setup on a 5220 to a multi-vsys setup!!! And how do I route between vsys - haven't found that easy.

Is doing a vsys the only way to do a VRF / private routing table??








Cyber Elite

With overlapping subnets at both sides you need NAT policies on both sides and different subnets in routing.

Site 1 -

Site 2 -

To access resources from site 1 to site 2 you need to use a fake IP, let's say

So you route into the tunnel towards site 2.

The firewall on the site 2 side applies DNAT >

To access resources from site 2 to site 1 you use a different fake IP, let's say

So you route into the tunnel from site 2 towards site 1.

The firewall on the site 1 side applies DNAT >

Pay attention that unless you add static routes for and towards the inside zones, they are routed to the WAN, so the NAT rules must have the WAN zone as destination for them to match.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
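The two-sided fake-IP scheme in this reply, modelled as an added Python example that is not part of the original thread or any Palo Alto configuration; the overlapping LAN, the two fake ranges and the `SiteFirewall` class are constructed for illustration, and the `static_route_to_tunnel` flag reproduces the routing caveat at the end of the reply.

```python
import ipaddress

# Constructed addressing: both sites use the same LAN, and each site is reached
# from the other through its own distinct fake range (the "fake IP" in the reply).
OVERLAP = ipaddress.ip_network("192.168.10.0/24")
SITE1_FAKE = ipaddress.ip_network("10.2.0.0/24")  # site 1 hosts as addressed from site 2
SITE2_FAKE = ipaddress.ip_network("10.1.0.0/24")  # site 2 hosts as addressed from site 1

def _map(ip, from_net, to_net):
    """1:1 static translation: keep the host offset, swap the network."""
    return str(to_net[int(ipaddress.ip_address(ip)) - int(from_net.network_address)])

class SiteFirewall:
    """Hypothetical model of one site's edge: static NAT both ways plus a route lookup."""
    def __init__(self, real_net, own_fake, peer_fake, static_route_to_tunnel=True):
        self.real, self.own_fake, self.peer_fake = real_net, own_fake, peer_fake
        self.static_route = static_route_to_tunnel  # the static route the reply warns about
    def egress_zone(self, dst):
        dst = ipaddress.ip_address(dst)
        if dst in self.real:
            return "lan"
        # Without the static route the peer's fake range follows the default route: WAN zone.
        return "vpn" if dst in self.peer_fake and self.static_route else "wan"
    def to_tunnel(self, src, dst):
        """Egress toward the peer: SNAT the local real source into this site's fake range."""
        zone = self.egress_zone(dst)
        if zone != "vpn":
            return zone, src, dst  # not tunnel traffic (or misrouted): left untranslated
        return zone, _map(src, self.real, self.own_fake), dst
    def from_tunnel(self, src, dst):
        """Ingress from the peer: DNAT own fake -> real. The source stays the peer's
        fake address, so the reply is routed back into the tunnel, not onto the LAN."""
        if ipaddress.ip_address(dst) not in self.own_fake:
            raise ValueError(f"{dst} is not in this site's fake range")
        return src, _map(dst, self.own_fake, self.real)

def round_trip(client_fw, server_fw, client_real, server_real):
    """Follow a request and its reply through both firewalls; return the packet at each hop."""
    server_fake = _map(server_real, server_fw.real, server_fw.own_fake)
    zone, s, d = client_fw.to_tunnel(client_real, server_fake)  # client side egress: SNAT
    wire = (s, d)
    s, d = server_fw.from_tunnel(s, d)                            # server side ingress: DNAT
    _, rs, rd = server_fw.to_tunnel(d, s)                         # reply egress: SNAT (symmetric)
    rs, rd = client_fw.from_tunnel(rs, rd)                        # reply ingress: DNAT
    return {"zone": zone, "wire": wire, "at_server": (s, d), "reply_at_client": (rs, rd)}

SITE1 = SiteFirewall(OVERLAP, SITE1_FAKE, SITE2_FAKE)
SITE2 = SiteFirewall(OVERLAP, SITE2_FAKE, SITE1_FAKE)
```

Because the translation is a fixed 1:1 mapping, the same two rules serve both directions and no per-flow state is needed; dropping the static route shows why the reply's return traffic would otherwise leave via the WAN zone.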



Yes, got that if I can NAT on both sides - if I can't, I want to do it all on one side. With a Linux box I can do it all on the Linux box.

Is it not possible with PA?

Not even with vsys?
