returning packet going back the way they came

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

returning packet going back the way they came

L4 Transporter

Hi

 

I have need to connect to a new site - they have over lapping IP address ranges.

I have agreed to re number - all good. want to setup a IPSEC tunnel and I would like to SNAT all traffic from this new site

 

so lets that I am using 192.168.10-20.0/24 and the space is 192.168.240-250.0/24

So its going to take a while to get it all renumbered

for this lets say I have

192.168.10.0 - vlan 10

192.168.11.0 - vlan 11

192.168.12.0 - vlan 12

192.168.13.0 - vlan 13

192.168.14.0 - vlan 14

 

and I have added a second address range onto vlan14

192.168.244.0 vlan14

on the ipsec tunnel we are using 10.0.0.0/30 .1 their end and .2 my end

 

lets say they have a device on their end 192.168.12.50 thats trying to connect to my device 192.244.50 - lets say ssh

packet coming in on the ipsec tunnel comes in s address of 192.168.12.50 and I snat that to 10.0.0.1

.1 is the default gateway and the PA is .1

so return packet goes 192.244.50 return to 10.0.0.1 , the pa un snat it back to 192.168.12.50, now I want this packet to go back over the ipsec tunnel - can I use PBF will that work

remember I also want packets from 192.244.50 to 192.168.12.50 to not go out of the ipsec tunnel but out vlan 12

On linux I can do this I can tag packet flows and route according to their tag - quick read of PBF seems to sugget is might help I set up PBF from the ipsec tunnel to 192.244.50 and tall it to use the same route back !!

 

Or I can setup a new vsys hide all of the stuff there and do the snat there and then route between vsys...
how easy is it to convert a single setup on a 5220 to a multi vsys setup !!! and how do I route between vsys - haven't found that easy.

 

is doing a vsys the only way to do a vrf / private routing table ??

 

 

 

 

 

 

2 REPLIES 2

Cyber Elite
Cyber Elite

With overlapping subnets at both sides you need NAT policies on both side and different subnet in routing.

 

Example

Site 1 - 192.168.0.0/16

Site 2 - 192.168.0.0/16

 

To access resources from site 1 to site 2 you need to use fake IP let's say 10.2.0.0/16

So you route 10.2.0.0/16 into tunnel towards site 2.

Firewall on site 2 side applies DNAT 10.2.0.0/16 > 192.168.0.0/16

 

To access resouces form site 2 to site 1 you use different fake IP let's say 10.1.0.0/16

So you route 10.1.0.0/16 into tunnel from site 2 towards site 1.

Firewall on site 1 side applies DNAT 10.1.0.0/16 > 192.168.0.0/16

 

Pay attention that unless you add static route for 10.1.0.0/16 and 10.2.0.0/16 towards inside zones they are routed to WAN so NAT rules must have WAN zone as destination for them to match.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi

 

Yes got that if I can nat on both side - if I can't I want to do it all on one side. with a linux box I can do it all on the linux box.

is it not possible with PA

not even with vsys

  • 801 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!