Routes between VPN tunnels

L4 Transporter

Currently on the Palo Alto firewall, there are 4 IPSEC VPN Tunnels.

The issue is the following: a subnet behind one tunnel, which we will call TUNEL-A01, must be able to reach a destination behind another tunnel, which we will call TUNEL-B01, with both tunnels terminating on the same Palo Alto. At the same time NAT must be applied: when the traffic arrives from TUNEL-A01, apply NAT to the source and send it on to the destination in TUNEL-B01.

Is this configuration supported by Palo Alto? That is, traffic between IPsec VPN tunnels plus SNAT toward the other tunnel.

I remain attentive, thank you very much

Cyber Elite

Since Palo Alto IPsec tunnels are route-based, you can do all the same things with them as with a regular interface.

As long as both spokes (remote sites) have a route leading into the tunnel for the desired destination IP, they will send the traffic into the tunnel.

If you then apply NAT in the middle, that will work as long as there are no conflicts (the same IP range used on both sides).

Is there overlap, or are you simply hiding the source subnet? Without overlap this is an easy setup (hide-NAT behind an IP on the hub).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite

Hello,

I use OSPF, very simple to setup and all the PAN's know all the routes. Then access is determined by security policies.

Regards,

L4 Transporter

[Attachment: Nat_SNAT_Palo_Alto_InterTunnelsIpsec.jpg]

I attach a summary; the detail is in the image. Thank you very much.

Hello, thanks for the answer. Friend, what do you mean by "no conflict on both sides"? Do you mean conflicts between the subnets? As I understand it, I only want, and must, apply the SNAT (source NAT) on the Palo Alto, and I will also apply a destination NAT for the connections sourced from 134.54.120.X/21.

I remain attentive, thank you


It's not just PAN; there are also Cisco ASA and Fortinet devices. While it's technically feasible to use OSPF, I only have control over, and visibility into, the PAN part. I attach a diagram.
Best regards and thank you

Hello,

Understood. Then static routes should suffice. What Reaper was saying about conflicts is the case of using the same IP range on both sides: say site A and site B both use 192.168.10.0/24. If they all have different subnets, then you don't have to worry about this.

Regards,


@OtakarKlier 

They are different subnets. The issue is that from the network 134.54.120.0/21 toward the destination 172.16.15.0/24 a DNAT is applied, using an IP from the loopback interfaces (123.55.58.X), this range being the source of the connections:
134.54.120.x ---- DNAT 123.55.58.x ---- DNAT ---- destination 172.16.15.X/24

I understand that the 172.16.15.0/24 site, the Fortinet, must have the return routes for routing and for the return traffic, i.e. the route to 134.54.120.0/21 and to 123.55.58.0/24 (the network used for the NAT, a loopback on the Palo Alto).
See the attached diagram, thank you very much.
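The thread's conclusion comes down to three checks on the hub and on the far spoke: the hub needs a route into the right tunnel for the destination, the hide-NAT address must not overlap anything on the far side (Reaper's "no conflicts" caveat), and the far spoke (the Fortinet behind TUNEL-B01) needs a return route for the NAT range, not just for the original source subnet. The following is an added example that is not part of the thread and is not Palo Alto or Fortinet code: it models those three decisions in Python, so you can see which route is missing before touching the firewalls. The subnets are the ones quoted in the thread; the interface names (tunnel.1, tunnel.2, loopback.1, hub-vpn, port1, wan), the NAT address 123.55.58.10 and the sample flow are constructed assumptions.

```python
"""Model of two route-based IPsec tunnels on one hub with hide-NAT between them.

Checks the three conditions the thread arrives at:
  1. the hub has a route into a tunnel for the destination,
  2. the NAT address does not overlap any subnet on the far side,
  3. the far spoke routes replies for the NAT address back into its tunnel to the hub.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


def _net(x):
    """Accept either an IPv4Network or a 'a.b.c.d/len' string."""
    return x if isinstance(x, IPv4Network) else ip_network(x)


def lookup(table, addr):
    """Longest-prefix match over a list of Route; returns the egress interface or None."""
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


@dataclass(frozen=True)
class HideNat:
    """Source NAT on the hub for flows arriving on one tunnel and leaving on another."""
    ingress: str
    egress: str
    src: IPv4Network
    dst: IPv4Network
    translated_src: IPv4Address


def hub_forward(hub_table, nat_rules, src, dst):
    """Hub decision: route lookup for both ends, then the first matching hide-NAT rule.
    Returns (ingress_if, egress_if, source address as the far spoke will see it)."""
    ingress = lookup(hub_table, src)   # tunnel the packet legitimately arrives on
    egress = lookup(hub_table, dst)
    if ingress is None or egress is None:
        raise LookupError(f"hub has no route for src={src} or dst={dst}")
    new_src = src
    for rule in nat_rules:
        if (rule.ingress, rule.egress) == (ingress, egress) and src in rule.src and dst in rule.dst:
            new_src = rule.translated_src
            break
    return ingress, egress, new_src


def conflicts(nat_pool, remote_subnets):
    """Reaper's caveat: the NAT range must not overlap any subnet on the far side."""
    pool = _net(nat_pool)
    return [str(n) for n in map(_net, remote_subnets) if n.overlaps(pool)]


def return_path_ok(spoke_table, nat_src, tunnel_if):
    """The far spoke must send replies for the NAT'd source back into its tunnel to the hub."""
    return lookup(spoke_table, nat_src) == tunnel_if


# --- constructed scenario using the subnets quoted in the thread -------------
SITE_A = ip_network("134.54.120.0/21")    # behind TUNEL-A01
SITE_B = ip_network("172.16.15.0/24")     # behind TUNEL-B01 (the Fortinet)
NAT_POOL = ip_network("123.55.58.0/24")   # loopback range on the Palo Alto

HUB_ROUTES = [
    Route(SITE_A, "tunnel.1"),            # TUNEL-A01 (assumed interface name)
    Route(SITE_B, "tunnel.2"),            # TUNEL-B01 (assumed interface name)
    Route(NAT_POOL, "loopback.1"),
]
HUB_NAT = [HideNat("tunnel.1", "tunnel.2", SITE_A, SITE_B, ip_address("123.55.58.10"))]

# Spoke B done right: the NAT range is routed into its tunnel to the hub.
SPOKE_B_GOOD = [Route(SITE_B, "port1"), Route(NAT_POOL, "hub-vpn"),
                Route(ip_network("0.0.0.0/0"), "wan")]
# Spoke B with only the original source subnet routed: replies to 123.55.58.x hit the default route.
SPOKE_B_BAD = [Route(SITE_B, "port1"), Route(SITE_A, "hub-vpn"),
               Route(ip_network("0.0.0.0/0"), "wan")]


def simulate(spoke_b_table, src="134.54.120.7", dst="172.16.15.20"):
    """End-to-end check for one flow; returns a dict of the decisions made."""
    ingress, egress, nat_src = hub_forward(HUB_ROUTES, HUB_NAT, ip_address(src), ip_address(dst))
    return {
        "ingress": ingress,
        "egress": egress,
        "nat_src": str(nat_src),
        "conflicts": conflicts(NAT_POOL, [SITE_B]),
        "return_ok": return_path_ok(spoke_b_table, nat_src, "hub-vpn"),
    }


if __name__ == "__main__":
    print(simulate(SPOKE_B_GOOD))
    print(simulate(SPOKE_B_BAD))
```

With the good spoke table the flow leaves the hub on tunnel.2 with source 123.55.58.10 and the reply comes back through hub-vpn; with the bad table the hub-side forwarding is identical but the reply is sent to the spoke's default route, which is exactly the "it goes out but never comes back" symptom a missing return route for the NAT range produces. Running `conflicts("192.168.10.0/24", ["192.168.10.0/24"])` reproduces the overlap case OtakarKlier describes.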