05-19-2021 04:40 PM
Currently there are 4 IPSEC VPN tunnels on the Palo Alto firewall.
The issue is the following: a subnet behind one tunnel, which we will call TUNEL-A01, must be able to reach a destination behind another tunnel, which we will call TUNEL-B01, both terminated on the Palo Alto, and at the same time NAT must be used/applied: when the traffic arrives from TUNEL-A01, apply NAT to the source and send it to the destination in TUNEL-B01.
Is this configuration supported by Palo Alto? Traffic between IPSEC VPN tunnels plus SNAT into another tunnel.
I remain attentive, thank you very much.
05-20-2021 12:32 AM
Since Palo ipsec tunnels are route-based, you can do all the same things as with a regular interface.
As long as both spokes (remote sites) have a route leading into the tunnel for the desired destination IP, they will send it into the tunnel.
If you then apply NAT in the middle, that will work as long as there are no conflicts (using the same IP on both sides).
Is there overlap, or are you simply hiding the source subnet? Without overlap this is an easy setup (hide-nat behind an IP on the hub).
05-20-2021 09:44 AM
Hello,
I use OSPF, very simple to set up, and all the PANs know all the routes. Then access is determined by security policies.
Regards,
05-20-2021 02:02 PM
Hello, thanks for the answer, friend. What do you mean by "both sides there is no conflict"? Do you mean conflicts in the subnets? As I understand it, I only want and must apply SNAT (Source NAT) on the Palo Alto, and I will also apply a Destination NAT for the source connections from 134.54.120.X/21.
I remain attentive, thank you.
05-20-2021 02:05 PM
It's not just PAN; there's also Cisco ASA and Fortinet. While it's technically feasible to use OSPF, I only have control of and visibility into the PAN part. I attach a diagram.
Best regards and thank you.
05-20-2021 02:08 PM
Hello,
Understood. Then static routes should suffice. What Reaper was saying about conflicts is "using the same IP on both sides": say site A and B both use 192.168.10.0/24. If they all have different subnets, then you don't have to worry about this.
Regards,
05-20-2021 02:20 PM
They are different subnets. The issue is that from the network 134.54.120.0/21 to the destination 172.16.15.0/24 a DNAT is applied, using an IP from the loopback interfaces (123.55.58.X), this range being the source of the connections.
134.54.120.x ---DNAT--- 123.55.58.x ---DNAT--- Destination 172.16.15.X/24.
I understand that the 172.16.15.0/24 network site, for the return traffic, must have the return routes, i.e. the route to 134.54.120.0/21 and the one for the NAT range 123.55.58.0/24.
Support with the diagram, thank you very much.
05-21-2021 05:53 PM
They are different subnets. The issue is that from the network 134.54.120.0/21 to the destination 172.16.15.0/24 a DNAT is applied, using an IP from the loopback interfaces (123.55.58.X), this range being the source of the connections.
134.54.120.x ---DNAT--- 123.55.58.x ---DNAT--- Destination 172.16.15.X/24.
I understand that the 172.16.15.0/24 network site, the Fortinet, for the routing and for the return traffic, must have the return routes, i.e. the route to 134.54.120.0/21 and to 123.55.58.0/24 (the network for the NAT, a loopback on the Palo Alto).
Support with the diagram, thank you very much.
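The two conditions raised in this thread (Reaper's point that route-based tunnels forward purely by the routing table, with NAT in the middle working only when the sites do not overlap, and the poster's realisation that the Fortinet side must hold a return route for the loopback NAT range) can be checked with a small model of the hub. The following Python is an added example written for this thread, not PAN-OS code or anything from the original posts: it performs longest-prefix lookups on a constructed hub routing table, hides the source behind the 123.55.58.0/24 pool, and then verifies that the remote site's table sends the translated source back into its tunnel. The interface names (tunnel.1, tunnel.2, loopback.1, ipsec_to_hub), the table contents and the pool-address mapping are assumptions.

```python
import ipaddress

# Constructed hub (Palo Alto) routing table: each spoke sits behind its own
# tunnel interface and the NAT pool is a loopback on the hub itself.
HUB_ROUTES = [
    ("134.54.120.0/21", "tunnel.1"),   # site A, behind TUNEL-A01 (assumed name)
    ("172.16.15.0/24", "tunnel.2"),    # site B (Fortinet), behind TUNEL-B01
    ("123.55.58.0/24", "loopback.1"),  # NAT pool, local to the hub
]

# Constructed hub NAT rule: A-to-B traffic is hidden behind the loopback range.
NAT_RULES = [
    {"src": "134.54.120.0/21", "dst": "172.16.15.0/24", "snat_pool": "123.55.58.0/24"},
]

# Constructed site B table: the NAT pool must point back into the tunnel,
# otherwise replies to the translated source never reach the hub.
SITE_B_ROUTES = [
    ("172.16.15.0/24", "lan"),
    ("123.55.58.0/24", "ipsec_to_hub"),
]


def lookup(routes, address):
    """Longest-prefix match over (prefix, interface) tuples; None if no route covers it."""
    ip = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def subnets_overlap(a, b):
    """Reaper's 'conflict' condition: two sites (or a site and the NAT pool) sharing address space."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def validate_sites(site_a, site_b, nat_pool):
    """Return a list of overlap problems; empty means NAT in the middle is unambiguous."""
    issues = []
    for x, y in ((site_a, site_b), (site_a, nat_pool), (site_b, nat_pool)):
        if subnets_overlap(x, y):
            issues.append(f"{x} overlaps {y}")
    return issues


def translate_source(src, pool):
    """Hide-NAT: map the source onto a pool host. The mapping (last octet modulo
    pool size) is an assumption chosen so the model is deterministic."""
    hosts = list(ipaddress.ip_network(pool).hosts())
    last_octet = ipaddress.ip_address(src).packed[-1]
    return str(hosts[last_octet % len(hosts)])


def hub_forward(src, dst, hub_routes=HUB_ROUTES, nat_rules=NAT_RULES):
    """Model the hub: ingress interface is approximated by the route back to the
    source, egress by the route to the destination, then SNAT if a rule matches."""
    ingress = lookup(hub_routes, src)
    egress = lookup(hub_routes, dst)
    src_on_wire = src
    for rule in nat_rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])):
            src_on_wire = translate_source(src, rule["snat_pool"])
            break
    return {"ingress": ingress, "egress": egress, "src_on_wire": src_on_wire}


def check_flow(src, dst, remote_routes=SITE_B_ROUTES, remote_tunnel="ipsec_to_hub"):
    """Forward the flow through the hub and confirm site B can route the reply
    (addressed to the translated source) back into its tunnel to the hub."""
    result = hub_forward(src, dst)
    result["return_route_present"] = lookup(remote_routes, result["src_on_wire"]) == remote_tunnel
    result["ok"] = (result["ingress"] is not None and result["egress"] is not None
                    and result["return_route_present"])
    return result


if __name__ == "__main__":
    print(validate_sites("134.54.120.0/21", "172.16.15.0/24", "123.55.58.0/24"))
    print(check_flow("134.54.120.5", "172.16.15.10"))
    # Same flow, but site B lacks the route for the NAT pool: replies are lost.
    print(check_flow("134.54.120.5", "172.16.15.10", remote_routes=[("172.16.15.0/24", "lan")]))
```

Running the module prints an empty issue list for the thread's three ranges, a flow entering on tunnel.1, leaving on tunnel.2 with source 123.55.58.6 and `ok` True, and then the same flow marked not ok once the 123.55.58.0/24 route is dropped from site B. The overlap check is the part worth keeping around: a hidden source saves site B from needing a route to 134.54.120.0/21, but it does nothing if site B's own LAN collides with the NAT pool.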