09-22-2020 06:40 AM
Hello,
I want to replace our existing firewall with a PA-850. With that I have a problem which I cannot get solved.
I have to route to an external network, which unfortunately uses the same subnet as ours.
Until now, I have used a small Linux VM, which uses DNAT to convert the addresses.
In principle the PA-850 should be able to do this with another virtual router and NAT rules. At least I hope so.
But I do not know exactly how to implement this.
The attached image should explain the problem:
With kind regards
09-22-2020 11:12 AM
Hi
Can you elaborate? I don't see any overlaps in the diagram.
09-22-2020 02:19 PM
The overlap that you have in the 192.168.0.0/16 network isn't something that can be fixed by using a second virtual router. The first routing lookup decision would work to force the 10.0.0.3 address to the correct zone. Once NAT is matched, the second routing lookup will take place and then send the traffic to the internal network.
If the 192.168.0.0/24 subnet is not used in your network, then you can just use a NAT on the firewall and a route to send it to the next hop.
If you are using 192.168.0.0/24 in your network, then this could be resolved by using a second virtual system, but the PA-850 does not support multiple virtual systems. A minimum of PA-3200 is needed to get the multi-vsys feature.
If you can perform a source NAT on the traffic prior to it being received on the PA-850 (Linux VM with DNAT), then you would use a PBF rule for the source of the Linux VM to the destination of the 192.168.0.3 server, to use the next hop of 192.168.99.252. The Linux VM just needs to be able to route that traffic to the PA-850 for that address/subnet.
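The two routing lookups described in this answer (one before NAT to pick the destination zone, one after NAT to pick the egress interface) are the part that trips people up with overlapping ranges. The following is an added example that models that sequence in plain Python; it is not PAN-OS code, not the poster's configuration, and not affiliated with Palo Alto Networks. The addresses (192.168.100.15/16 LAN, 192.168.99.1/24 transit with next hop 192.168.99.252, alias 10.0.0.3 translated to 192.168.0.3) come from the thread; the zone names `inside`/`partner`, interface names `ethernet1/1`/`ethernet1/3`, the virtual-router names, and the `10.0.0.3/32` route used to steer the pre-NAT lookup are assumptions. It shows why the /24 route toward the second virtual router is what rescues the post-NAT lookup from the connected /16, and what happens when that route is missing.

```python
"""Model of a two-stage route lookup around a destination NAT.

Added example, not PAN-OS code. Zone, interface and virtual-router names
are assumptions; addresses are taken from the forum thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None   # egress interface (None for next-vr routes)
    next_hop: Optional[str] = None    # next-hop IP; None means directly connected
    next_vr: Optional[str] = None     # hand the lookup to another virtual router


@dataclass
class NatRule:
    orig_dst: ipaddress.IPv4Address
    translated_dst: ipaddress.IPv4Address


# Assumed zone mapping for the two interfaces used in the thread.
ZONE_OF_INTERFACE = {"ethernet1/1": "inside", "ethernet1/3": "partner"}


def lookup(vrs: Dict[str, List[Route]], vr_name: str, dst: ipaddress.IPv4Address,
           hops: int = 0) -> Optional[Route]:
    """Longest-prefix match inside one virtual router, following next-vr handoffs."""
    if hops > 4:
        raise RuntimeError("routing loop between virtual routers")
    best = None
    for r in vrs[vr_name]:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        return None
    if best.next_vr:
        return lookup(vrs, best.next_vr, dst, hops + 1)
    return best


def forward(vrs: Dict[str, List[Route]], nat_rules: List[NatRule],
            ingress_vr: str, dst_ip: str) -> dict:
    """Pre-NAT lookup (zone for policy), NAT match, then post-NAT lookup (egress)."""
    dst = ipaddress.IPv4Address(dst_ip)
    pre = lookup(vrs, ingress_vr, dst)
    translated = dst
    for rule in nat_rules:
        if rule.orig_dst == dst:
            translated = rule.translated_dst
            break
    post = lookup(vrs, ingress_vr, translated)
    return {
        "pre_nat_zone": ZONE_OF_INTERFACE.get(pre.interface) if pre else None,
        "translated_dst": str(translated),
        "egress_interface": post.interface if post else None,
        "egress_zone": ZONE_OF_INTERFACE.get(post.interface) if post else None,
        "next_hop": post.next_hop if post else None,
    }


def build_vrs(with_partner_route: bool = True) -> Dict[str, List[Route]]:
    """Two virtual routers: the default one holds the /16 LAN, the second one
    holds the 192.168.99.0/24 transit link that cannot coexist with the /16."""
    default_vr = [
        Route(ipaddress.IPv4Network("192.168.0.0/16"), interface="ethernet1/1"),  # 192.168.100.15/16
        Route(ipaddress.IPv4Network("10.0.0.3/32"), next_vr="partner-vr"),        # assumed alias route
    ]
    if with_partner_route:
        # The /24 toward the partner VR; longest prefix beats the connected /16.
        default_vr.append(Route(ipaddress.IPv4Network("192.168.0.0/24"), next_vr="partner-vr"))
    partner_vr = [
        Route(ipaddress.IPv4Network("192.168.99.0/24"), interface="ethernet1/3"),  # 192.168.99.1/24
        Route(ipaddress.IPv4Network("192.168.0.0/24"), interface="ethernet1/3", next_hop="192.168.99.252"),
        Route(ipaddress.IPv4Network("10.0.0.3/32"), interface="ethernet1/3", next_hop="192.168.99.252"),
    ]
    return {"default": default_vr, "partner-vr": partner_vr}


# Destination NAT from the thread: internal hosts talk to 10.0.0.3, the real server is 192.168.0.3.
NAT_RULES = [NatRule(ipaddress.IPv4Address("10.0.0.3"), ipaddress.IPv4Address("192.168.0.3"))]


if __name__ == "__main__":
    print("with /24 route   :", forward(build_vrs(True), NAT_RULES, "default", "10.0.0.3"))
    print("without /24 route:", forward(build_vrs(False), NAT_RULES, "default", "10.0.0.3"))
```

Without the 192.168.0.0/24 route in the default virtual router, the post-NAT lookup for 192.168.0.3 falls back to the connected /16 and the packet is sent out the inside interface, which is the failure the answer warns about. With the route present, the longer prefix wins and the packet leaves toward 192.168.99.252. The model also makes clear why a second virtual router cannot help if 192.168.0.0/24 is in use internally: the post-NAT lookup has only one destination address to work with, and both candidate routes would want it.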
09-22-2020 11:58 PM
Hello and thanks for your answer.
You have put me in the right direction.
Luckily we don't use the 192.168.0.0/24 range in our /16 subnet.
So I was able to solve the problem via NAT and route without another Linux VM.
But for the solution I needed another virtual router. I can't bind the 192.168.99.1 interface to the default router because its subnet is already bound to the 192.168.100.15/16 interface.
The following picture should explain my solution:
Thanks a lot!