Setting Up Double NAT over a site-to-site VPN



L0 Member

Hi,

I've been trying to read up on whether it is possible to set up what Cisco would call "Twice NAT" on Palo Alto, and while there seems to be a lot out there for really odd fringe cases, I'm struggling to find anything on what I think would be a really common scenario. So hopefully someone can help.

We currently have 2 organizations that need to share information over a site-to-site VPN tunnel; however, there is a shared address space between the 2 networks, for the sake of argument let's say it is 192.168.0.0/16. So the shared network would need to be static NAT'd, which at a basic level seems easy enough, but then comes the complication.

I want to Twice NAT the connection on our side so that we have full administrative control of the NAT without having to co-ordinate with the other company, beyond setting up the initial VPN tunnel.

So the question is, can I set up the NAT on our Palo so that it translates from source 192.168.0.0/16 to a source NAT non-shared address space like 10.99.0.0/16, and to a destination NAT non-shared address space such as 10.109.0.0/16, and then send the traffic over the VPN to the destination 192.168.0.0/16 address space? And of course have the traffic flow back the other way.

I know there will be people who ask why you would want to do that, just configure the NAT on each side of the VPN; and I don't 100% disagree with you. I'm just trying to get an idea of 1) Is it even possible? 2) Even if it's possible, would it be even remotely reliable? 3) If it can be done, what are the settings and policies you'd need to make it work?

Thanks,

Ben.
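A worked model of the twice NAT asked for above, added here as an example and not part of the original post or of any Palo Alto documentation. It simulates two mirror-image NAT rules on the single firewall: trust-to-vpn translates source 192.168.0.0/16 to 10.99.0.0/16 and destination 10.109.0.0/16 to 192.168.0.0/16; vpn-to-trust does the reverse. The zone names "trust" and "vpn", and the assumption that a static 1:1 translation between two equal-length prefixes keeps the host part (192.168.1.10 becomes 10.99.1.10), are this example's, not the thread's. The point the code makes is that the rules must be keyed on zone, because 192.168.x.y alone does not say which organisation a host belongs to.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes from the post. 192.168.0.0/16 is in use on BOTH sides, so the
# firewall cannot tell "our" 192.168.x.y from "their" 192.168.x.y by address
# alone; every rule below is keyed on the zone as well as the addresses.
SHARED = ipaddress.ip_network("192.168.0.0/16")
OUR_HOSTS_AS_SEEN_REMOTELY = ipaddress.ip_network("10.99.0.0/16")    # our side after source NAT
THEIR_HOSTS_AS_SEEN_LOCALLY = ipaddress.ip_network("10.109.0.0/16")  # what our users dial to reach them

TRUST = "trust"  # assumed zone name for our LAN interface
VPN = "vpn"      # assumed zone name for the tunnel interface


@dataclass(frozen=True)
class Packet:
    zone: str                    # ingress zone before NAT, egress zone after
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def packet(zone, src, dst):
    """Convenience constructor taking dotted-quad strings."""
    return Packet(zone, ipaddress.ip_address(src), ipaddress.ip_address(dst))


def netmap(addr, from_net, to_net):
    """1:1 static translation that keeps the host part (192.168.1.10 -> 10.99.1.10).
    Assumed to be what a static-ip translation between equal-length prefixes does."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static 1:1 mapping needs equal-length prefixes")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


# The two NAT rules as (from-zone, to-zone, original src/dst, translated src/dst).
# Rule 2 is the exact mirror of rule 1, so a session may be opened from either side.
RULES = [
    # 1: trust -> vpn. Our host talks to 10.109.x.y; the tunnel carries 10.99 -> 192.168.
    dict(from_zone=TRUST, to_zone=VPN,
         orig_src=SHARED, orig_dst=THEIR_HOSTS_AS_SEEN_LOCALLY,
         xlat_src=OUR_HOSTS_AS_SEEN_REMOTELY, xlat_dst=SHARED),
    # 2: vpn -> trust. Their host talks to 10.99.x.y; our LAN sees 10.109 -> 192.168.
    dict(from_zone=VPN, to_zone=TRUST,
         orig_src=SHARED, orig_dst=OUR_HOSTS_AS_SEEN_REMOTELY,
         xlat_src=THEIR_HOSTS_AS_SEEN_LOCALLY, xlat_dst=SHARED),
]


def twice_nat(pkt):
    """Return the packet as it leaves the firewall, or None if no rule matches.
    First matching rule wins, as in a top-down NAT rulebase."""
    for r in RULES:
        if pkt.zone == r["from_zone"] and pkt.src in r["orig_src"] and pkt.dst in r["orig_dst"]:
            return Packet(r["to_zone"],
                          netmap(pkt.src, r["orig_src"], r["xlat_src"]),
                          netmap(pkt.dst, r["orig_dst"], r["xlat_dst"]))
    return None


def reply_to(pkt):
    """The reply a host would send to `pkt`: addresses swapped, same zone."""
    return Packet(pkt.zone, pkt.dst, pkt.src)


def round_trip_is_consistent(pkt):
    """Translate a packet, let the far host reply, translate the reply, and check it
    lands exactly on the reply the originating host expects. The real firewall un-NATs
    replies from session state; this shows the mirror rule gives the same answer, which
    is what lets either organisation initiate connections."""
    fwd = twice_nat(pkt)
    if fwd is None:
        return False
    return twice_nat(reply_to(fwd)) == reply_to(pkt)


if __name__ == "__main__":
    out = twice_nat(packet(TRUST, "192.168.1.10", "10.109.5.20"))
    print("into tunnel:", out.src, "->", out.dst)     # 10.99.1.10 -> 192.168.5.20
    back = twice_nat(packet(VPN, "192.168.5.20", "10.99.1.10"))
    print("to our LAN :", back.src, "->", back.dst)   # 10.109.5.20 -> 192.168.1.10
    # A 192.168 destination is never translated: our users must address the
    # remote organisation as 10.109.x.y.
    print("no NAT     :", twice_nat(packet(TRUST, "192.168.1.10", "192.168.5.20")))
```

Three things the simulation cannot check but a practitioner would verify on the box: the route for 10.109.0.0/16 has to point at the tunnel interface, since the egress zone that rule 1 matches on is derived from a route lookup on the original (pre-NAT) destination; the security policy is written with the original addresses and the post-NAT zones; and, on the assumption that NAT happens before the packet is encapsulated, a policy-based peer's proxy ID must describe the post-NAT traffic (our local 10.99.0.0/16 to their 192.168.0.0/16), with 10.109.0.0/16 never appearing inside the tunnel at all.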

3 REPLIES

Cyber Elite

Hello,

Yes, they are called overlapping subnets:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSGCA0

If both devices are Palo Alto, you shouldn't need the proxy ID part.

Regards,

Hi OtakarKlier,

I had seen that article, but it doesn't really help with the question. It says you can solve the problem with NAT, which I already know, but it doesn't go into any detail about what those NAT rules will need to look like. It's also doing NAT on each firewall and my requirement is to do twice NAT (or double NAT) on our firewall only.

It also talks about proxy IDs, which I think I will need because only our firewall will be Palo Alto, but I've not really seen any good articles that explain what Proxy IDs are for, and why you might need them.

Thanks.

Cyber Elite

Hello,

Only the Palo Alto at the customer site needs to do the NAT from the 10.99.0.0/16 to the 192.168.0.0/16 site. The NAT would depend on the direction of traffic, i.e. where it is sourced. Let's say it's all sourced from the customer site, 192.168, etc.; then you just need to set up a NAT on the local firewall like you would to the internet, Many-to-One, Hide NAT, Source NAT: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

Then on the far-side firewall, to get to the internet, you would do the same thing but with the 10.99 subnet to NAT out.

Hope that makes sense.
