Source NAT on a IPSec VPN tunnel due to overlapping IP space.

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L2 Linker

Source NAT on a IPSec VPN tunnel due to overlapping IP space.

Folks,

 

Our team has been tasked to work on a VPN tunnel from a customer premises to our corporate DC. 

The access would be unidirectional with the Customer accessing on-prem resources.

 

The first challenge is that we have overlapping IP addresses at the customers end.

 

Our team wants to use some NAT policies which will act like a 1:1 policy. i.e. we want to avoid a interface based NAT.

There should be some way of identifying the IP address individually on the IPS behind the VPN Palo Alto firewall.

Any suggestions?

 

VPN tunnel.jpg

 

 

Thanks!!

N.


Accepted Solutions
Highlighted
L4 Transporter

I would think you could do with a Dynamic IP NAT to achieve the 1:1 NAT you're wanting (see https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-... ).  However, I think if you're doing this on the corporate side, you're going to have a problem with conflicting routes (10.10.10.0/24 is both down the tunnel, and on the LAN).  If you could do this at the customer side before it crosses the tunnel, that might be better.

EDIT:  Actually, the more I think about it, that's going to cause the same problem on the other side then.  Maybe you'll have to NAT both directions with two different pools that don't conflict with the 10.10.10.0/24 address.  Maybe you translate 10.10.11.0/24 to 10.10.10.0/24 on the corp side, and you translate 10.10.12.0/24 to 10.10.10.0/24 on the client side or something like that.

View solution in original post


All Replies
Highlighted
L4 Transporter

I would think you could do with a Dynamic IP NAT to achieve the 1:1 NAT you're wanting (see https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-... ).  However, I think if you're doing this on the corporate side, you're going to have a problem with conflicting routes (10.10.10.0/24 is both down the tunnel, and on the LAN).  If you could do this at the customer side before it crosses the tunnel, that might be better.

EDIT:  Actually, the more I think about it, that's going to cause the same problem on the other side then.  Maybe you'll have to NAT both directions with two different pools that don't conflict with the 10.10.10.0/24 address.  Maybe you translate 10.10.11.0/24 to 10.10.10.0/24 on the corp side, and you translate 10.10.12.0/24 to 10.10.10.0/24 on the client side or something like that.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!