This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Source NAT on a IPSec VPN tunnel due to overlapping IP space.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Source NAT on a IPSec VPN tunnel due to overlapping IP space.

Go to solution
nson2139
L3 Networker

‎06-16-2020 12:41 AM

Folks,

 

Our team has been tasked to work on a VPN tunnel from a customer premises to our corporate DC. 

The access would be unidirectional with the Customer accessing on-prem resources.

 

The first challenge is that we have overlapping IP addresses at the customers end.

 

Our team wants to use some NAT policies which will act like a 1:1 policy. i.e. we want to avoid a interface based NAT.

There should be some way of identifying the IP address individually on the IPS behind the VPN Palo Alto firewall.

Any suggestions?

 

VPN tunnel.jpg

 

 

Thanks!!

N.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OwenFuller
L4 Transporter

‎06-16-2020 11:14 AM - edited ‎06-16-2020 11:19 AM

I would think you could do with a Dynamic IP NAT to achieve the 1:1 NAT you're wanting (see https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-... ).  However, I think if you're doing this on the corporate side, you're going to have a problem with conflicting routes (10.10.10.0/24 is both down the tunnel, and on the LAN).  If you could do this at the customer side before it crosses the tunnel, that might be better.

EDIT:  Actually, the more I think about it, that's going to cause the same problem on the other side then.  Maybe you'll have to NAT both directions with two different pools that don't conflict with the 10.10.10.0/24 address.  Maybe you translate 10.10.11.0/24 to 10.10.10.0/24 on the corp side, and you translate 10.10.12.0/24 to 10.10.10.0/24 on the client side or something like that.

View solution in original post

0 Likes Likes
(1)
1 REPLY 1

Go to solution
OwenFuller
L4 Transporter

‎06-16-2020 11:14 AM - edited ‎06-16-2020 11:19 AM

I would think you could do with a Dynamic IP NAT to achieve the 1:1 NAT you're wanting (see https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-... ).  However, I think if you're doing this on the corporate side, you're going to have a problem with conflicting routes (10.10.10.0/24 is both down the tunnel, and on the LAN).  If you could do this at the customer side before it crosses the tunnel, that might be better.

EDIT:  Actually, the more I think about it, that's going to cause the same problem on the other side then.  Maybe you'll have to NAT both directions with two different pools that don't conflict with the 10.10.10.0/24 address.  Maybe you translate 10.10.11.0/24 to 10.10.10.0/24 on the corp side, and you translate 10.10.12.0/24 to 10.10.10.0/24 on the client side or something like that.

0 Likes Likes
(1)
  • 1 accepted solution
  • 8019 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks