Our team has been tasked to work on a VPN tunnel from a customer premises to our corporate DC.
The access would be unidirectional with the Customer accessing on-prem resources.
The first challenge is that we have overlapping IP addresses at the customers end.
Our team wants to use some NAT policies which will act like a 1:1 policy. i.e. we want to avoid a interface based NAT.
There should be some way of identifying the IP address individually on the IPS behind the VPN Palo Alto firewall.
I would think you could do with a Dynamic IP NAT to achieve the 1:1 NAT you're wanting (see https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-... ). However, I think if you're doing this on the corporate side, you're going to have a problem with conflicting routes (10.10.10.0/24 is both down the tunnel, and on the LAN). If you could do this at the customer side before it crosses the tunnel, that might be better.
EDIT: Actually, the more I think about it, that's going to cause the same problem on the other side then. Maybe you'll have to NAT both directions with two different pools that don't conflict with the 10.10.10.0/24 address. Maybe you translate 10.10.11.0/24 to 10.10.10.0/24 on the corp side, and you translate 10.10.12.0/24 to 10.10.10.0/24 on the client side or something like that.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!