This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Special NAT configuration. Asking about possibility

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Special NAT configuration. Asking about possibility

Go to solution
jeremylo
L3 Networker

‎03-05-2021 12:16 AM - edited ‎03-05-2021 12:17 AM

I have a working Hub & Spoke VPN network. Computers in Spoke1 can reach the computers in Spoke2 and vice versa. 

For some reason, a particular device in Spoke2 with IP 172.16.200.62 can only be reached by the computers in the same subnet. 

I want to know is it possible to assign a 172.16.200.x IP address to the computers in Spoke1 when they attempt to connect to that special device. I'm not sure this will achieve my target or not, but at least I can learn a new NAT technique if such configuration does exist.

 

The 3 firewalls below are PA-820.

 

HubAndSpoke.jpg

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Pawel_G
L1 Bithead

‎03-05-2021 11:02 AM

Hello,

 

Simple fix for this is by creating a NAT rule

Nat from Spoke1 to Spoke2 -

Source Zone - Tunnel Interface Spoke1

Source IP Address - 192.168.100.0/24

Destination Zone  - Tunnel Interface Spoke2

Destination Address - 172.16.200.0/24

Source Translation - Dynamic IP and Port

Translated IP - 172.16.200.100

 

I hope this will help

 

 

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
JoergSchuetter
L4 Transporter

‎03-05-2021 12:42 AM

Hello @jeremylo 

Why don't you apply a source NAT on Spoke 2 (hiding all requests to 172.16.200.62 behind the firewall interface 172.16.200.x)?

0 Likes Likes

Go to solution
Pawel_G
L1 Bithead

‎03-05-2021 11:02 AM

Hello,

 

Simple fix for this is by creating a NAT rule

Nat from Spoke1 to Spoke2 -

Source Zone - Tunnel Interface Spoke1

Source IP Address - 192.168.100.0/24

Destination Zone  - Tunnel Interface Spoke2

Destination Address - 172.16.200.0/24

Source Translation - Dynamic IP and Port

Translated IP - 172.16.200.100

 

I hope this will help

 

 

0 Likes Likes

Go to solution
jeremylo
L3 Networker
In response to Pawel_G

‎03-07-2021 05:56 PM - edited ‎03-07-2021 06:00 PM

Bingo! It works!

Thanks Pawel.

0 Likes Likes

Go to solution
jeremylo
L3 Networker
In response to JoergSchuetter

‎03-07-2021 05:59 PM

Hello Joerg,

This is a solution too. However, I also want to keep track of which computer in Spoke1 have connected to Spoke2.

0 Likes Likes
  • 1 accepted solution
  • 2997 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks