04-24-2024 06:25 AM
Hello
I would like your support with the NAT configuration for both scenarios.
Scenario1
Our customer has requested an IPsec tunnel between us (mycompany) and the customer. Our users need to reach web servers hosted on the customer site via the IPsec VPN. I want to hide the real IP of our users with a dedicated NAT IP or NAT address, and I want to NAT the 2 remote web server IPs given by the customer with 2 IPs on a dedicated NAT IP, to avoid publishing their real IPs internally and to avoid an IP clash between them and us. How can I configure our Palo Alto for that?
Scenario2
It's the same as scenario 1, but I communicate the 2 real web server IPs to the users and just configure NAT to hide our real IP with a dedicated NAT network. In this case, the IP that requests the web server is not the real IP of the user but a NAT IP. How can I configure this?
BR
04-24-2024 10:21 PM
Hello!
The best option to avoid a subnet overlapping is:
I hope this information helps!
Johnny Fernandez
PCNSE | CCNP | JNCIP
04-24-2024 11:16 PM
Hello
Thank you for your answer. My customer sent me the IPs of the 2 web servers: 192.168.10.10 & 192.168.10.11. My users are connected on our internal network 10.30.22.10/24.
Based on your recommendation to create a source NAT and a destination NAT, can I dedicate and use the same NAT subnet for both NATs (NAT subnet: 10.100.10.0/28), use 10.100.10.1 as the NAT IP of webserver1 (192.168.10.10) and 10.100.10.2 as the NAT IP of webserver2 (192.168.10.11), and configure 10.100.10.0/28 as the source NAT to hide our real IP? Or do I need to define 2 separate networks: 1 for source NAT and 1 for destination NAT?
BR
04-28-2024 11:46 PM
Hello
Regarding your post, do I need to create 2 rules, one for source NAT and one for destination NAT, or is it possible to create the source NAT and destination NAT in the same NAT rule?
BR
04-29-2024 12:40 PM
Correct, this kind of rule is known as 'double NAT', since we translate source and destination in a single step.
Since the customer has a couple of servers, I advise you to create separate rules to allow scalability and availability and to avoid interruptions in case the customer needs to remove one of those hosts.
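The double NAT plan discussed in this thread, modelled as an added example (not part of the original posts and not PAN-OS configuration): one rule per web server, each rewriting source and destination in a single step, with a check that the NAT addresses stay clear of the user network. The rule names and the source-NAT address 10.100.10.14 are assumptions; using one /28 for both translations is taken from the question, not confirmed in the replies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

USERS = ip_network("10.30.22.0/24")        # internal user network from the thread
NAT_SUBNET = ip_network("10.100.10.0/28")  # NAT subnet proposed in the thread
SNAT_IP = "10.100.10.14"                   # assumption: source-NAT address picked from that /28

@dataclass(frozen=True)
class DoubleNatRule:
    name: str            # hypothetical rule name
    dst_match: str       # NAT address the users connect to
    src_translated: str  # address the customer sees instead of the user
    dst_translated: str  # real web server address behind the tunnel

# One rule per server, so either can be removed without touching the other.
RULES = [
    DoubleNatRule("web1", "10.100.10.1", SNAT_IP, "192.168.10.10"),
    DoubleNatRule("web2", "10.100.10.2", SNAT_IP, "192.168.10.11"),
]

def translate(rules, src, dst):
    """First matching rule rewrites source and destination in one step."""
    if ip_address(src) not in USERS:
        return None
    for rule in rules:
        if ip_address(dst) == ip_address(rule.dst_match):
            return rule.name, rule.src_translated, rule.dst_translated
    return None  # no NAT rule matched: the packet is not translated

def plan_errors(rules):
    """Check that every NAT address sits in the NAT subnet and cannot clash with users."""
    errors = []
    if NAT_SUBNET.overlaps(USERS):
        errors.append("NAT subnet overlaps the user network")
    for rule in rules:
        for label, addr in (("dst_match", rule.dst_match), ("src_translated", rule.src_translated)):
            if ip_address(addr) not in NAT_SUBNET:
                errors.append(f"{rule.name}: {label} {addr} is outside {NAT_SUBNET}")
    return errors

if __name__ == "__main__":
    print(plan_errors(RULES))
    print(translate(RULES, "10.30.22.10", "10.100.10.1"))
    print(translate(RULES[1:], "10.30.22.10", "10.100.10.1"))  # web1 rule removed
    print(translate(RULES[1:], "10.30.22.10", "10.100.10.2"))  # web2 unaffected
```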