Routing – Twice NAT’ing and overlapping subnets

firewall; nat; palo-alto; routing

I believe I know the answer to my dilemma, but wanted to pick the NetworkStackExchange community brain.

We currently perform Twice NAT'ing for an affiliate we have a peer exchange point with, using a Palo Alto security device; their device is a straight leg into a router. We do Twice NAT'ing to make it easier for them to distribute a single routable subnet within their network to reach our network and vice versa. The issue of overlapping subnets is coming up, and we are currently having issues with it because we are using a single security device to perform the NAT'ing. I believe the issue is because the security device makes its routing decision pre-NAT, based on the documentation found in Palo Alto's Understanding and Configuring NAT.

My question is: is the only way around overlapping IPs to do source NAT'ing for each side on two devices?

[network diagram]

Thank you,

So if I initiate an ICMP ping like the depiction below, I see the echo reply being routed back out the same interface it came in on.

Best Answer

I recommend printing page 4 of this document because it's a handy tool for troubleshooting.

About packet flow in Palo Alto, check this graph.

In your case, the points of interest can be summarized as:

  • PBF is checked.
  • Routing table lookup.
  • DST Nat rule checked.
  • Routing table lookup.
  • SRC Nat rule checked.
  • Security policy checked.

My question is: is the only way around overlapping IPs to do source NAT'ing for each side on two devices?

We would have to understand your network to propose a different approach. Maybe you could get the same results with PBF.

Anyway, I think NAT is the best approach. In these cases, I always use a 2-rule NAT on one of the peers (or a reflexive policy in older PAN-OS versions). What's the problem with using NAT?

Edit 1:

I thought you just had overlapping networks on both sides but only one network wanted to communicate with the other peer. The real scenario is that you have overlap and you want communication between the two overlapping networks. This is a problem related to IP and not Palo Alto at all.

In this particular scenario I can't imagine any other solution than tweaking the destination IP and doing NAT on the Palo Alto device. Or obviously, you can always change the IP addressing on one of the 2 overlapping networks :).
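The packet-flow order listed in the answer (PBF, route lookup, destination NAT, second route lookup, source NAT, security policy) is what decides whether a twice-NAT'ed packet ever reaches the peer. The following is an added illustration, not PAN-OS code and not part of the question or answer: a small Python model of that order, run against constructed addresses. It assumes both sites really use 10.1.0.0/24, that our LAN is presented to the affiliate as 172.16.1.0/24 and the affiliate's LAN is presented to us as 172.16.2.0/24 (both prefixes and the zone names "inside" and "peer" are invented for the example). It shows the hairpin from the question with no NAT, the same hairpin when a single box translates the destination back into the overlapping 10.1.0.0/24 (the second route lookup sends it to "inside"), and the working 2-rule NAT where the translated destination stays in a prefix routed toward the peer.

```python
"""Model of the NAT/route order from the answer. Added example; addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    name: str
    from_zone: str
    match_src: Net
    match_dst: Net
    src_xlate: Optional[Net] = None  # static 1:1 translated source prefix
    dst_xlate: Optional[Net] = None  # static 1:1 translated destination prefix


@dataclass
class Verdict:
    src: str
    dst: str
    pre_nat_zone: Optional[str]
    egress_zone: Optional[str]
    forwarded: bool
    note: str


def route_lookup(routes: List[Tuple[Net, str]], ip: IPv4) -> Optional[str]:
    """Longest-prefix match over (network, zone) pairs."""
    best = None
    for net, zone in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def xlate(ip: IPv4, match: Net, target: Net) -> IPv4:
    """Static 1:1 prefix translation: keep the host bits, swap the prefix."""
    if match.prefixlen != target.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    return IPv4(int(target.network_address) + (int(ip) - int(match.network_address)))


def process(routes, rules, ingress: str, src: str, dst: str) -> Verdict:
    src, dst = IPv4(src), IPv4(dst)
    # 1. PBF checked: this model has no PBF rules.
    # 2. Route lookup on the ORIGINAL destination (picks the pre-NAT destination zone).
    pre_zone = route_lookup(routes, dst)
    # 3. Destination NAT rule matched on the original addresses and ingress zone.
    rule = next((r for r in rules if r.from_zone == ingress
                 and src in r.match_src and dst in r.match_dst), None)
    if rule and rule.dst_xlate:
        dst = xlate(dst, rule.match_dst, rule.dst_xlate)
    # 4. Route lookup again on the TRANSLATED destination: this one decides egress.
    egress = route_lookup(routes, dst)
    # 5. Source NAT applied.
    if rule and rule.src_xlate:
        src = xlate(src, rule.match_src, rule.src_xlate)
    # 6. Security policy: egress back into the ingress zone is the symptom from the
    #    question (reply "routed back out the same interface it came in on").
    if egress is None:
        return Verdict(str(src), str(dst), pre_zone, egress, False, "no route")
    if egress == ingress:
        return Verdict(str(src), str(dst), pre_zone, egress, False, "hairpin back to ingress zone")
    return Verdict(str(src), str(dst), pre_zone, egress, True, "forwarded")


# Constructed routing table of the single Palo Alto in the example.
ROUTES = [
    (Net("10.1.0.0/24"), "inside"),    # our real LAN (same prefix the affiliate uses)
    (Net("172.16.1.0/24"), "inside"),  # how the affiliate addresses our LAN
    (Net("172.16.2.0/24"), "peer"),    # how we address the affiliate's LAN
]

# (a) Naive: one box translates our view of the affiliate back into 10.1.0.0/24.
NAIVE = [NatRule("to-peer-naive", "inside", Net("10.1.0.0/24"), Net("172.16.2.0/24"),
                 src_xlate=Net("172.16.1.0/24"), dst_xlate=Net("10.1.0.0/24"))]

# (b) Two rules, one per direction; the affiliate is already reachable as 172.16.2.0/24.
TWO_RULE = [
    NatRule("to-peer", "inside", Net("10.1.0.0/24"), Net("172.16.2.0/24"),
            src_xlate=Net("172.16.1.0/24")),
    NatRule("from-peer", "peer", Net("172.16.2.0/24"), Net("172.16.1.0/24"),
            dst_xlate=Net("10.1.0.0/24")),
]


def scenarios():
    return {
        "no_nat": process(ROUTES, [], "inside", "10.1.0.5", "10.1.0.9"),
        "naive_twice_nat": process(ROUTES, NAIVE, "inside", "10.1.0.5", "172.16.2.9"),
        "two_rule_out": process(ROUTES, TWO_RULE, "inside", "10.1.0.5", "172.16.2.9"),
        "two_rule_back": process(ROUTES, TWO_RULE, "peer", "172.16.2.9", "172.16.1.5"),
    }


if __name__ == "__main__":
    for name, v in scenarios().items():
        print(f"{name:16} {v.src:>12} -> {v.dst:<12} pre-NAT zone={str(v.pre_nat_zone):<7} "
              f"egress={v.egress_zone}  {v.note}")
```

The naive case fails for the reason the asker suspected: after destination NAT the second lookup sees 10.1.0.9, and 10.1.0.0/24 routes to the local LAN, so the packet never leaves toward the peer. The two-rule case only works because the post-NAT destination (172.16.2.9 outbound, 10.1.0.5 inbound) lands in a prefix routed to the intended zone, which in a true both-sides overlap means the affiliate's hosts must already be presented under a non-overlapping prefix before they reach this firewall.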