[Azure] Site-to-site IPSec VPN and overlapping addresses



#1 Kamil Bielawa

Kamil Bielawa
  • Members
  • 10 posts

Posted 30 August 2017 - 04:52 AM

Hi all,

We have the following scenario:

Barracuda NGF F-series deployed in Azure in network 10.100.0.0/24
Client A office using network 10.100.0.0/24
Client B office using network 10.100.0.0/24

We need to connect both offices to Azure (so that the offices see Azure, they don't see each other). That would be quite simple without overlapping address space, but how can we solve it with the overlap?



#2 Steve Vickers

Steve Vickers
  • Barracuda Team Members
  • 45 posts

Posted 31 August 2017 - 02:28 AM

Hi,

you can do this using a Map Rule and Translation Map for one or both destination networks:

https://campus.barra...reateNATTables/

https://campus.barra...WCreateMapRule/



#3 Alex Creech

Alex Creech
  • Members
  • 1 posts

Posted 02 September 2017 - 06:56 AM

Could someone provide a recipe/example for this scenario? Azure would need user defined routes and network security groups set up also, right?



#4 A. Remili

A. Remili
  • Members
  • 12 posts
  • Location: Paris, FRANCE

Posted 26 September 2017 - 11:19 AM

Hiya,

I am also interested in the process if anyone has a recipe lol

cheers



#5 Bartek Moczulski

Bartek Moczulski
  • Barracuda Team Members
  • 102 posts
  • Location: EMEA

Posted 11 October 2017 - 03:49 AM

The missing bit of information here is that you need address translation on the branch office boxes (assuming you have them). So the recipe (with example subnets) is:

on Branch A box:
- firewall rule passing traffic from 10.100.0.0/24 to Azure and mapping source (using translation map) to 10.101.0.0/24
- VPN to Azure with local network 10.101.0.0/24

on Branch B box:
- firewall rule passing traffic from 10.100.0.0/24 to Azure and mapping source (using translation map) to 10.102.0.0/24
- VPN to Azure with local network 10.102.0.0/24

on Azure box:
- pass traffic from 10.101.0.0 and 10.102.0.0 with Dynamic SNAT

downside: Azure boxes do not see the original client IP, nor the port. You can optionally map the source back to 10.100.0.0/24 on the Azure box firewall (+ set a UDR in Azure to send data towards 10.100.0.0 via the NGF box). Remember, if setting a UDR, the NGF needs to be in a different subnet than your Azure resources.
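A small model of the translation-map arithmetic in the recipe above, added here as an illustration; it is not Barracuda configuration and not code from this thread. The branch table and host addresses are constructed, and plan_is_valid() is a hypothetical pre-flight check that the translated prefixes are disjoint from the Azure network and from each other before any tunnel is configured.

```python
"""1:1 network translation (the branch-side "translation map") for the
overlapping-subnet recipe: keep the host bits, swap the network prefix.
Hypothetical model code, not Barracuda syntax."""
import ipaddress

AZURE_NET = ipaddress.ip_network("10.100.0.0/24")

# Constructed plan: real branch LAN -> prefix presented to Azure
# (the "local network" of that branch's VPN tunnel).
BRANCHES = {
    "A": ("10.100.0.0/24", "10.101.0.0/24"),
    "B": ("10.100.0.0/24", "10.102.0.0/24"),
}


def netmap(addr: str, real: str, translated: str) -> str:
    """Translate one address from network `real` to the same host in `translated`."""
    real_net = ipaddress.ip_network(real)
    trans_net = ipaddress.ip_network(translated)
    if real_net.prefixlen != trans_net.prefixlen:
        raise ValueError("a translation map needs equal-sized networks")
    ip = ipaddress.ip_address(addr)
    if ip not in real_net:
        raise ValueError(f"{addr} is not inside {real}")
    host_offset = int(ip) - int(real_net.network_address)
    return str(trans_net.network_address + host_offset)


def branch_to_azure(branch: str, src: str) -> str:
    """Source as the Azure box sees it after the branch firewall's map rule."""
    real, translated = BRANCHES[branch]
    return netmap(src, real, translated)


def azure_to_branch(branch: str, dst: str) -> str:
    """Reverse mapping applied to return traffic entering the branch tunnel."""
    real, translated = BRANCHES[branch]
    return netmap(dst, translated, real)


def plan_is_valid(plan=BRANCHES, azure=AZURE_NET) -> bool:
    """Hypothetical check: every translated prefix must be disjoint from
    Azure and from every other branch's translated prefix."""
    nets = [ipaddress.ip_network(t) for _, t in plan.values()] + [azure]
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])
```

The same host address 10.100.0.37 at branch A and at branch B arrives in Azure as 10.101.0.37 and 10.102.0.37 respectively, which is what lets the Azure box tell the two sites apart.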



#6 Kiran Bheemarti

Kiran Bheemarti
  • Members
  • 1 posts

Posted 28 November 2018 - 06:47 PM

Hi

How can we achieve the same without NAT on the BranchA and BranchB boxes?

My scenario is similar:

OnPrem1 (10.10.0.0/24)
OnPrem2 (10.10.0.0/24)

Azure VNet (10.0.0.0/16)

Installed Barracuda F-Series in the Azure VNet.

I need to set up site-2-site tunnels from OnPrem1 to Azure and OnPrem2 to Azure, but I don't have control over the OnPrem1 and OnPrem2 routers, so adding NAT rules is not an option.

How can I achieve this overlapping address space site-2-site topology?

Thanks

Kiran