Remote Network Locations with Overlapping Subnets

Learn how to onboard two remote network locations that have overlapping subnets to Prisma Access.
As a general rule, you cannot have any overlapping subnets within a Prisma Access deployment. That is, the subnets for all remote network locations, your service connections, and your Prisma Access for mobile users IP address pool cannot overlap. However, in some circumstances you cannot avoid having overlapping subnets; for example:
  • Your organization has two WAN links that you want to combine for higher aggregate bandwidth at a single remote network location (an active/active WAN deployment, where both tunnels carry the same site subnets).
  • You want to configure an overlapping subnet deployment by design (for example, your organization uses the same network topology and IP assignments across multiple retail locations).
  • Your organization has one fast WAN link and a slower WAN link, and you want to add both of them to a remote network and steer traffic to one link or the other based on subnet or application. For example, you might want to route all guest Wi-Fi traffic over one WAN and all other traffic over the other WAN, or you might want to send all web traffic over one WAN and all other traffic over the other WAN.
  • You acquired a company that uses subnets that overlap with ones you already have in use.
Prisma Access allows you to onboard remote network locations with overlapping subnets, as long as you select the Overlapped Subnets check box in the remote network settings when you Onboard and Configure Remote Networks.
Remote network connections with overlapped subnets support outbound internet access only. Refer to the table in the following figure for more details. You can bypass these limitations by configuring source NAT on the on-premises Palo Alto Networks next-generation firewall (if present) or on the networking device (router, switch, or SD-WAN device) that terminates the IPSec tunnel used for the remote network connection with overlapped subnets. After source NAT, the site presents a unique, non-overlapping address range to Prisma Access, so the overlap no longer exists from the Prisma Access side.
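The pre-onboarding check below is an added example, not Palo Alto Networks code or part of this page. It applies the rule stated above (no overlap among remote network subnets, service connection subnets, and the mobile users IP pool) to a constructed inventory, reports every overlapping pair, lists the remote networks involved so you can decide whether to select the Overlapped Subnets check box, and then models the source NAT workaround by replacing each NAT'd site's prefixes with the translated address it would present to the tunnel. The site names, prefixes, and the `nat_map` translation addresses are all hypothetical.

```python
"""Overlap check for the Prisma Access address space (added example, hypothetical data)."""
from ipaddress import ip_network
from itertools import combinations

# Constructed inventory: everything that shares the Prisma Access address space.
# Prefixes: "rn-" remote network, "sc-" service connection, "mu-" mobile users pool.
INVENTORY = {
    "rn-branch-1":      ["10.10.0.0/24", "10.10.1.0/24"],
    "rn-branch-2":      ["10.10.0.0/24"],        # same IP template as branch-1
    "rn-acquired-site": ["192.168.5.0/24"],      # acquired company
    "sc-datacenter":    ["192.168.0.0/16"],      # service connection to the data center
    "mu-ip-pool":       ["100.64.0.0/16"],       # mobile users IP address pool
}


def find_overlaps(inventory):
    """Return (name_a, prefix_a, name_b, prefix_b) for every overlapping pair of
    prefixes that belong to different inventory entries.  strict=True makes
    ip_network reject prefixes with host bits set, which catches typos early."""
    parsed = [(name, ip_network(p, strict=True))
              for name, nets in inventory.items() for p in nets]
    found = []
    for (na, a), (nb, b) in combinations(parsed, 2):
        if na != nb and a.overlaps(b):
            found.append((na, str(a), nb, str(b)))
    return found


def remote_networks_in_overlap(inventory):
    """Sorted names of the remote network entries that take part in any overlap.
    Each of these must either be onboarded with the Overlapped Subnets check box
    set (outbound internet only) or be fronted by source NAT on the on-premises
    device that terminates the IPSec tunnel."""
    names = set()
    for na, _, nb, _ in find_overlaps(inventory):
        names.update(n for n in (na, nb) if n.startswith("rn-"))
    return sorted(names)


def apply_source_nat(inventory, nat_map):
    """Model source NAT on the on-premises device: a NAT'd site no longer exposes
    its internal prefixes to Prisma Access, only the translated prefix in nat_map.
    Sites not in nat_map are left unchanged."""
    return {name: ([nat_map[name]] if name in nat_map else list(nets))
            for name, nets in inventory.items()}


if __name__ == "__main__":
    for na, a, nb, b in find_overlaps(INVENTORY):
        print(f"overlap: {na} {a} <-> {nb} {b}")
    print("remote networks needing the check box or source NAT:",
          remote_networks_in_overlap(INVENTORY))
    # Hypothetical translated addresses chosen to be unique across the deployment.
    translated = apply_source_nat(INVENTORY, {
        "rn-branch-2":      "172.16.2.1/32",
        "rn-acquired-site": "172.16.5.1/32",
    })
    print("overlaps after source NAT:", find_overlaps(translated))
```

Run it once against the real inventory before onboarding a new location; a non-empty result from `find_overlaps` after the planned NAT mapping means the chosen translated addresses themselves collide with something already in use and must be changed.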
If you add a location with overlapping subnets, it has no effect on locations that don’t use overlapping subnets; those sites retain their existing functionality.

