https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/public-ips-with-nat-in-ipsec/m-p/445252#M1381 <P>I've got a rather bizarre setup that I'm trying to integrate with a new customer using a vm-series 300 in AWS. I have setup and established an IPSEC tunnel&nbsp; (that even comes up when we attempt to send traffic over the tunnel). Where it gets complicated is that their expectation is that we NAT all traffic using public IPs and send the traffic through the tunnel (I should mention that the other side is a Cisco ASA device).&nbsp;</P><P>&nbsp;</P><P>I've attached a fairly simple diagram of the setup that's been proposed by the customer on the other side ( IP addresses changed for safety). To sum it up quickly:&nbsp;</P><P>&nbsp;</P><P>* we have a tunnel established between 1.1.1.1 and 2.2.2.2, this tunnel comes up when I attempt to send traffic through it<BR />* I've routed both 3.3.3.3/32 (our side of the nat translation) and 4.4.4.4/30 (their side of the nat translation) into the tunnel interface<BR />* when i attempt to send traffic through the tunnel over port 443 (ex: curl <A href="https://10.0.0.1" target="_blank">https://10.0.0.2</A>) from our server the tunnel comes up</P><P>* i can also see in the traffic monitor that the NAT policy appears to be applying (I can see the 10.x addresses NAT'd to the 3.3.3.3 and 4.4.4.4) addresses respectively.&nbsp;<BR /><BR /></P><P>The customer is reporting that no traffic is coming through on their side. When I try to use the packet capture tool on our side and filter based on interface (tunnel.1 in this case), then try to send traffic, I don't see any packets. Is there anyway to verify that traffic is indeed flowing over the tunnel?&nbsp;</P><P>&nbsp;</P><P>I could also have done something really wrong here, but I'd expect that if the tunnel comes up, some traffic is attempting to be sent.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="NAT plan - Copy of Page 1.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37470i1AE9533E6E97914B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="NAT plan - Copy of Page 1.png" alt="NAT plan - Copy of Page 1.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Nov 2021 14:52:01 GMT birdperson 2021-11-03T14:52:01Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/public-ips-with-nat-in-ipsec/m-p/445252#M1381 <P>I've got a rather bizarre setup that I'm trying to integrate with a new customer using a vm-series 300 in AWS. I have setup and established an IPSEC tunnel&nbsp; (that even comes up when we attempt to send traffic over the tunnel). Where it gets complicated is that their expectation is that we NAT all traffic using public IPs and send the traffic through the tunnel (I should mention that the other side is a Cisco ASA device).&nbsp;</P><P>&nbsp;</P><P>I've attached a fairly simple diagram of the setup that's been proposed by the customer on the other side ( IP addresses changed for safety). To sum it up quickly:&nbsp;</P><P>&nbsp;</P><P>* we have a tunnel established between 1.1.1.1 and 2.2.2.2, this tunnel comes up when I attempt to send traffic through it<BR />* I've routed both 3.3.3.3/32 (our side of the nat translation) and 4.4.4.4/30 (their side of the nat translation) into the tunnel interface<BR />* when i attempt to send traffic through the tunnel over port 443 (ex: curl <A href="https://10.0.0.1" target="_blank">https://10.0.0.2</A>) from our server the tunnel comes up</P><P>* i can also see in the traffic monitor that the NAT policy appears to be applying (I can see the 10.x addresses NAT'd to the 3.3.3.3 and 4.4.4.4) addresses respectively.&nbsp;<BR /><BR /></P><P>The customer is reporting that no traffic is coming through on their side. When I try to use the packet capture tool on our side and filter based on interface (tunnel.1 in this case), then try to send traffic, I don't see any packets. Is there anyway to verify that traffic is indeed flowing over the tunnel?&nbsp;</P><P>&nbsp;</P><P>I could also have done something really wrong here, but I'd expect that if the tunnel comes up, some traffic is attempting to be sent.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="NAT plan - Copy of Page 1.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37470i1AE9533E6E97914B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="NAT plan - Copy of Page 1.png" alt="NAT plan - Copy of Page 1.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Nov 2021 14:52:01 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/public-ips-with-nat-in-ipsec/m-p/445252#M1381 birdperson 2021-11-03T14:52:01Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/public-ips-with-nat-in-ipsec/m-p/445292#M1382 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/172999">@birdperson</a> ,</P><P>&nbsp;</P><P>Yes, you can see encaps and decaps from Network &gt; IPSec Tunnels &gt; Tunnel Info next to your VPN.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_0-1635959694037.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37477iFBBCEF4ACE67DDA0/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="TomYoung_0-1635959694037.png" alt="TomYoung_0-1635959694037.png" /></span></P><P>&nbsp;</P><P>You can also see them on the CLI with the command 'show vpn flow tunnel-id &lt;tunnel-id&gt; | match "p p"'.&nbsp; This doc is an excellent VPN troubleshooting reference -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A>.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_1-1635960009446.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37478i8ABAC8F4B47EFF9A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="TomYoung_1-1635960009446.png" alt="TomYoung_1-1635960009446.png" /></span></P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P> Wed, 03 Nov 2021 17:20:16 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/public-ips-with-nat-in-ipsec/m-p/445292#M1382 TomYoung 2021-11-03T17:20:16Z