topic Re: Sub-interface and zone || IPSec tunnel with AWS in Next-Generation Firewall Discussions

Sub-interface and zone || IPSec tunnel with AWS

Doyenadmin — Sun, 28 Aug 2022 05:36:08 GMT

Hi Team,

2 queries.

1. I have 2 physical interfaces on which i have configured multiple sub-interfaces.

say for eg eth1/7 - eth1/7.1, eth1/7.2, eth1/7.3

eth 1/8 - eth1/8.20, eth1/8.21, eth1/8.22.

and my both physical and subinterfaces are in same zone - say trust zone.

Now i have an urgent requirement and i cannot addup new physical interface so can i add a new subinterface in either 1/7 or 1/8 eg eth1/7.5 or eth1/8.25 and can i add it to a new zone ?? and create policies or Inbound nat policies on that interface.

Little confused if that will work. Appreciate if someonce can guide few points on this.

2nd query.

---------------------

I am creating IPsec tunnel with AWS CGW, so it ask to create 2 tunnels, and it says to create PBF, NAT-no nat, tunnel monitor, i have created all that but still both of phases are still down, can someone share me documents i can refer to create tunnel with aws cgw.

regards,

Re: Sub-interface and zone || IPSec tunnel with AWS

OtakarKlier — Mon, 29 Aug 2022 19:21:03 GMT

Hello,

For the first question, yes. The interfaces can be in different zones. For the second question. Sounds like phase 1 and 2 are not configured correctly on both sides.

Regards,

Re: Sub-interface and zone || IPSec tunnel with AWS

Doyenadmin — Mon, 29 Aug 2022 19:53:48 GMT

Yes you were right, phase 1 and config was incorrect, also found something strange, customer configured at aws end - Phase 1 as group 5 , sha1, and aes-128-cbc but in the configuration file which is downloaded from aws end shows different config, that is why we configured different parameters on PA end.

now both tunnels are up.

and fir the 1st query - I have question.

lets say i have eth1/7 with multiple subinterfaces

1/7.1, 1/7.2, 1/7.3 - DMz_1 zone

1/7.4 Dmz_2 zone

for DMZ 2 zone my actual traffic is coming from tunnel -aws - AWS zone.

now i need to DNAT that traffic on private pool IP’s

how can i create DNT policy for this scenario??

Re: Sub-interface and zone || IPSec tunnel with AWS

OtakarKlier — Mon, 29 Aug 2022 20:23:39 GMT

Unless you have overlapping subnets, ie same subnet on both sides of the tunnel. I wouldnt nat the traffic.

Re: Sub-interface and zone || IPSec tunnel with AWS

Doyenadmin — Tue, 30 Aug 2022 07:28:23 GMT

Hello OtakarKlier

DNAT Policy

original packet

----------------------------

Source Zone - AWS Zone

Destination Zone - Aws Zone

Source Address- Peer subnets

Destination addr - my dmz SUB-interface IP - 10.240.x.x

Destination interface - tunnel.9

Services - any

translated packet

-----------------------------

Destination NAT

Static

IP - PRivate ip - 10.34.x.x

translated port - ---- any ---

Security policy

------------------

Src zone - AWS ZOne

src addr - peer subnets

destzone - DMZ ZONE

dest addr - 10.34.x.x

Service - https , http

Action - allow

Will this be correct if my traffic is coming from aws tunnel ??

Please guide if m wrong in any part .

Re: Sub-interface and zone || IPSec tunnel with AWS

Doyenadmin — Tue, 06 Sep 2022 07:24:00 GMT

Subnets are different say one side is 10.34.x.x and another side is 10.2.x.x

but still if i want to hide my backend pool IP's I can do the NAT right ?

Re: Sub-interface and zone || IPSec tunnel with AWS

OtakarKlier — Tue, 06 Sep 2022 18:11:27 GMT

Hello,

You can. But can get very complicated.

Regards,

Re: Sub-interface and zone || IPSec tunnel with AWS

Doyenadmin — Tue, 06 Sep 2022 18:16:58 GMT

Thanks otakarklier. I have tested the same it works successfully.