NAT Translations Related to VPN Tunnels

Andrew_Ours — Fri, 11 Jul 2025 17:25:48 GMT

Thanks for any help in advance.

We have many partners that we create VPN tunnels with. To save time and to avoid IP overlap, I would like to dedicate a private subnet like 10.10.0.0/16 and route that subnet toward our Palo firewall that terminates VPNs. I would like to use IP addressing in that subnet to NAT the partner traffic as it comes inbound off of a VPN tunnel. I would like to perform this NAT on the Palo that is terminating VPN tunnels. Sometimes, we have partners that connect to the same server for the same type of resource. Here is an example:

Partner IP address as built on the tunnel: 172.16.1.1 needs to connect to a server in our datacenter at to perform LDAP lookups: 172.20.1.10. In this case (since there may be multiple partners doing this), I would also want to NAT this IP address to one of our public IP addresses before dropping onto the VPN tunnel. For this example, let's assume that we have this public IP address available to NAT to our server: 100.112.2.49. We can use 10.10.10.1 as a NAT for the partner IP address.

To clarify, the "crypto map" would contain these proxy ids: 100.112.2.49 to/from 172.16.1.1

The NAT translation would be:

100.112.2.49 to 172.20.1.10 and 172.16.1.1 to 10.10.10.1

I have this setup in a lab. When I ping from the "partner" side of the VPN, the "Datacenter Server" sees the ping request and responds. The partner side never receives the response. Pinging from the datacenter server, there is no response and with my lab, i cannot determine if the partner side is seeing the request.

Please see attached diagram.

Let me know if there is any other information needed to help.

Thanks,

Andrew

topic NAT Translations Related to VPN Tunnels in Next-Generation Firewall Discussions

NAT Translations Related to VPN Tunnels