topic VPN Tunnel IPSEC L2L VPN NAT not acting as intended in General Topics https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-ipsec-l2l-vpn-nat-not-acting-as-intended/m-p/463185#M102335 <P>I am Labbing up a configuration I am about to go live with in production but it is not acting as it should when trying to apply a NAT rule to a tunnel interface. When I apply individual rules to the vpn traffic as I would like it to act I am not getting the intended result. I have to select bi-direction to get the NAT rule to act as it should. It works that way but it bugs me on why it is not working as intdended.&nbsp;<BR /><STRONG>Zones:</STRONG></P><P>WAN<BR />VPN</P><P>LAB</P><P>NAT</P><P><STRONG>NAT Rules</STRONG></P><TABLE border="1" width="100%"><TBODY><TR><TD width="11.11111111111111%">Name</TD><TD width="11.11111111111111%">Src Zone</TD><TD width="11.11111111111111%">Dest zone</TD><TD width="11.11111111111111%">dest int</TD><TD width="11.11111111111111%">src addr</TD><TD width="11.11111111111111%">dest adds</TD><TD width="11.11111111111111%">service</TD><TD width="11.11111111111111%">src translation</TD><TD width="11.11111111111111%">dest translation</TD></TR><TR><TD width="11.11111111111111%">VPN-OUT</TD><TD width="11.11111111111111%">LAB</TD><TD width="11.11111111111111%">VPN</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">192.168.110.0/24</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">static-ip&nbsp;<BR />10.0.110.0/24<BR />bi-directional: <EM>no</EM></TD><TD width="11.11111111111111%">none</TD></TR><TR><TD width="11.11111111111111%">VPN-IN</TD><TD width="11.11111111111111%">VPN</TD><TD width="11.11111111111111%">VPN&nbsp;</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">10.0.110.0/24</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">none</TD><TD width="11.11111111111111%">address 10.0.110.0/24</TD></TR></TBODY></TABLE><P>If I change bi-directional to yes on VPN out the both directions work. If I leave it as NO the traffic does not hit VPN-IN no matter what I do.&nbsp;</P><P>&nbsp;</P><P>any suggestions of what is going on is greatly appreciated.&nbsp;</P><P>&nbsp;</P><P>Thanks,&nbsp;</P><P>Matt</P> Thu, 03 Feb 2022 18:56:37 GMT alliman 2022-02-03T18:56:37Z VPN Tunnel IPSEC L2L VPN NAT not acting as intended https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-ipsec-l2l-vpn-nat-not-acting-as-intended/m-p/463185#M102335 <P>I am Labbing up a configuration I am about to go live with in production but it is not acting as it should when trying to apply a NAT rule to a tunnel interface. When I apply individual rules to the vpn traffic as I would like it to act I am not getting the intended result. I have to select bi-direction to get the NAT rule to act as it should. It works that way but it bugs me on why it is not working as intdended.&nbsp;<BR /><STRONG>Zones:</STRONG></P><P>WAN<BR />VPN</P><P>LAB</P><P>NAT</P><P><STRONG>NAT Rules</STRONG></P><TABLE border="1" width="100%"><TBODY><TR><TD width="11.11111111111111%">Name</TD><TD width="11.11111111111111%">Src Zone</TD><TD width="11.11111111111111%">Dest zone</TD><TD width="11.11111111111111%">dest int</TD><TD width="11.11111111111111%">src addr</TD><TD width="11.11111111111111%">dest adds</TD><TD width="11.11111111111111%">service</TD><TD width="11.11111111111111%">src translation</TD><TD width="11.11111111111111%">dest translation</TD></TR><TR><TD width="11.11111111111111%">VPN-OUT</TD><TD width="11.11111111111111%">LAB</TD><TD width="11.11111111111111%">VPN</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">192.168.110.0/24</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">static-ip&nbsp;<BR />10.0.110.0/24<BR />bi-directional: <EM>no</EM></TD><TD width="11.11111111111111%">none</TD></TR><TR><TD width="11.11111111111111%">VPN-IN</TD><TD width="11.11111111111111%">VPN</TD><TD width="11.11111111111111%">VPN&nbsp;</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">10.0.110.0/24</TD><TD width="11.11111111111111%">any</TD><TD width="11.11111111111111%">none</TD><TD width="11.11111111111111%">address 10.0.110.0/24</TD></TR></TBODY></TABLE><P>If I change bi-directional to yes on VPN out the both directions work. If I leave it as NO the traffic does not hit VPN-IN no matter what I do.&nbsp;</P><P>&nbsp;</P><P>any suggestions of what is going on is greatly appreciated.&nbsp;</P><P>&nbsp;</P><P>Thanks,&nbsp;</P><P>Matt</P> Thu, 03 Feb 2022 18:56:37 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-ipsec-l2l-vpn-nat-not-acting-as-intended/m-p/463185#M102335 alliman 2022-02-03T18:56:37Z Re: VPN Tunnel IPSEC L2L VPN NAT not acting as intended https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-ipsec-l2l-vpn-nat-not-acting-as-intended/m-p/463232#M102341 <P>Hello,</P> <P>If you are using a bi-directional NAT. I would recommend you set it to yes. This prevent asymmetric routing and could cause applications to fail.</P> <P>Here is an article that may help.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 03 Feb 2022 21:14:58 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-ipsec-l2l-vpn-nat-not-acting-as-intended/m-p/463232#M102341 OtakarKlier 2022-02-03T21:14:58Z