https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14739#M10820 <HTML><HEAD></HEAD><BODY><P>Hello.</P><P></P><P>I'm doing a firewall migration where i encountered a following situation:</P><P>- customer has site-to-site VPNs terminated on public IP address, let's say 1.1.1.1</P><P>- customer is using PPTP VPN solutio<SPAN style="font-size: 10pt; line-height: 1.5em;">n which is also terminated on same IP address 1.1.1.1 and DNAT-ed to PPTP server, let's say on address 10.10.10.10</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">- on current fw they have a DNAT rule for just TCP 1723 and GRE protocol which translates packets with destination 1.1.1.1 to 10.10.10.10</SPAN></P><P></P><P>But as PA doesn't support use of GRE (protocol or application) in NAT rules i have to make a more general rule which translates every packet coming to 1.1.1.1 to 10.10.10.10</P><P>Will site-to-site VPNs terminating on PA on IP address 1.1.1.1 still work in such scenario? Or will they be forwarded to PPTP server?</P><P></P><P>Best regards, </P><P>Simon</P></BODY></HTML> Mon, 15 Dec 2014 12:53:44 GMT santonic 2014-12-15T12:53:44Z https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14739#M10820 <HTML><HEAD></HEAD><BODY><P>Hello.</P><P></P><P>I'm doing a firewall migration where i encountered a following situation:</P><P>- customer has site-to-site VPNs terminated on public IP address, let's say 1.1.1.1</P><P>- customer is using PPTP VPN solutio<SPAN style="font-size: 10pt; line-height: 1.5em;">n which is also terminated on same IP address 1.1.1.1 and DNAT-ed to PPTP server, let's say on address 10.10.10.10</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">- on current fw they have a DNAT rule for just TCP 1723 and GRE protocol which translates packets with destination 1.1.1.1 to 10.10.10.10</SPAN></P><P></P><P>But as PA doesn't support use of GRE (protocol or application) in NAT rules i have to make a more general rule which translates every packet coming to 1.1.1.1 to 10.10.10.10</P><P>Will site-to-site VPNs terminating on PA on IP address 1.1.1.1 still work in such scenario? Or will they be forwarded to PPTP server?</P><P></P><P>Best regards, </P><P>Simon</P></BODY></HTML> Mon, 15 Dec 2014 12:53:44 GMT https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14739#M10820 santonic 2014-12-15T12:53:44Z https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14740#M10821 <HTML><HEAD></HEAD><BODY><P>A bit more complications: yes i know I can make a no-nat rule above the mentioned DNAT rule for known VPN endpoints. <SPAN style="font-size: 10pt; line-height: 1.5em;">But a couple of VPN endpoints will have dynamic IP addresses</SPAN></P></BODY></HTML> Mon, 15 Dec 2014 12:57:44 GMT https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14740#M10821 santonic 2014-12-15T12:57:44Z https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14741#M10822 <HTML><HEAD></HEAD><BODY><P>You can write your nat rules to be more specific on the port for forwarding in order to distinguish these two servers on the same ip address.</P><P></P><P>When you create the nat rule you can leave any source and make the destination port the PPTP port with the translation then to that server.</P><P></P><P>the site to site will arrive on the interface as IPSEC traffic and not hit the PPTP rule at all.</P></BODY></HTML> Tue, 16 Dec 2014 00:02:00 GMT https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14741#M10822 pulukas 2014-12-16T00:02:00Z https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14742#M10823 <HTML><HEAD></HEAD><BODY><P>PPTP includes TCP session on port 1723 and GRE session.</P><P>Yes, I can make more specific NAT rule for TCP session.</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">But I can't use application or protocol in NAT rule so I can't make specific NAT rule for GRE. </SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">I also can't make no-NAT rule to prevent NAT for VPN tunnels as it also uses ESP which can't be used in NAT policy.</SPAN></P></BODY></HTML> Tue, 16 Dec 2014 07:28:15 GMT https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14742#M10823 santonic 2014-12-16T07:28:15Z https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14743#M10824 <HTML><HEAD></HEAD><BODY><P>I had assumed that the dependent GRE session created by the PPTP session would nat with the ALG.&nbsp; But this is apparently not the case as PPTP is not on this list of ALG that nat correctly.&nbsp; You may want to open a case to see if there is a work around for this.</P><P></P><P>You may also want to be sure there is a feature request filed by your sales engineer to add PPTP to this list in a future release.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-8371">Applications that Support NAT ALG (Application Layer Gateway) Functionality</A></P></BODY></HTML> Sat, 20 Dec 2014 13:27:09 GMT https://live.paloaltonetworks.com/t5/general-topics/pptp-nat-and-site-to-site-ipsec-vpn-on-same-ip-address/m-p/14743#M10824 pulukas 2014-12-20T13:27:09Z