<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554538#M112681</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/285057"&gt;@JTDMHSUPPORT&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Depends on what you're trying to accomplish and whether or not the peer will actually see those NAT addresses or not.&lt;/P&gt;</description>
    <pubDate>Mon, 21 Aug 2023 16:32:53 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2023-08-21T16:32:53Z</dc:date>
    <item>
      <title>Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554342#M112657</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;
&lt;P&gt;I need to do some source/destination NATs on my PA440 for a new ipsec tunnel. I have never had to configure a NAT until now. I have been watching some videos and I understand the basic concept of NAT and why it is needed. My question is, all of the videos I have watched are referencing the outside zone. For my ipsec tunnels, I am using a zone called l2vpn. Would the only difference for my NAT rules be that I reference my l2vpn zone instead of the outside zone?&lt;/P&gt;</description>
      <pubDate>Fri, 18 Aug 2023 18:48:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554342#M112657</guid>
      <dc:creator>JTDMHSUPPORT</dc:creator>
      <dc:date>2023-08-18T18:48:05Z</dc:date>
    </item>
    <item>
      <title>Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554364#M112659</link>
      <description>&lt;P&gt;If you NAT outgoing traffic then source zone is INSIDE and destination zone is OUTSIDE.&lt;/P&gt;
&lt;P&gt;If you NAT incoming traffic then source zone is OUTSIDE and destination zone is OUTSIDE.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you NAT traffic where sessions are initiated from your side towards tunnel then source zone is INSIDE and destination zone is L2VPN.&lt;/P&gt;
&lt;P&gt;If you NAT traffic where sessions are initiated from other side of the tunnel towards you then source zone is L2VPN and destination zone is INSIDE (in most cases unless you change destination IP. In this case you might need destination zone to be OUTSIDE if pre-nat IP is not in your routing table).&lt;/P&gt;</description>
      <pubDate>Sat, 19 Aug 2023 05:34:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554364#M112659</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2023-08-19T05:34:57Z</dc:date>
    </item>
    <item>
      <title>Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554529#M112680</link>
      <description>&lt;P&gt;Will I also need Proxy IDs for the NAT ip addresses?&lt;/P&gt;</description>
      <pubDate>Mon, 21 Aug 2023 15:36:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554529#M112680</guid>
      <dc:creator>JTDMHSUPPORT</dc:creator>
      <dc:date>2023-08-21T15:36:53Z</dc:date>
    </item>
    <item>
      <title>Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554538#M112681</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/285057"&gt;@JTDMHSUPPORT&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Depends on what you're trying to accomplish and whether or not the peer will actually see those NAT addresses or not.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Aug 2023 16:32:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554538#M112681</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2023-08-21T16:32:53Z</dc:date>
    </item>
    <item>
      <title>Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554541#M112682</link>
      <description>&lt;P&gt;Hi BP,&lt;/P&gt;
&lt;P&gt;My goal is an IPsec vpn tunnel with a vendor. They want me to nat some of the hosts on my side due to network overlap. I am new to Palo and do not do networking everyday so I am trying to muddle my way through this. Here is my thinking and why I posed the question about the proxy IDs: I have already built proxy IDs for the non natted traffic. Some of the hosts will be natted and some won't. My thought is, if I have proxy IDs created for my hosts for the source ip on my side, then I do not need an additional proxy id for the relevant NAT addresses of either side since the address will be translated before the traffic is sent to my host or sent from my host. But I am no expert on NAT, hence the reason I asked. Thanks for your help.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Aug 2023 16:39:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554541#M112682</guid>
      <dc:creator>JTDMHSUPPORT</dc:creator>
      <dc:date>2023-08-21T16:39:16Z</dc:date>
    </item>
    <item>
      <title>Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554547#M112685</link>
      <description>&lt;P&gt;BP,&lt;/P&gt;
&lt;P&gt;I just found this:&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;When configuring an IPSec Tunnel Proxy-ID configuration to identify local and remote IP networks for traffic that is NATed, the Proxy-ID configuration for the IPSec Tunnel must be configured with the Post-NAT IP network information, because the Proxy-ID information defines the networks that will be allowed through the tunnel on both sides for the IPSec configuration.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I think that answers my question.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 21 Aug 2023 17:22:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554547#M112685</guid>
      <dc:creator>JTDMHSUPPORT</dc:creator>
      <dc:date>2023-08-21T17:22:26Z</dc:date>
    </item>
    <item>
      <title>Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554700#M112696</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/285057"&gt;@JTDMHSUPPORT&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Correct, for what you're doing you'd use the post NAT information for proxy IDs. The only time that you wouldn't would be if the tunnel isn't going to see the NAT address. As an example; if you were funneling traffic back to headquarters to route out to the internet or some other restricted resource, you would still use the pre NAT addresses because the tunnel itself wouldn't see the NAT at all.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 22 Aug 2023 14:27:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/554700#M112696</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2023-08-22T14:27:58Z</dc:date>
    </item>
    <item>
      <title>Re: Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/555232#M112777</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;You're correct in understanding the basics of NAT. While most videos refer to the "outside" zone, in your case with the "l2vpn" zone for IPSec tunnels, the principle remains the same. Instead of the "outside" zone, use the "l2vpn" zone in your NAT rules. Ensure your security policies align, allowing traffic between the relevant source and destination zones. This way, the NAT translations occur correctly before traffic goes through the IPSec tunnel. Always refer to your device's official documentation or support resources for guidance.&lt;/P&gt;
&lt;P&gt;Best of luck with your PA-440 NAT configuration for the IPSec tunnel!&lt;/P&gt;
&lt;P&gt;I hope this will help you!&lt;/P&gt;</description>
      <pubDate>Fri, 25 Aug 2023 06:15:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-nat-configuration-on-pa-440-in-conjunction-with-ipsec/m-p/555232#M112777</guid>
      <dc:creator>miasmith500</dc:creator>
      <dc:date>2023-08-25T06:15:09Z</dc:date>
    </item>
  </channel>
</rss>

