https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-ipsec-vpn/m-p/559800#M113516 <P><SPAN>How to configure ipsec vpn between palo atto and fortigate firewall .</SPAN></P> <P><SPAN>VPN flow is following</SPAN></P> <P><SPAN>Remote Lan&nbsp;(191.168.1.0/24) &gt;&gt;&gt;&gt;&nbsp; Fortigate (192.168.10.2 private ip)&gt;&gt;&gt;&gt;&gt;Cisco router(203.1.1.2/29)&gt;&gt;&gt;&gt;&gt;PaloAlto(202.1.1.10/30-public ip)----Local lan</SPAN></P> <P><SPAN>fortigate firewall is the behind the NATed device that is cisco router and Cisco Router have public ip (203.1.1.2/29) but Fortigate do not have public ip address and they have private ip(191.168.10.2).NATed device is in front&nbsp;of fortigate.</SPAN></P> <P><SPAN>&nbsp;How can we configure for that?</SPAN></P> Thu, 28 Sep 2023 04:43:31 GMT Chignon 2023-09-28T04:43:31Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-ipsec-vpn/m-p/559800#M113516 <P><SPAN>How to configure ipsec vpn between palo atto and fortigate firewall .</SPAN></P> <P><SPAN>VPN flow is following</SPAN></P> <P><SPAN>Remote Lan&nbsp;(191.168.1.0/24) &gt;&gt;&gt;&gt;&nbsp; Fortigate (192.168.10.2 private ip)&gt;&gt;&gt;&gt;&gt;Cisco router(203.1.1.2/29)&gt;&gt;&gt;&gt;&gt;PaloAlto(202.1.1.10/30-public ip)----Local lan</SPAN></P> <P><SPAN>fortigate firewall is the behind the NATed device that is cisco router and Cisco Router have public ip (203.1.1.2/29) but Fortigate do not have public ip address and they have private ip(191.168.10.2).NATed device is in front&nbsp;of fortigate.</SPAN></P> <P><SPAN>&nbsp;How can we configure for that?</SPAN></P> Thu, 28 Sep 2023 04:43:31 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-ipsec-vpn/m-p/559800#M113516 Chignon 2023-09-28T04:43:31Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-ipsec-vpn/m-p/559860#M113521 <P>Palo side</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1695907280629.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54036i5082834AC2426C11/image-size/medium?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1695907280629.png" alt="Raido_Rattameister_0-1695907280629.png" /></span></P> <P>&nbsp;</P> <P>If Cisco router don't have DNAT rule to forward packets arriving to&nbsp;<SPAN>203.1.1.2 further towards&nbsp;192.168.10.2 then it makes sense to make Palo to be passive.</SPAN></P> <P>&nbsp;</P> <P><SPAN>"Enable NAT Traversal" will encapsulate IPSec packets into UDP packet. This is needed if NAT is involved.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_1-1695907339183.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54037iFEEB91BF82CFB9F8/image-size/medium?v=v2&amp;px=400" role="button" title="Raido_Rattameister_1-1695907339183.png" alt="Raido_Rattameister_1-1695907339183.png" /></span></P> <P>&nbsp;</P> Thu, 28 Sep 2023 13:24:56 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-ipsec-vpn/m-p/559860#M113521 Raido_Rattameister 2023-09-28T13:24:56Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-ipsec-vpn/m-p/559889#M113535 <P>Hello,</P> <P>check out&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;reply. The natted firewall/vpn endpoint needs to have the IP listed as the "Peer Identification" IP address. So point your tunnel at the public IP and the Peer Identification as the VPN endpoint device.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 28 Sep 2023 16:09:47 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-ipsec-vpn/m-p/559889#M113535 OtakarKlier 2023-09-28T16:09:47Z