topic Re: Palo Alto Proxy IDs Bidirectional? in General Topics

Palo Alto Proxy IDs Bidirectional?

JTDMHSUPPORT — Tue, 24 Oct 2023 18:03:52 GMT

Hi everyone,

I am a bit confused about proxy IDs when it comes to tunnel negotiation. Lets say I have a tunnel I am building with a vendor. My encryption domain will be 192.168.1.0/24 and my vendor will have 192.168.2.0/24. So lets also say the vendor has an ASA so I will add this proxy id to my phase 2 config: Source 192.168.1.0/24 Destination 192.168.2.0/24. Here is my question: Lets say I need the vendor to also be able to send traffic to me as well as receive my traffic. Is my proxy id bi-directional for the purpose of the vendor being able to initiate/negotiate the tunnel? OR do I need another proxy id as such: Source 192.168.2.0/24 Destination 192.168.1.0/24

Thanks for the help.

Re: Palo Alto Proxy IDs Bidirectional?

Raido_Rattameister — Tue, 24 Oct 2023 18:19:41 GMT

ProxyID is not source/destination but local/remote instead.

It means they are bi-directional.

Re: Palo Alto Proxy IDs Bidirectional?

JTDMHSUPPORT — Thu, 26 Oct 2023 17:40:42 GMT

Thank you. One additional question:

Lets say I have the following proxyIDs built:

ProxyID1 LOCAL 192.168.2.0/24 REMOTE 10.1.1.0/24

ProxyID2 LOCAL 192.168.10.0/24 REMOTE 10.50.1.0/24

Here is my question, for LOCAL 192.168.10.0 to be able to pass traffic back and forth with REMOTE 10.1.1.0, do I need a separate proxy ID such as this: LOCAL 192.168.10.0 REMOTE 10.1.1.0 ?

Re: Palo Alto Proxy IDs Bidirectional?

Raido_Rattameister — Thu, 26 Oct 2023 19:05:51 GMT

Palo don't care but other end is most likely policy based firewall that routes traffic based on those ProxyID's / encryption domains so most likely yes you need ProxyID for every pair of subnets.

Re: Palo Alto Proxy IDs Bidirectional?

JTDMHSUPPORT — Mon, 30 Oct 2023 15:06:21 GMT

Hi again Raido, thanks for all of your help. I ran across something else I am questioning in my PA440 config. When there is a NAT rule created for an ipsec tunnel for example: Source address 192.168.1.0/24 Destination address 152.2.0.0/16 Source translation 10.77.120.212 and bidirectional is yes. I only need a static route for the PRE-NAT ip address correct?

Re: Palo Alto Proxy IDs Bidirectional?

Raido_Rattameister — Mon, 30 Oct 2023 15:43:02 GMT

Palo virtual router will route based on POST-NAT destination IP.

In your example you don't seem to change destination IP but source IP so destination PRE-NAT and POST-NAT IPs are the same (unless I misunderstand your requirement to also NAT destination IP).

Re: Palo Alto Proxy IDs Bidirectional?

JTDMHSUPPORT — Mon, 30 Oct 2023 15:58:08 GMT

I am creating a source nat rule and setting it to bi-directional so the destination nat rule is auto created by the firewall. This means when I view nat rules from command line i see this:

"Example1; index: 86" {
nat-type ipv4;
from inside;
source 192.168.1.0;
to l2lvpn;
to-interface ;
destination 152.2.0.0/16;
service 0:any/any/any;
translate-to "src: 10.77.120.212 (static-ip) (pool idx: 24)";
terminal no;
}

"Example1; index: 87" {
nat-type ipv4;
from any;
source any;
to l2lvpn;
to-interface ;
destination 10.77.120.212;
service 0:any/any/any;
translate-to "dst: 192.168.1.0";
terminal no;
}

My question is, when I create my static routes for the tunnel, do I need a static route for 152.2.0.0 or for my source nat address 10.77.120.212

Re: Palo Alto Proxy IDs Bidirectional?

Raido_Rattameister — Mon, 30 Oct 2023 16:28:18 GMT

I usually prefer not to use bi-directional NAT rules and create 2 rules myself for better control due how bi-directional option messes up zones.

Your example shows that one way source zone is "inside" and destination zone is "l2lvpn"

Other way source zone is "any" and destination zone is "l2lvpn"

But if you don't have 10.77.120.212 in your routing table then destination zone should be "outside" instead for nat policy to match for traffic initiated from peer side.

Re: Palo Alto Proxy IDs Bidirectional?

JTDMHSUPPORT — Mon, 30 Oct 2023 16:54:21 GMT

Which one of these would be correct given my nat rule example? Sorry, I do not do enough networking to be well versed with it =(

Re: Palo Alto Proxy IDs Bidirectional?

Raido_Rattameister — Mon, 30 Oct 2023 16:56:26 GMT

Can you share screenshot of your NAT policy as well but I would say that destination needs to be

152.2.0.0/16

Re: Palo Alto Proxy IDs Bidirectional?

JTDMHSUPPORT — Mon, 30 Oct 2023 17:17:16 GMT

Re: Palo Alto Proxy IDs Bidirectional?

Raido_Rattameister — Mon, 30 Oct 2023 18:20:28 GMT

Do you need to use 10.77.120.212 only or can you use /24 subnet like example below?

Re: Palo Alto Proxy IDs Bidirectional?

JTDMHSUPPORT — Mon, 30 Oct 2023 18:22:34 GMT

I can use subnet like your example.