https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585950#M116944 <P>Of course!</P> <P>&nbsp;</P> <P>You will also need to do a source NAT to a prefix on the public static IP FW so that the return traffic is routed back.&nbsp; The easiest way to do it is put IP addresses on your tunnel interfaces (one on each side) and source NAT to the tunnel IP.&nbsp; The prefix on the tunnels can be a /30 or even a /31.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 07 May 2024 01:18:50 GMT TomYoung 2024-05-07T01:18:50Z https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585938#M116940 <P>Hello,</P> <P>&nbsp;</P> <P>I have two Pa-440's.&nbsp; One 440 has a public static ip and the other is just dhcp as of right now.&nbsp; &nbsp; &nbsp;I do a site to site to site vpn working between them.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I setup an original port forward on the public&nbsp; static ip device to a local host and it worked great.&nbsp; &nbsp;Now, I moved that host to a subnet on the public dhcp firewall.&nbsp; &nbsp;I tried switching the port forward to the new ip at the remote location across the tunnel interface,&nbsp; but it never seems to work.&nbsp; Is this possible to do?</P> <P>&nbsp;</P> <P>Bryan&nbsp;</P> Mon, 06 May 2024 22:37:17 GMT https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585938#M116940 btolkawfp 2024-05-06T22:37:17Z https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585940#M116941 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1009996901">@btolkawfp</a> ,</P> <P>&nbsp;</P> <P>NAT over VPN is definitely possible.</P> <P>&nbsp;</P> <OL> <LI>Do you have a route pointing to the subnet on the public dhcp firewall to the tunnel interface?</LI> <LI>Did you change the destination zone of the NAT policy rule <EM>and </EM>security policy rule to reflect the change?</LI> <LI>Do you see the failed traffic under Monitor &gt; Logs &gt; Traffic?&nbsp; Many times the log will reveal why it isn't working.</LI> </OL> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 06 May 2024 23:20:33 GMT https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585940#M116941 TomYoung 2024-05-06T23:20:33Z https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585947#M116943 <P>1.)&nbsp; The site to site between firewalls is working</P> <P>2.)&nbsp; the destination zone of the port forward is untrust and untrust&nbsp;</P> <P>3.) no failed logs ..just says incomplete.</P> <P>&nbsp;</P> <P>the issue is getting the client using the public ip and then natting that request through a vpn tunnel and then back to the original firewall.&nbsp;</P> Tue, 07 May 2024 00:48:50 GMT https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585947#M116943 btolkawfp 2024-05-07T00:48:50Z https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585950#M116944 <P>Of course!</P> <P>&nbsp;</P> <P>You will also need to do a source NAT to a prefix on the public static IP FW so that the return traffic is routed back.&nbsp; The easiest way to do it is put IP addresses on your tunnel interfaces (one on each side) and source NAT to the tunnel IP.&nbsp; The prefix on the tunnels can be a /30 or even a /31.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 07 May 2024 01:18:50 GMT https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585950#M116944 TomYoung 2024-05-07T01:18:50Z https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585993#M116954 <P>ok that makes more sense.. i am still having a hard time visualizing that source nat configuration.&nbsp; Here is port forward rule.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="btolkawfp_0-1715092442228.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59561i95C480DAE59F0574/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="btolkawfp_0-1715092442228.png" alt="btolkawfp_0-1715092442228.png" /></span></P> <P>&nbsp;</P> <P>I added a tunnel interface of 10.10.10.9/30 to the public dhcp firewall and 10.10.10.10/30 to the static firewall&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for your help.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 07 May 2024 15:18:00 GMT https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/585993#M116954 btolkawfp 2024-05-07T15:18:00Z https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/586023#M116961 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1009996901">@btolkawfp</a> ,</P> <P>&nbsp;</P> <P>You can modify the same rule to NAT the source IP to 10.10.10.10.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 07 May 2024 15:38:52 GMT https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/586023#M116961 TomYoung 2024-05-07T15:38:52Z https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/586049#M116969 <P>thanks got it work..</P> <P>&nbsp;</P> Tue, 07 May 2024 17:28:05 GMT https://live.paloaltonetworks.com/t5/general-topics/port-forwarding-through-ipsec-tunnel/m-p/586049#M116969 btolkawfp 2024-05-07T17:28:05Z