topic NAT Bidirectionnal,IPSEC NAT-T and secondary address problem in General Topics

NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

JeanLuc974 — Sun, 07 Oct 2012 15:37:45 GMT

Hello,

I am trying to have a Cisco router establishing an IP SEC Tunnel behind a pao alto firewal configured in L3 Mode.

The tunnel should be established on a secondary address on a sub interface

Eth 1 Public, Two Sub interface 1.666 and 1.667

eth1.666 address is x.y.z.131/25

and need the tunnel on x.y.z.132 then I do NAT 1-1 rule with option bidirectionnal The source of the tunnel is 10.35.3.253 on eth2.500

The IKE exchange begin but stop in the middle.

If I use x.y.z.131 no problem, it works.

But I need the 131 address for other things.

What should I do for the NAt 1-1 to accept the secondary address ?

Jean-Luc

Re: NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

ppatel — Mon, 08 Oct 2012 04:46:43 GMT

Is the Cisco establishing the VPN tunnel with the Palo Alto firewall or the firewall is just in a pass through stage for ipsec traffic?

It somehow appears from the description the tunnel is terminating on the firewall. Correct me if I am wrong.

If that is the case and from the description of the two ip-addresses in use , you can use the the feature of secondary ip-address on the interface and not the sub-interfaces.

What I mean is the following:-

Trust Zone:- Internal corporate network

Untrust Zone:- Outside World

VPN zone :- tunnel is in this zone. (VPN users)

From above, 10.30.6.59/24 is the interface address. However the VPN ike-gateway address can be set as a secondary ip-address on the interface as 10.30.6.110/32 as seen above.

Tunnel will be in VPN zone:-

NAT rule should look like the following:-

One rule for the trust users and one for the VPN users (Ip-pool)

Also make sure you have security rules from VPN to Trust and the other way around.

And there is no explicit deny rule in the security rule base.

Let me know if this helps.

Regards

Re: NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

JeanLuc974 — Mon, 08 Oct 2012 05:28:43 GMT

Hello,

The PA-200 is just pass-through.

And the problem is that the response is not correctly forwarded to the Cisco router. The IKE exchange get stuck in the middle :

From one side it says : MM_NO_STATE and from the other MM_SA_SETUP.

I will make a schema and post it.

could it be related to the two public link on the same physical interface ? If absolutely necessary I can ask to have the the two sub interface on two physical one.

thnaks trying to help

Jean-Luc

Re: NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

ppatel — Mon, 08 Oct 2012 05:43:26 GMT

Jean,

If that is the case, we would like see the configuration and review logs on the firewall.

Does the second sub-interface have the ip-address in the same subnet as the first?

Regards

Re: NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

JeanLuc974 — Mon, 08 Oct 2012 05:44:59 GMT

Hello,

Here is the schema:

Hope this can help understanding.

I prefer to terminate the tunnel on the cisco router because we have vrf-lite configuration on it. And if we terminate the VPN on the Palo-Alto, they will not be vrf-aware

Re: NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

JeanLuc974 — Tue, 09 Oct 2012 14:06:40 GMT

Bug from ISP, excuse for the trouble

Jean-Luc