topic Re: NAT rule for IPSEC VPN using NAT-T in General Topics

NAT rule for IPSEC VPN using NAT-T

iguarino — Wed, 01 May 2013 15:27:30 GMT

I'm running PANOS 4.0.13 and I've enabled NAT-T via the command line. I'm having trouble getting traffic to pass and I assume it must be my NAT policy.

1. I set a destination NAT as the vendor will be the initiator. The NAT is defined like this:

srczone: Vendor-VPN

dstzone: Untrust dstaddr: NAT IP (172.1.1.1.) dst translation addr: Real IP (10.1.1.1)

After writing this, perhaps the dstzone should be Trust, but I don't see that as the proper designation from the Doc's I'm reading.

2. I also tried making a Bi-Directional static Source NAT like so, but it doesn't appear to be working:

srczone: Trust srcaddr: real IP (10.1.1.1) src translation addr: nat IP (172.1.1.1.)

dstzone: Vendor-VPN

Please let me know your suggestions.

Re: NAT rule for IPSEC VPN using NAT-T

Retired Member — Sun, 09 Jun 2013 02:29:52 GMT

what do you see in traffic logs related to VPN ?

That will give information where you make a mistake in NAT

Re: NAT rule for IPSEC VPN using NAT-T

apasupulati — Tue, 11 Jun 2013 16:17:51 GMT

For your destination NAT: Assuming 'Vendor-VPN' is the zone the tunnel terminates on,

NAT rule should be:

srczone: Vendor-VPN

dstzone: Vendor-VPN dstaddr: NAT IP (172.1.1.1.); dst translation addr: Real IP (10.1.1.1)

Security policy:

srczone: Vendor-VPN

dstzone: Trust dstaddr: NAT IP (172.1.1.1.)

Looks like the bi-directional static NAT should have worked as well, not sure why it didn't. You can trace the NAT IP/nat rules/security rules matching the traffic from the traffic logs.

Thanks,

Aditi