topic Re: Deploying LSVPN ( Large Scale VPN) with NAT !!! in General Topics

Deploying LSVPN ( Large Scale VPN) with NAT !!!

MinhTuan — Tue, 02 Apr 2013 03:44:44 GMT

I'm newcomer with Palo Alto. I have project to deploy PA using LSVPN . But there is a problem because The Internet Link from ISP & MPLS must Via Router Cisco.

But I wonder , when using Router at Border , that means you must NAT Public IP to Private IP of PA.

So when deploy LSVPN, Traffic is encryped , that mean Router cann't NAT . So how to solve that problem.

I cann't deploy VPN with IPSEC VPN site-to-site because we have many Connection , many HUB & Spoke.

Please help me with answer.

Thanks alot.

Re: Deploying LSVPN ( Large Scale VPN) with NAT !!!

MinhTuan — Wed, 03 Apr 2013 14:04:30 GMT

SO, i wait for longtime. No one has deployed LSVPN yet ? I have confused what kind of LSVPN Deployment , just like SSL VPN or IPSec VPN, and however, if i use with Router, so what Port i need to Allow for LS VPN.

thank so much .

Re: Deploying LSVPN ( Large Scale VPN) with NAT !!!

ericgearhart — Wed, 03 Apr 2013 14:09:04 GMT

A drawing of what you're trying to accomplish might help us understand

But I think from what I've read, a static NAT from a public IP on your router to an inside IP on your PA device should solve the problem of having the PA "behind" the router, right?

Encrypted traffic can be NAT'd... why do you think that encrypted traffic from the PA can't be NAT'd by your edge router?

Re: Deploying LSVPN ( Large Scale VPN) with NAT !!!

MinhTuan — Wed, 03 Apr 2013 15:05:01 GMT

Yeah, i have uploaded my Topology .

We have 3 site. 1 is HQ, 2 Branch.

Every Bratnch have two Connection to HQ via MPLS & Internet.

Now we want to Make VPN to secure Connection . We using LSVPN .But we still have Router infront of PaloAlto

PaloAlto have function like VPN Gateway.

I have some questions:

1 . If we config Static NAT 1-to-1 on Router , is this true ?

2. Actually, i don't know what kind of LSVPN , SSL or IPSec, because IF that is IPSec , we will NAT in Router with Port 500 &4500 , IF SSL VPN, how ?

3. When configuring GlobalProtect , IP when we configure GlobalPortal & GlobalGateway is using Private IP of Palo Alto or using Public IP which provided by ISP.

Re: Deploying LSVPN ( Large Scale VPN) with NAT !!!

MinhTuan — Thu, 04 Apr 2013 10:16:49 GMT

I have test that LAB. I have answer for my question .

In router , we make Static NAT 1-to-1

When configure GlobalProtect in HUB. , some infomations are very important.

1. When generating Certificate from CA , you must using Common Name is Public IP of HUB . In this scenaro is 222.0.0.1

2. When configure Global Portal from HUB, in Satellite Configuration --- Gateway is : Private IP of Hub . In this scenaro is 192.168.1.2

When configure in Spoke ... make IPSec tunnel., IP of Portal is : Public IP of HUB . In this scenaro is 222.0.0.1

Re: Deploying LSVPN ( Large Scale VPN) with NAT !!!

ericgearhart — Thu, 04 Apr 2013 14:16:24 GMT

Nice! Thanks for sharing your final solution. I haven't done anything with LSVPN yet, but it's in the back of my mind if/when we start deploying remote PA firewalls to some of our remote offices.