topic Re: NAT Over IPSEC VPN in General Topics

NAT Over IPSEC VPN

BFCBahrain — Fri, 06 Dec 2013 17:38:45 GMT

Hi,

I am facing a problem with NAT over IPSEC VPN.

I am trying to configure the NAt for incoming traffic from the client over a site to site VPN and basically i want to do a destination translation of the IP they access to my internal server IP.

The Client is in VPN zone and my server sits in the DMZ

I configured Rule like this

Source zone(VPN)-Source IP(Client IP )- Destination Zone(DMZ) -Destination IP(Nated IP) -> NAT -Selected only destination NAT that translate the NAted IP to my DMZ Server IP.

After doing this ,I don't see traffic hitting my firewall .I don't think this could be problem on the VPN as the other traffic over this VPN is working fine .

Issue happens only when I introduce this NAT ..

Can Anyone help here ?

Re: NAT Over IPSEC VPN

kadak — Fri, 06 Dec 2013 19:42:20 GMT

Hello BFCBahrain,

In your destination NAT, your destination zone should still be VPN zone in your original packet. Your security rule would be from VPN to DMZ zone.

You can refer to the following document for the same scenario on page 15-18 :

Understanding PAN-OS NAT

Let me know if that helps!

Thanks and regards,

Kunal Adak

Re: NAT Over IPSEC VPN

BFCBahrain — Fri, 06 Dec 2013 21:28:41 GMT

Thanks a lot Kadak.

I have trired this from VPN to VPN and it did not help..

I have referred the doc and it points to another doc for NAT with VPN

Pleae check the page 9 of this and it says NAT rule is from VPN to Trust !!

https://live.paloaltonetworks.com/docs/DOC-1594

Look at the below link where it says Policy should be from VPN to Untrust .

I tried this also and it did not help .I have an Untrust Zone where I have 2 ISPs are residing on it on 2 Virtual Interfaces.

1/1.1 and 1/1.2 .both are in Untrust-ISP and 1/1 is in Untrust

https://live.paloaltonetworks.com/docs/DOC-1676

Re: NAT Over IPSEC VPN

BFCBahrain — Fri, 06 Dec 2013 21:41:11 GMT

Sorry I have gone tru once again .

Here i think I am using an IP that is not part of my Internal Address range .

So how do i route that IP ?Should I route the Nated IP address.

Can u pls guide.

Re: NAT Over IPSEC VPN

hyadavalli — Sat, 07 Dec 2013 16:01:16 GMT

Hello Bahrain,

consider this when doing any nat.security policy,

the order of packet check is:

1) Destination Nat

2)routing table

3) Source nat

4) Security policy

So when you are doing destination nat destination zone is decided based on route for pre-natted ip address.

Regards,

Hari Yadavalli

Re: NAT Over IPSEC VPN

BFCBahrain — Sun, 08 Dec 2013 19:00:28 GMT

Hi Hyadavalli,

Can you please give me more information ..

I gave my scenario ..can u pls help

Re: NAT Over IPSEC VPN

tasonibare — Mon, 09 Dec 2013 07:12:26 GMT

If you're using an IP address that does not exist on the PA-firewall as your natted-IP, then it means the firewall does not know how to route to this IP normally.

Try using a PBF policy to forward the traffic to your DMZ interface and/or next-hop.

Remember that the firewall makes decisions based on zones. If the IP address is not on any interface on the firewall, then that IP address does not belong to any zones, hence, the firewall does not know what to do with the packets.

Regards,

tasonibare

Re: NAT Over IPSEC VPN

hyadavalli — Mon, 09 Dec 2013 17:26:17 GMT

Hello,

So in your case.

Check in routing table for the natted IP(Not dmz server IP) to verify what ineterface it points to and look for the zone the interface specified to and use that in destination zone for destination nat.

Regards,

Hari Yadavalli