<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Network address Translation (NAT) support for IPSec ESP in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/network-address-translation-nat-support-for-ipsec-esp/m-p/41118#M30210</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have an IPSEC tunnel with a third party and they require that all traffic coming from me be NATted, as they will only accept data traffic coming from the IP of the NAT within the IPSEC tunnel.&lt;/P&gt;&lt;P&gt;I have been unsuccessful in trying to figure out how exactly this NAT within an IPSEC tunnel can be applied on a Palo Alto 5020 and would appreciate any comments from other people who have possibly done this before.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 20 Aug 2012 23:55:21 GMT</pubDate>
    <dc:creator>jrhine</dc:creator>
    <dc:date>2012-08-20T23:55:21Z</dc:date>
    <item>
      <title>Network address Translation (NAT) support for IPSec ESP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/network-address-translation-nat-support-for-ipsec-esp/m-p/41118#M30210</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have an IPSEC tunnel with a third party and they require that all traffic coming from me be NATted, as they will only accept data traffic coming from the IP of the NAT within the IPSEC tunnel.&lt;/P&gt;&lt;P&gt;I have been unsuccessful in trying to figure out how exactly this NAT within an IPSEC tunnel can be applied on a Palo Alto 5020 and would appreciate any comments from other people who have possibly done this before.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 20 Aug 2012 23:55:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/network-address-translation-nat-support-for-ipsec-esp/m-p/41118#M30210</guid>
      <dc:creator>jrhine</dc:creator>
      <dc:date>2012-08-20T23:55:21Z</dc:date>
    </item>
    <item>
      <title>Re: Network address Translation (NAT) support for IPSec ESP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/network-address-translation-nat-support-for-ipsec-esp/m-p/41119#M30211</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello, &lt;/P&gt;&lt;P&gt;This is not a terribly difficult task if you are familiar with how NATing generally works on the PAN firewall.&amp;nbsp; There is one main thing that you will need to make sure of, though: that the tunnel interface you specified for the tunnel is in a separate zone from the traffic that will be going across the tunnel.&amp;nbsp; As long as you have this done, you will build the NAT rule like this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Source Zone: &amp;lt;your source traffic zone(s)&amp;gt;&lt;/P&gt;&lt;P&gt;Destination Zone: &amp;lt;your VPN tunnel interface zone&amp;gt;&lt;/P&gt;&lt;P&gt;Source Address: any (or restricted to a specific IP if you like)&lt;/P&gt;&lt;P&gt;Source Translation: You have a couple of options here depending on exactly what traffic you are sending across.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 1. If it's coming from multiple hosts, specify Dynamic IP and Port and then Translated Address.&amp;nbsp; In the area where you specify an address, either select/create an address object for the address that you are NATing to, or you can just type an address in the field as well.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2. If it's coming from a single host, you can do the first option, or you can specify it as Static IP and then, in the Translated Address area, specify/create an address object for the address that you are NATing to or, again, you can just type an address into the field.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is all you should have to do; the rule will look very much like your source NAT policy that translates your user traffic out to the internet, except your destination zone will be the zone that your tunnel interface is in and you will not be specifying "Interface Address" as the Source Translated Address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One thing to keep in mind: if your VPN tunnel is currently in the same zone as your trusted network, when you apply a different zone to it, you will need to make sure to add the appropriate firewall rules so that traffic can flow correctly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 25 Aug 2012 22:04:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/network-address-translation-nat-support-for-ipsec-esp/m-p/41119#M30211</guid>
      <dc:creator>mike_lutgen</dc:creator>
      <dc:date>2012-08-25T22:04:33Z</dc:date>
    </item>
  </channel>
</rss>

