topic Re: NAT Traversal over IPSEC Tunnel in General Topics

NAT Traversal over IPSEC Tunnel

dan731028 — Thu, 28 Aug 2014 19:38:50 GMT

Guys and Gals,
I have been working to set up NAT-T across an IPSec tunnel between two PA-200's in my lab and am not having success. I have followed documentation and suggestions I could find on this site, but I am unable to get NAT-T working and was wondering if anyone out there could help. In testing I first setup the tunnel with NAT-T configured. On initial configuration, the tunnels came up, but I could not reach the remote firewalls by their assigned NAT IP address across the tunnel. I removed NAT from the equation to make sure my IPSEC tunnel was working. Once I did this, I could get to the remote firewalls across the tunnel using their real IP addresses. So I didn't have to flip back and forth I left the real IP configuration and re-added my NAT configuration, but am still not able to reach the remote side.

Here is my topology. The firewall interfaces are Layer 3 interfaces:

The Cable Modem they connect to has a 4-port switch on the back. The Peer addresses are on the same subnet and are in zone Internet. I have created tunnel.1 and put it in zone IPSEC, and I have a zone named LAN serving DHCP addresses to clients. I want to be able to hit the management interface of the remote firewall over the IPSEC tunnel using the NAT IP address in the topology diagram. To do this I have configured a source NAT and static NAT on both sides.

NAT statement Firewall 1:

Security Policy Firewall 1:

Routing Table Firewall 1:

NAT Statements Firewall 2:

Security Policy Firewall 2:

Routing Table Firewall 2:

I suspect the issue lies within the monitor log. With ICMP pings going across the tunnel I see this in the traffic log:

This tells me the Remote firewall is applying the NAT policy, and it is coming across the tunnel correctly, but I'm not sure why the destination zone is the Internet zone and not the LAN zone. As an aside, if you look at my security policies, you'll see a disabled rule named "tunnel traffic for NAT" this security policy rule allowed zone IPSEC to Internet, but having this rule in place just changed the rule name in the traffic logs. Traffic between a local machine and the remote firewall would not pass. Any clarity on why the firewall is putting the destination zone as Internet, and how I can get the firewall to correctly forward this to the LAN instead would be greatly appreciated.

Re: NAT Traversal over IPSEC Tunnel

dan731028 — Thu, 28 Aug 2014 20:01:11 GMT

So, while I was writing this all out for the forum, I changed my STATIC NAT statement from source zone LAN - destination zone IPSEC to source zone LAN - destination zone Internet on both firewalls, everything began working.

Traffic Log:

Session ID Info:

I guess my question now is why did I need to change the static NAT destination zone from IPSEC to Internet, and once I did that why did the "to zone" in the traffic logs change from Internet to LAN?

Re: NAT Traversal over IPSEC Tunnel

dburns — Thu, 28 Aug 2014 20:28:45 GMT

Pre-Nat rule matching will use a route look up to match the NAT rule prior to applying NAT. I'm guessing 10.10.2.10 would go our the internet zone.

Dominic

Re: NAT Traversal over IPSEC Tunnel

dan731028 — Thu, 28 Aug 2014 21:34:01 GMT

The network 10.10.2.0/24 was marked to go across the tunnel.1 interface for my IPSEC tunnel as a destination network in the routing table. I was expecting even if the NAT was misconfigured, the destination zone would be the IPSEC zone since the traffic came across the tunnel. Instead, until I changed the NAT statement, the firewall was trying to send the traffic destined from zone IPSEC to 10.10.1.10 to the Internet zone instead of NAT-ing the packet to the LAN zone. But, because routes are configured with destination subnets in the routing table, there was not entry in its routing table for 10.10.1.0/24 and the firewall defaulted to its default route during it's pre-nat lookup. I was assuming the firewall would know that traffic destined for 10.10.1.10 (local static nat entry) would nat from zone IPSEC to zone LAN, when in actuality, it looks like the firewall had to send it out it's default route (pre-NAT route lookup), examine NAT policy, and then redirect the packet to the LAN zone.

Do I just need to read up more on how the flow goes for NAT rules, or is there a better way to configure this?

Re: NAT Traversal over IPSEC Tunnel

dburns — Fri, 29 Aug 2014 14:50:39 GMT

Packet Flow in PAN-OS

See this document. You'll notice prior to the NAT policy look up there's a forwarding lookup. The information applied from this forward look up is what is used to match the nat rule (important to note it is not used to match the security rule).

Dominic