https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/73744#M41516 <P>What kind of NAT are you trying to do?</P> <P>It is possible to do dynamic-ip-and-port source NAT for sure, I haven't triend other scenarios.</P> Mon, 29 Feb 2016 06:36:15 GMT mvidic 2016-02-29T06:36:15Z https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/73724#M41515 <P>Does anyone know if it is possible to NAT over an IPSEC VPN without assigning&nbsp;an IP address on the tunnel interface itself?</P> <P>&nbsp;</P> <P>I tried but it doesn't&nbsp;seem possible.</P> <P>&nbsp;</P> <P>Help!</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Duane</P> Sun, 28 Feb 2016 01:18:43 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/73724#M41515 Hensley 2016-02-28T01:18:43Z https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/73744#M41516 <P>What kind of NAT are you trying to do?</P> <P>It is possible to do dynamic-ip-and-port source NAT for sure, I haven't triend other scenarios.</P> Mon, 29 Feb 2016 06:36:15 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/73744#M41516 mvidic 2016-02-29T06:36:15Z https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/73750#M41519 <P>Hi Duane</P> <P>&nbsp;</P> <P>you can try adding a loopback interface in the same zone as the vpn interface, then create a nat rule using dynamic ip+port and nat sourced from the loopback</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2816i03D42EA1863AC413/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2016-02-29_08-13-10.png" title="2016-02-29_08-13-10.png" /></P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2817iFB34FD8C43043C5D/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2016-02-29_08-14-57.png" title="2016-02-29_08-14-57.png" /></P> <P>&nbsp;</P> <P>depending on your remote peer you may need to account for this by using proxy-IDs</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2818i7E53BC006189CD15/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2016-02-29_08-17-12.png" title="2016-02-29_08-17-12.png" /></P> <P>&nbsp;</P> <P>hope this helps</P> Mon, 29 Feb 2016 07:17:43 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/73750#M41519 reaper 2016-02-29T07:17:43Z https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/74285#M41651 <P>If you want to &nbsp;configure a NAT rule you should be having an ip address on the interface either statically or assisgned via DHCP</P> <P>&nbsp;</P> <P>Else that will &nbsp;be a Not nat rule for the traffic</P> <P>&nbsp;</P> <P>Are you trying to &nbsp;use tunnel interface in NAT rule &nbsp;?&nbsp;</P> Mon, 07 Mar 2016 16:41:26 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-over-ipsec-vpn-without-an-ip-on-the-tunnel-interface/m-p/74285#M41651 tsrivastav 2016-03-07T16:41:26Z