https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/184018#M56474 <P>I don't have an Untrusted zone as an option. But yes the 172.25.43.1/32 is just an object to match Proxy-ID setup in a VPN tunnel. It is not a part of an internal network. I do have active security polices allowing these Inside, DMZ and Subnets between them and the VPN zone.</P><P>&nbsp;</P><P>Below is the destination NAT that doesn't work.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NAT-Trans-Not-Working.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12134i5753B82E4FFCDA20/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="NAT-Trans-Not-Working.PNG" alt="NAT-Trans-Not-Working.PNG" /></span></P><P>These are source NAT entries that work only when traffic is initiated from Trusted or DMZ resouces. When traffic is initiated from the VPN resource it doesn't work. Even when Bi-Directional is enabled. On most firewalls this source NAT configuration set to Bi-Directional is all that is required.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NAT-Trans-Working.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12135i3C1B87E26E45D498/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="NAT-Trans-Working.PNG" alt="NAT-Trans-Working.PNG" /></span></P> Thu, 26 Oct 2017 22:02:21 GMT bshuman 2017-10-26T22:02:21Z https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/181359#M56035 <P>Hello</P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">I'm having a very similar issue with trying to configure a NAT translation from VPN to Trusted zone. In my case I'm building a VPN tunnel for monitoring using /32 ProxyIDs. My configuration VPN ProxyID is like the example below:</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">Remote:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Local:</SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">3.3.3.3/32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; 172.25.40.3/32</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">My NAT is configured as follows.</SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">Source Zone:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dest Zone:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Source Address:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dest Address:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Destination Trans:<BR /></SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">VPN &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Trusted&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3.3.3.3/32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.25.40.3/32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.100.10.10/32</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">I can't get the translation to happen when send pings from the VPN and that's what I need working. </SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">If I switch from a Dest translation to Source translation it works when I ping from Trust to VPN. </SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">Source Zone:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dest Zone:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Source Address:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dest Address:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Source Trans:</SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">Trusted&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; VPN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.100.10.10/32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3.3.3.3/32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.25.40.3/32</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">What am I missing? Do I need to add a static route for the V-Router? To get to 172.25.40.0/32 use tunnl.x?</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">Please advise. Thanks. </SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead"><SPAN class="">Ben</SPAN></SPAN></P> Wed, 11 Oct 2017 17:57:30 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/181359#M56035 bshuman 2017-10-11T17:57:30Z https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/181384#M56037 <P>I assume that you are not using&nbsp;<SPAN>172.25.40.3/32&nbsp; in your network internally.</SPAN></P><P><SPAN>It means that based on routing table traffic to this IP is sent towards Untrust zone.</SPAN></P><P><SPAN>So for NAT to match it should be VPN &gt; Untrust (not Trust).</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>And you also might need second NAT rule if traffic is initiated from inside.</SPAN></P><P><SPAN>In this case it is Trust &gt; VPN.</SPAN></P><P>&nbsp;</P> Wed, 11 Oct 2017 19:04:02 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/181384#M56037 Raido_Rattameister 2017-10-11T19:04:02Z https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/183491#M56381 <P>I'll try that. Thank you.</P> Tue, 24 Oct 2017 17:35:02 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/183491#M56381 bshuman 2017-10-24T17:35:02Z https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/184018#M56474 <P>I don't have an Untrusted zone as an option. But yes the 172.25.43.1/32 is just an object to match Proxy-ID setup in a VPN tunnel. It is not a part of an internal network. I do have active security polices allowing these Inside, DMZ and Subnets between them and the VPN zone.</P><P>&nbsp;</P><P>Below is the destination NAT that doesn't work.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NAT-Trans-Not-Working.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12134i5753B82E4FFCDA20/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="NAT-Trans-Not-Working.PNG" alt="NAT-Trans-Not-Working.PNG" /></span></P><P>These are source NAT entries that work only when traffic is initiated from Trusted or DMZ resouces. When traffic is initiated from the VPN resource it doesn't work. Even when Bi-Directional is enabled. On most firewalls this source NAT configuration set to Bi-Directional is all that is required.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NAT-Trans-Working.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12135i3C1B87E26E45D498/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="NAT-Trans-Working.PNG" alt="NAT-Trans-Working.PNG" /></span></P> Thu, 26 Oct 2017 22:02:21 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-nat-via-vpn-tunnel-vpn-zone-to-trusted-zone/m-p/184018#M56474 bshuman 2017-10-26T22:02:21Z