<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NAT configuration for interface Tunnel in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/291374#M77271</link>
    <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm in the middle of migrating a series of PAs from one customer to another. The newer system is on version 8.1.10, the other is on 8.0.14.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have configured the VPNs each with a separate tunnel, pretty standard stuff. I am creating some specific NAT rules for a couple of the tunnels and hit a brick wall... the tunnels have a local IP and peer address. When I configure the tunnel nat source translation I am using DIPP with the tunnel interface, IP none but it fails the commit config stating the address is missing. The drop down box has no addresses, just none. In the old config it is configured with no IP address for the nat.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any ideas?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Adrian&lt;/P&gt;</description>
    <pubDate>Fri, 04 Oct 2019 13:55:59 GMT</pubDate>
    <dc:creator>a.jones</dc:creator>
    <dc:date>2019-10-04T13:55:59Z</dc:date>
    <item>
      <title>NAT configuration for interface Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/291374#M77271</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm in the middle of migrating a series of PAs from one customer to another. The newer system is on version 8.1.10, the other is on 8.0.14.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have configured the VPNs each with a separate tunnel, pretty standard stuff. I am creating some specific NAT rules for a couple of the tunnels and hit a brick wall... the tunnels have a local IP and peer address. When I configure the tunnel nat source translation I am using DIPP with the tunnel interface, IP none but it fails the commit config stating the address is missing. The drop down box has no addresses, just none. In the old config it is configured with no IP address for the nat.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any ideas?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Adrian&lt;/P&gt;</description>
      <pubDate>Fri, 04 Oct 2019 13:55:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/291374#M77271</guid>
      <dc:creator>a.jones</dc:creator>
      <dc:date>2019-10-04T13:55:59Z</dc:date>
    </item>
    <item>
      <title>Re: NAT configuration for interface Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/291406#M77273</link>
      <description>&lt;P&gt;I,&lt;/P&gt;&lt;P&gt;Don't really understand why you need source NAT in your tunnel, but it doesn't matter.&lt;/P&gt;&lt;P&gt;If you want to source NAT traffic in your VPN tunnel, either you select NAT based on interface, select the tunnel interface and then your tunnel IP, or you select Translated Address and give the IP you want. Of course, configure your NAT as Dynamic IP and Port.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rgds&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;V.&lt;/P&gt;</description>
      <pubDate>Fri, 04 Oct 2019 14:52:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/291406#M77273</guid>
      <dc:creator>VinceM</dc:creator>
      <dc:date>2019-10-04T14:52:01Z</dc:date>
    </item>
    <item>
      <title>Re: NAT configuration for interface Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/291410#M77274</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109121"&gt;@a.jones&lt;/a&gt; ,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It sounds like you are mistaking the tunnel interface for the IPsec tunnel source interface.&lt;/P&gt;&lt;P&gt;- " the tunnels have a local IP and peer address." - local IP and peer address are the public addresses of your gateway and the remote device that will be used for building the IPsec tunnel. In addition, Palo Alto is using a &lt;STRONG&gt;route-based &lt;/STRONG&gt;VPN implementation, which means that if you want to send traffic through the tunnel you need to have a route in the routing table pointing to that tunnel. Since the "tunnel" is logical (it doesn't exist physically) you need a logical (virtual) interface that is bound to that tunnel.&lt;/P&gt;&lt;P&gt;- "When I configure the tunnel nat source translation I am using DIPP with the tunnel interface, IP none" - It sounds like you have bound your IPsec tunnel to a tunnel interface that has no IP configured. While a tunnel interface can be configured without an IP address, such a source NAT rule is not valid. If you think about it, you said to your FW - for source NAT use the address of this interface, which doesn't have an IP assigned...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The two solutions would be:&lt;/P&gt;&lt;P&gt;- Configure your Source NAT DIPP rule with "Translated address" instead of "Interface address" and define the address you want to use for the hide NAT&lt;/P&gt;&lt;P&gt;- Assign an IP address on the tunnel interface that is bound to your IPsec tunnel. After that you should be able to use it in the source NAT rule&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't believe there is any difference between the two. &lt;STRONG&gt;Most important&lt;/STRONG&gt; in both cases is that your proxy-id should use the NAT address as local.
And at the same time the remote side of the tunnel should use the NAT address as remote proxy-id.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 04 Oct 2019 15:10:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/291410#M77274</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2019-10-04T15:10:03Z</dc:date>
    </item>
    <item>
      <title>Re: NAT configuration for interface Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/292884#M77461</link>
      <description>&lt;P&gt;Thanks all.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Although it seems a stupid question, I am migrating the current setup and the end customer wants it identical, which is a problem, hence asking the question.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unfortunately this is not the best or easiest migration in the world. The customer cannot provide access to the firewall, they have limited access to the firewall as it's managed by a 3rd party and that 3rd party is being a pain in the proverbial as they lost the contract.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm reviewing the setup to try and improve.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Adrian&lt;/P&gt;</description>
      <pubDate>Mon, 14 Oct 2019 14:57:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-for-interface-tunnel/m-p/292884#M77461</guid>
      <dc:creator>a.jones</dc:creator>
      <dc:date>2019-10-14T14:57:00Z</dc:date>
    </item>
  </channel>
</rss>

