https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/330138#M83724 <P>Seems for Natting we&nbsp; used dynamic NAT as our source was 10.0.0/8 and for source address translation we used /27 Public IP.</P><P>All went well.</P><P>&nbsp;</P><P>Thanks for your help</P> Wed, 27 May 2020 17:16:49 GMT MP18 2020-05-27T17:16:49Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329689#M83677 <P><SPAN>We need to build the new IPSEC tunnel with the vendor.</SPAN><BR /><BR /><SPAN>Our side</SPAN><BR /><BR /><SPAN>PA Public IP say 200.23.23.x&nbsp; for IPEC tunnel</SPAN><BR /><SPAN>Our Lan </SPAN></P><P><SPAN>1&gt;&gt;10.0.0.0/8&nbsp;</SPAN></P><P><SPAN>2&gt;&gt;172.16.0.0/16</SPAN><BR /><BR /><SPAN>Vendor Juniper Public IP 104.156.166.x</SPAN></P><P>&nbsp;</P><P><SPAN>Users on our side need to access the vendor network IP<BR />1&gt;&gt;</SPAN><SPAN>100.65.5.x </SPAN></P><P><SPAN>2&gt;&gt;100.66.25.0/24<BR /><BR />Vendor told us they do not want to allow our Private IP address inside the Tunnel<BR />So they told us for our private network like 10.0.0.0/8 and 172.16.x.x we can<BR />NAT that to their Public IP 100.67.25.25 in our firewall<BR /><BR />1&gt;So need to know on our side of PA i need to configure the NAT rule saying any traffic coming from our zone say corp with IP 10.0.0.0/8 or 172.16.x.x<BR />going to Tunnel interface say tunnel.5 get natted to 100.67.25.25?<BR /></SPAN></P><P>&nbsp;</P><P><SPAN>When I put Vendor Public IP for source NAT will this work as PA does know about this IP?<BR />For this i need to create source NAT with bidirectional enabled right?<BR />2&gt;Also on our PA side do i need to enable NAT traversal?<BR />Normally we do this when middle device in IPSEC tunnel is doing the NAT?<BR /><BR /><BR /></SPAN></P> Mon, 25 May 2020 01:43:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329689#M83677 MP18 2020-05-25T01:43:21Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329695#M83678 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;,</P><P>&nbsp;</P><P>Is it tunnel bidirectional? If tunnel is bidirectional means both ends will be initiator and responder then only you need to put static bidirectional NAT. Otherwise Normal Source NaT is sufficient. As per the given details, vendor side have given only one public IP to NAT your side subnets so it is unidirectional tunnel and you need to put dynamic SNAT.</P><P>&nbsp;</P><P>In Proxy ID, you will configure S-NAT public IP as a local network/host. Also you should have proper routes configured. Yes, you need to enable NAT-T.</P><P>&nbsp;</P><P>&nbsp;</P><P>Hope it helps!</P><P>Mayur</P> Mon, 25 May 2020 04:40:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329695#M83678 SutareMayur 2020-05-25T04:40:41Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329698#M83679 <P>Hi Mayur,</P><P>&nbsp;</P><P>Tunnel is unidirectional.</P><P>As traffic is initiated from out side.</P><P>&nbsp;</P><P>Also i Read if PA does not own the IP here Public IP of vendor as we are using that IP for Source NAtting then proxy arp will come into play?</P><P>&nbsp;</P><P>Are you sure NAT T is needed?</P><P>As our PA is doing NAT then vendor will do on their end.</P><P>No device in between</P><P>&nbsp;</P> Mon, 25 May 2020 04:47:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329698#M83679 MP18 2020-05-25T04:47:48Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329702#M83680 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>,</P><P>&nbsp;</P><P><STRONG>Apologies, i took it in wrong way! NAT-T is not required in your case.</STRONG></P><P>&nbsp;</P><P>Yes Proxy-ID will come into picture so you need to configure it in your case.&nbsp; Under Proxy IDs Local subnet/Network, you need to mention S-NAT public IP. This is because PA supports only Route-Based VPN and if you have peer which has Policy-based VPN, you need to configure Proxy-IDs.</P><P>&nbsp;</P><P>Mayur</P> Mon, 25 May 2020 05:19:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/329702#M83680 SutareMayur 2020-05-25T05:19:24Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/330138#M83724 <P>Seems for Natting we&nbsp; used dynamic NAT as our source was 10.0.0/8 and for source address translation we used /27 Public IP.</P><P>All went well.</P><P>&nbsp;</P><P>Thanks for your help</P> Wed, 27 May 2020 17:16:49 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-with-vendor-and-using-vendor-public-ip-for-source/m-p/330138#M83724 MP18 2020-05-27T17:16:49Z