topic Re: NAT over IPSec tunnel. in General Topics

NAT over IPSec tunnel.

DongQu — Sat, 17 Apr 2021 12:07:19 GMT

hello all

I have an IPSEC tunnel with ASA(99.1.1.23<> 123.2.4.105), the tunnel is UP but the source client is not able to access the destination server.

The proxy ID on PA side is

local: 1.1.1.1

remote: 2.2.2.2

both sides are using nat for the client/server behind the FWs

the source client IP is 10.10.10.10(NAT to 1.1.1.1) and the destination server IP is 10.10.20.10(NAT to 2.2.2.2).

can someone please advise how should I config the NAT policy and the static routing or the policy to get this setup working?

Appreciate.

Re: NAT over IPSec tunnel.

harishsidhartha — Sun, 18 Apr 2021 04:53:48 GMT

What I could understand from your question is that you want to enable a Two way NAT (NAT on both sides). Below is the configs for the first Palo Alto for Two way NAT. (Full subnet Static NAT). I have used Source based NAT on both sides with Bidirectional NAT Enabled.

10.100.100.x/24 to 1.1.1.x/24

10.200.200.x/24 to 2.2.2.x/24

set deviceconfig system hostname PA-NAT-Testing

set network interface ethernet ethernet1/1 layer3 ip 10.100.100.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Mgt-Ping-SSH-Https
set network interface ethernet ethernet1/1 comment Inside

set network interface ethernet ethernet1/2 layer3 ip 172.16.1.1/24
set network interface ethernet ethernet1/2 layer3 interface-management-profile Mgt-Ping-SSH-Https
set network interface ethernet ethernet1/2 comment Outside

set network interface tunnel units tunnel.1 ip 3.3.3.1
set network interface tunnel units tunnel.1 interface-management-profile Mgt-Ping-SSH-Https
set network interface tunnel units tunnel.1 comment NatTunnel

set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles default hash sha1
set network ike crypto-profiles ike-crypto-profiles default dh-group group2
set network ike crypto-profiles ike-crypto-profiles default lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 hash sha256
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 hash sha384
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp encryption aes-128-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 lifetime hours 1
set network ike crypto-profiles global-protect-app-crypto-profiles default encryption aes-128-cbc
set network ike crypto-profiles global-protect-app-crypto-profiles default authentication sha1
set network ike gateway Palo2 authentication pre-shared-key key <Key>
set network ike gateway Palo2 protocol ikev1 dpd enable yes
set network ike gateway Palo2 protocol ikev2 dpd enable yes
set network ike gateway Palo2 local-address ip 172.16.1.1/24
set network ike gateway Palo2 local-address interface ethernet1/2
set network ike gateway Palo2 protocol-common nat-traversal enable no
set network ike gateway Palo2 protocol-common fragmentation enable no
set network ike gateway Palo2 peer-address ip 172.16.10.1

set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]
set network virtual-router default routing-table ip static-route "Route to internet" nexthop ip-address 172.16.1.2
set network virtual-router default routing-table ip static-route "Route to internet" interface ethernet1/2
set network virtual-router default routing-table ip static-route "Route to internet" metric 10
set network virtual-router default routing-table ip static-route "Route to internet" admin-dist 10
set network virtual-router default routing-table ip static-route "Route to internet" destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route "Route to internet" route-table unicast
set network virtual-router default routing-table ip static-route local-site-NAT interface tunnel.1
set network virtual-router default routing-table ip static-route local-site-NAT metric 10
set network virtual-router default routing-table ip static-route local-site-NAT destination 2.2.2.0/24
set network virtual-router default routing-table ip static-route local-site-NAT route-table unicast
set network virtual-router default routing-table ip static-route Local-site-NAT2 interface tunnel.1
set network virtual-router default routing-table ip static-route Local-site-NAT2 metric 10
set network virtual-router default routing-table ip static-route Local-site-NAT2 destination 1.1.1.0/24
set network virtual-router default routing-table ip static-route Local-site-NAT2 route-table unicast
set network virtual-router default routing-table ip static-route "route to Palo2" interface tunnel.1
set network virtual-router default routing-table ip static-route "route to Palo2" metric 10
set network virtual-router default routing-table ip static-route "route to Palo2" destination 10.170.0.0/16
set network virtual-router default routing-table ip static-route "route to Palo2" route-table unicast

set network tunnel ipsec NatTunnel auto-key ike-gateway Palo2
set network tunnel ipsec NatTunnel tunnel-monitor enable no
set network tunnel ipsec NatTunnel tunnel-interface tunnel.1

set zone Trust network layer3 ethernet1/1
set zone untrust network layer3 [ ethernet1/2 tunnel.1 ]

set rulebase security rules "Permit Any" to any
set rulebase security rules "Permit Any" from any
set rulebase security rules "Permit Any" source any
set rulebase security rules "Permit Any" destination any
set rulebase security rules "Permit Any" source-user any
set rulebase security rules "Permit Any" category any
set rulebase security rules "Permit Any" application any
set rulebase security rules "Permit Any" service any
set rulebase security rules "Permit Any" source-hip any
set rulebase security rules "Permit Any" destination-hip any
set rulebase security rules "Permit Any" action allow

set rulebase nat rules SubnetNAT source-translation static-ip translated-address 1.1.1.0/24
set rulebase nat rules SubnetNAT source-translation static-ip bi-directional yes
set rulebase nat rules SubnetNAT to untrust
set rulebase nat rules SubnetNAT from Trust
set rulebase nat rules SubnetNAT source 10.100.100.0/24
set rulebase nat rules SubnetNAT destination any
set rulebase nat rules SubnetNAT service any
set rulebase nat rules SubnetNAT to-interface tunnel.1
set import network interface [ ethernet1/1 ethernet1/2 tunnel.1 ]

Re: NAT over IPSec tunnel.

A_Astardzhiev — Mon, 19 Apr 2021 06:29:08 GMT

@DongQuin suche case wher you have complete overlapping between local and remote networks, both sides of the tunnel must apply natting. Which means:

- Each side will use the remote NAT network (users should know the IP 2.2.2.2 in order to connect to remote side)

- Each side should apply NAT for its local network

So I assume that the config on ASA side will be handled and we speaking only from your side. You will need:

- static route for remote nat network pointing to tunnel interface (in your case route for 2.2.2.2 to tunnel.1)

- NAT rule maching local network/host 10.10.10.10 from your internal zone, to vpn zone (use separate zone instead of your internet untrust/outside zone) and applying static source NAT. You can enable the bi-directional option to automatically create NAT rule when remote side needs to initiate traffic to you.

- Or if you don't use bi-directional in the source nat, you need to create additional nat rule matching source remote nat network, to your local nat network applying destination nat (src: 2.2.2.2 to 1.1.1.1, apply destination nat to 10.10.10.10)

- For the rules you need to remember that security rules are using Post-NAT zones and Pre-NAT address: This means that for the

- outbound rule you need to allow your local address to remote nat ip

- inbound rule you need to allow remote nat address to your local nat address

Re: NAT over IPSec tunnel.

DongQu — Tue, 20 Apr 2021 14:02:29 GMT

hello @A_Astardzhiev

Thanks for your reply, my current config is similar as what you suggested. but there are some different

1. static route to the remote side server IP address(the really IP, not the remote NAT IP) point to the ipsec tunnel interface

2. the outbound policy allows the internal private IP to the server IP behind the NAT address(they ask us to access the real server), from trust zone to ipsec zone ----->>>different with your suggestions

3. the inbound policy allows the remote NAT address to our side NAT address, from the ipsec zone to trust zone

4. NAT policy is from trust zone to ipsec zone, source private IP is being translated to the static public IP, bi-directional is no

5. another NAT policy is from the ipsec zone to trust zone, the remote NAT IP is being translated to the server IP mentioned in step 2 and the destination IP (our NAT address) is being translated to our side private IP.

do we need to config any static routing for our side NAT address?

the remote side confirms the can see our attempts on their server, but I cannot see any traffic come back to our PA. the ASA guy said "We are still not seeing any packets being decrypted for your VPN session:"

Re: NAT over IPSec tunnel.

DongQu — Tue, 20 Apr 2021 14:01:41 GMT

hello @harishsidhartha

Thanks for your reply.

I tried the solution and output the config, compared with yours, but it did not work.

I cannot see any traffic coming back

the ASA guy said

We are still not seeing any packets being decrypted for your VPN session:

Re: NAT over IPSec tunnel.

BPry — Tue, 20 Apr 2021 16:10:53 GMT

@DongQu,

So just to confirm, you have verified that your traffic is coming across from the PAN side to your ASA perfectly fine and the ASA can see that traffic? If that's the case, can you have the ASA simply run a packet trace and see if you see traffic come across the tunnel. The folks running the ASA should be able to easily see where it's running into issues since it appears to be an issue with ASA->PAN traffic and not PAN->ASA.

Re: NAT over IPSec tunnel.

DongQu — Fri, 23 Apr 2021 03:04:51 GMT

Hello @A_Astardzhiev

for

"Or if you don't use bi-directional in the source nat, you need to create additional nat rule matching source remote nat network, to your local nat network applying destination nat (src: 2.2.2.2 to 1.1.1.1, apply destination nat to 10.10.10.10)"

should it be from the ipsec zone to internal zone?

Re: NAT over IPSec tunnel.

A_Astardzhiev — Fri, 23 Apr 2021 13:50:40 GMT

Hi @DongQu ,

This is a bit tricky. You see PAN first determine the destination zone and then evaluates NAT. For this reason for the NAT rule you need to use pre-NAT zones. Which means that for the destination zone you need to use the zone, which correspond with the network before the nat...I know it may sound confusing (even worst with my bad english) but take simpler example:

Imagine you want to do destination NAT so Internet users to reach your internal server. In this case you will create NAT rule like:

- source zone: unstrust/public

- source IP: any

- destination ip :50.50.50.50 (your public server ip)

- destination zone: untrust/public

- translated destination 10.10.10.10 (your private server ip)

You may notice that destination zone is not your internal (as you expect, because the server is in the internal zone), but it is again untrust. That is bacause 50.50.50.50 is not in your routing table and the FW is following the default route, deciding that 50.50.50.50 is related to untrust zone.

In your case you need to configure destination NAT, but not from public, but from the vpn tunnel. Which means your NAT will look like this:

- source zone: vpn-tunnel

- source ip: remote networks

- destination zone: this is the trickypart

- destination ip: local NAT network

- translated destination: local original network

And here come the tricky part: Your firewall will perform route lookup for the "local NAT network" to see which zone it is related. If it doesn't match any specific route it will match your default, therefor fw will think the destination zone is your untrust. So at the end your nat should use destination zone untrust (or what ever zone match the route for nat network)

This could be a bit misleading for someone else that is looking at the config after some time. For that reason in @harishsidhartha example configuration you will see static route for the local NAT network pointing to the tunnel. The only purpose of this route is to tell the FW to associate this NAT network with vpn-tunnel zone. That way when you configure your NAT rule you need to use source and destination zone = vpn-tunnel

Another approach would be to leave the destination zone to any. Select souce zone and ip, and destination ip, but this will be equivelent to just enabling bi-directional option in the source nat rule (from local to remote). Even that you use destination zone any you don't have to worrie if different traffic match this rule, because you have still specified source zone and destination ip. And because there is no way similar traffic to be received from any other interface or tunnel, you can be sure that only traffic from that tunnel will be nat-ed

Re: NAT over IPSec tunnel.

harishsidhartha — Mon, 26 Apr 2021 02:25:10 GMT

Hi @DongQu ,

As @A_Astardzhiev rightly mentioned, you need to add static routes as follows.

1) 1.1.1.0/24 via tunnel1

2) 2.2.2.0/24 via tunnel1

3) 0.0.0.0/0 via <Outside interface>

(you need to provide the static route for both 1.1.1.0 and 2.2.2.0 to tunnel 0. else it will not work)

The configuration I provided works fine in my lab.

Regards,

Harish Sidhartha