topic Bi-Directional NAT To External IP not Configured on an Interface in General Topics https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-to-external-ip-not-configured-on-an-interface/m-p/420551#M93886 <P>Hey All,</P><P>Working on a PA-220 on 10.0.6 here. I am trying to configure a BI-DI NAT for inside Zone A host 10.0.0.4 to Zone B public IP:&nbsp;5.183.105.227. This traffic is to allow a vendor to build an IPSec VPN tunnel between their VPN appliance configured as 10.0.0.4 to their remote peer VPN of <SPAN>99.169.208.245</SPAN>.</P><P>&nbsp;</P><P>Zone A = Inside (Interface 1/6: 10.0.0.1/24)</P><P>Zone B = Internet (Interface 1/1&nbsp;5.183.105.229/29)</P><P>&nbsp;</P><P>NAT is setup as:</P><P>Source Zone: A ---&gt; Destination Zone: B, Destination Interface 1/1</P><P>Source Address: 10.0.0.4</P><P>Service Any</P><P>Source Translation: Static-IP&nbsp;5.183.105.227</P><P>Bi-Di = Yes</P><P>Destination translation = Unconfigured.</P><P>&nbsp;</P><P>I have unrestricted security rules to allow traffic from Zone A to Zone B and from Zone B to Zone A.</P><P>&nbsp;</P><P>What I have been able to conclude when I look at the packet captures for this traffic is that there is never a transmit capture created but I do see in the Drop capture where 10.0.0.4 is attempting to communicate with&nbsp;<SPAN>99.169.208.245 via ISAKMP 500 but it is dropped before getting routed.&nbsp;</SPAN></P><P>&nbsp;</P><P>Since the IP (5.183.105.227) that i am trying to source NAT to is not configured on any interface, is there some sort of trickery to make it work with a PA?</P><P>&nbsp;</P><P>I cannot get this to work and spent 3 hours on the phone with PA support to no avail.</P> Tue, 20 Jul 2021 06:10:03 GMT JoeJackson 2021-07-20T06:10:03Z Bi-Directional NAT To External IP not Configured on an Interface https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-to-external-ip-not-configured-on-an-interface/m-p/420551#M93886 <P>Hey All,</P><P>Working on a PA-220 on 10.0.6 here. I am trying to configure a BI-DI NAT for inside Zone A host 10.0.0.4 to Zone B public IP:&nbsp;5.183.105.227. This traffic is to allow a vendor to build an IPSec VPN tunnel between their VPN appliance configured as 10.0.0.4 to their remote peer VPN of <SPAN>99.169.208.245</SPAN>.</P><P>&nbsp;</P><P>Zone A = Inside (Interface 1/6: 10.0.0.1/24)</P><P>Zone B = Internet (Interface 1/1&nbsp;5.183.105.229/29)</P><P>&nbsp;</P><P>NAT is setup as:</P><P>Source Zone: A ---&gt; Destination Zone: B, Destination Interface 1/1</P><P>Source Address: 10.0.0.4</P><P>Service Any</P><P>Source Translation: Static-IP&nbsp;5.183.105.227</P><P>Bi-Di = Yes</P><P>Destination translation = Unconfigured.</P><P>&nbsp;</P><P>I have unrestricted security rules to allow traffic from Zone A to Zone B and from Zone B to Zone A.</P><P>&nbsp;</P><P>What I have been able to conclude when I look at the packet captures for this traffic is that there is never a transmit capture created but I do see in the Drop capture where 10.0.0.4 is attempting to communicate with&nbsp;<SPAN>99.169.208.245 via ISAKMP 500 but it is dropped before getting routed.&nbsp;</SPAN></P><P>&nbsp;</P><P>Since the IP (5.183.105.227) that i am trying to source NAT to is not configured on any interface, is there some sort of trickery to make it work with a PA?</P><P>&nbsp;</P><P>I cannot get this to work and spent 3 hours on the phone with PA support to no avail.</P> Tue, 20 Jul 2021 06:10:03 GMT https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-to-external-ip-not-configured-on-an-interface/m-p/420551#M93886 JoeJackson 2021-07-20T06:10:03Z Re: Bi-Directional NAT To External IP not Configured on an Interface https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-to-external-ip-not-configured-on-an-interface/m-p/420877#M93906 <P>Hello,</P><P>Not sure on their VPN technology, however when I had to setup a tunnel between two PAN's where one was on the inside and already NAT'd. I had to use Peer Identifiers. So on the non-nated PAN, for the IKE tunnel, I had to use the Peer Identification option.&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-an-ike-gateway" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-an-ike-gateway</A></P><P>&nbsp;</P><P>Hope that helps.</P> Tue, 20 Jul 2021 20:49:03 GMT https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-to-external-ip-not-configured-on-an-interface/m-p/420877#M93906 OtakarKlier 2021-07-20T20:49:03Z