topic VPN Site-to-Site Private IP and Public IP in General Topics

VPN Site-to-Site Private IP and Public IP

Metgatz — Wed, 04 Aug 2021 18:37:03 GMT

VPN Site-to-Site Private IP and Public IP

Good afternoon everyone, is it possible to set up a Site-to-Site VPN between a site with a Palo Alto Private IP and a Palo Alto Public IP.

Site Privado: PaloAlto---IpWan-192.168.1.254---Router/Modem--------Internet-------Site Publico:IPWan:190.100.100.200

Thank you very much for your help and support, I remain attentive.

Best regards

Re: VPN Site-to-Site Private IP and Public IP

OtakarKlier — Wed, 04 Aug 2021 19:58:20 GMT

Hello,

Yes it is! On the PAN with the private IP address make sure to give it a Local IP Address in the IKE Gateway setting.

Then on the other PAN point the IKE gateway at the public IP address however in the Ike Gateway, put in the Peer Address:

Hope that helps.

Re: VPN Site-to-Site Private IP and Public IP

Metgatz — Wed, 04 Aug 2021 21:16:03 GMT

@OtakarKlier

Good afternoon, thank you for your reply.

On the private IP side, I don't need to do any NAT or Port-Forwarding ?
That configuration would be enough ?

I remain attentive, thank you very much

Re: VPN Site-to-Site Private IP and Public IP

zlling — Mon, 06 Nov 2023 13:40:19 GMT

Hi, any details setting for the ike gateway for both site?

I need create port forward at the site using internal ip as wan ip (udp500,udp4500) on my ISP router?

Re: VPN Site-to-Site Private IP and Public IP

OtakarKlier — Tue, 07 Nov 2023 16:48:47 GMT

Hello,

For your ISP router, dont have it filter anything. Leave it wide open and let the Palo Alto handle the traffic.

Just my thoughts.

Regards,

Re: VPN Site-to-Site Private IP and Public IP

OtakarKlier — Tue, 07 Nov 2023 16:49:52 GMT

Hello @Metgatz

Apologies for the late response. For the VPN tunnel, no. If the traffic is going out the internet, then internal to external traffic will need attention.

Regards,

Re: VPN Site-to-Site Private IP and Public IP

Metgatz — Wed, 08 Nov 2023 01:03:00 GMT

Hello @OtakarKlier thank you for your reply and collaboration.

I understand that it is feasible, I have not had to do it, but I understand that it is possible to do the following.

Scenario:

-Palo Alto Firewall Static Public IP directly connected to PA Interface.

-Firewall fortigate behind traditional Modem/Route/OTN almost domiciliary with Dynamica public IP but with private IP in

its WAN interface of the fortigate.

I.e.:

PaloAlto-Untrust-Interface-Static dedicated Public IP=======Internet=====VPN-Site-to-Site=============Dynamic-IP-traditional-Internet-Modem-ISP=====NAT===Private WAN IP Fortigate.

I can set up a Site to Site VPN tunnel between a Palo Alto FW with dedicated static public IP coming directly to the AP against a Fortigate firewall behind a traditional ISP modem/router/nat.

Is it feasible to realize this IPSEC tunnel, that is stable, operates correctly ?

What aspects, configurations, settings, etc. should I consider when making this configuration?

Thanks as always for the collaboration, good vibes and for all the advice and your time in answering.

Greetings and very attentive to your comments.

Re: VPN Site-to-Site Private IP and Public IP

OtakarKlier — Mon, 13 Nov 2023 15:22:59 GMT

Hello,

I not know the Fortigate devices well but on the Palo Alto you will setup the following:

Network > Network Profiles > IKE Gateways > General

Peer IP Address = the public IP address on the other side (Fortigate side of hte ISP moden doing the NAT)
Peer Identification = the Private NAT'ed IP of the Fortigate device.

Hope this helps.

Regards,