Working on a PA-220 on 10.0.6 here. I am trying to configure a BI-DI NAT for inside Zone A host 10.0.0.4 to Zone B public IP: 188.8.131.52. This traffic is to allow a vendor to build an IPSec VPN tunnel between their VPN appliance configured as 10.0.0.4 to their remote peer VPN of 184.108.40.206.
Zone A = Inside (Interface 1/6: 10.0.0.1/24)
Zone B = Internet (Interface 1/1 220.127.116.11/29)
NAT is setup as:
Source Zone: A ---> Destination Zone: B, Destination Interface 1/1
Source Address: 10.0.0.4
Source Translation: Static-IP 18.104.22.168
Bi-Di = Yes
Destination translation = Unconfigured.
I have unrestricted security rules to allow traffic from Zone A to Zone B and from Zone B to Zone A.
What I have been able to conclude when I look at the packet captures for this traffic is that there is never a transmit capture created but I do see in the Drop capture where 10.0.0.4 is attempting to communicate with 22.214.171.124 via ISAKMP 500 but it is dropped before getting routed.
Since the IP (126.96.36.199) that i am trying to source NAT to is not configured on any interface, is there some sort of trickery to make it work with a PA?
I cannot get this to work and spent 3 hours on the phone with PA support to no avail.
Not sure on their VPN technology, however when I had to setup a tunnel between two PAN's where one was on the inside and already NAT'd. I had to use Peer Identifiers. So on the non-nated PAN, for the IKE tunnel, I had to use the Peer Identification option.
Hope that helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!