Destination NAT of ESP and GRE

L4 Transporter


Hi all,

I'm hoping somebody might be able to help with this unusual scenario please?

I have been tasked with replacing an old linux based firewall with a PA-500 device.

Initially the configuration of the PA-500 should just replicate what the current firewall is doing before we start phasing in the additional security capabilities of the Palo.

The only thing I am concerned about is the way that ESP and GRE connections are NATed on the linux firewall.

The protocols and ports associated with PPTP/L2TP will hit the Palo on its external interface and need to be destination NATed to a VPN server on an internal network.

I cannot see any way to specifically NAT ESP or GRE on the Palo but I suspect leaving the service as "any" in my NAT rule might achieve this?

An additional complication though is that other ports on the external interface of the Palo need to be destination NATed to other internal devices.  If I put these port specific NAT rules above my "any" rule would the destination NAT of GRE/ESP still be performed please?

Any help or guidance would be greatly appreciated!

Many thanks,

Dave



All Replies
L1 Bithead

Re: Destination NAT of ESP and GRE

Hi Dave,

When there is a NAT device between two VPN endpoint devices, the concept of 'NAT traversal' comes into the picture and the outer header will be changed to UDP 4500. ESP will be encapsulated within the UDP 4500 header, and if you take a packet capture all you will see is UDP 4500 packets. In other words, for your scenario you would have to configure static bidirectional NAT for UDP 4500, and not ESP, to translate the IPsec VPN device IP address.

Hope this helps.

Meera

L5 Sessionator

Re: Destination NAT of ESP and GRE

I had a similar scenario with one migration.

Yes, you can NAT GRE with a NAT rule which has 'any' for service.

And yes, if you put other port translations above this rule you can use different destination addresses for other services and still have GRE DNAT-ed to the desired server in the end.

I didn't do it for ESP yet. In such a case I guess NAT traversal is a better solution.
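The ordering point made in the two replies above (port-specific DNAT rules on top, a service "any" rule underneath so GRE and ESP still fall through to the VPN server, and UDP 4500 for NAT traversal) can be checked with a small top-down first-match simulation. This is an added illustration, not code from the original thread or from Palo Alto Networks; the rule names, protocol numbers and 10.0.0.x addresses are constructed, and it models generic first-match rulebase semantics rather than the exact PAN-OS implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers (IANA); GRE and ESP carry no L4 port.
TCP, UDP, GRE, ESP = 6, 17, 47, 50

@dataclass(frozen=True)
class NatRule:
    name: str
    proto: Optional[int]    # None = service "any" (every protocol)
    dport: Optional[int]    # None = any port / protocol has no ports
    translated_to: str      # internal host the destination becomes

@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None

def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """A rule matches when its service is 'any' or protocol and port agree."""
    if rule.proto is None:
        return True
    if rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def translate(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], Optional[str]]:
    """Top-down, first match wins; returns (rule name, translated address)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.translated_to
    return None, None

def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule covers them
    (e.g. an 'any' rule placed above the port-specific ones)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.proto is None or (
                earlier.proto == later.proto and earlier.dport in (None, later.dport)
            ):
                out.append(later.name)
                break
    return out

# Constructed rulebase: specific DNATs first, catch-all "any" rule last.
# Caveat: the catch-all also sends any unlisted TCP/UDP port to the VPN server.
RULES = [
    NatRule("web-dnat", TCP, 443, "10.0.0.10"),
    NatRule("nat-t-dnat", UDP, 4500, "10.0.0.20"),   # IKE/ESP NAT traversal
    NatRule("vpn-any-dnat", None, None, "10.0.0.20"),   # GRE, ESP, anything else
]
```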

L4 Transporter

Re: Destination NAT of ESP and GRE

Thank you both for your replies!

Since writing the post I have managed to test with PPTP / GRE in the lab and it worked exactly as you have confirmed.

I am hoping that ESP will work in the same way but I've not got a suitable L2TP server to test with.

Thanks again,

Dave
