Destination NAT of ESP and GRE


L4 Transporter

Hi all,

I'm hoping somebody might be able to help with this unusual scenario please?

I have been tasked with replacing an old linux based firewall with a PA-500 device.

Initially the configuration of the PA-500 should just replicate what the current firewall is doing before we start phasing in the additional security capabilities of the Palo.

The only thing I am concerned about is the way that ESP and GRE connections are NATed on the linux firewall.

The protocols and ports associated with PPTP/L2TP will hit the Palo on its external interface and need to be destination NATed to a VPN server on an internal network.

I cannot see any way to specifically NAT ESP or GRE on the Palo but I suspect leaving the service as "any" in my NAT rule might achieve this?

An additional complication though is that other ports on the external interface of the Palo need to be destination NATed to other internal devices. If I put these port specific NAT rules above my "any" rule would the destination NAT of GRE/ESP still be performed please?

Any help or guidance would be greatly appreciated!

Many thanks,

Dave

1 accepted solution

Accepted Solutions

L4 Transporter

Thank you both for your replies!

Since writing the post I have managed to test with PPTP / GRE in the lab and it worked exactly as you have confirmed.

I am hoping that ESP will work in the same way but I've not got a suitable L2TP server to test with.

Thanks again,

Dave


3 REPLIES

L1 Bithead

Hi Dave,

When there is a NAT device in between two VPN end point devices, the concept of 'NAT-traversal' will come into the picture and the outer header will be changed to UDP 4500. ESP will be encapsulated within the UDP 4500 header and if you take a packet capture all that you see will be UDP 4500 packets. In other words, for your scenario you would have to configure static bidirectional NAT for UDP 4500 and not ESP to translate the IPsec VPN device IP address.

Hope this helps.

Meera

L6 Presenter

I had a similar scenario with one migration.

Yes, you can NAT GRE with a NAT rule which has 'any' for service.

And yes, if you put other port translations above this rule you can use different destination addresses for other services and still have GRE DNAT-ed to the desired server in the end.

I didn't do it for ESP yet. In such a case I guess NAT traversal is a better solution.
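To make the rule ordering described in the two replies concrete, here is an added PAN-OS CLI example (configure mode). It is not configuration from the thread or from Palo Alto Networks; the zone names (untrust, dmz), the public address 203.0.113.10, the VPN server 10.0.0.10 and the web server 10.0.0.20 are assumptions, as are the rule and service object names. It places the port-specific destination NAT rules above a "service any" catch-all for the VPN server, which is what the thread confirms works for GRE; the explicit UDP 500/4500 rules cover the NAT-traversal case Meera describes, so ESP traffic that arrives encapsulated in UDP 4500 is handled by a specific rule rather than relying on the catch-all.

```panos
# Added example, not from the thread. Assumed values: zones "untrust"/"dmz",
# public IP 203.0.113.10, VPN server 10.0.0.10, web server 10.0.0.20.

# Service objects for the port-specific translations.
set service svc-tcp-443  protocol tcp port 443
set service svc-tcp-1723 protocol tcp port 1723
set service svc-udp-500  protocol udp port 500
set service svc-udp-4500 protocol udp port 4500

# 1) Port-specific DNAT rules first. Each only matches its own TCP/UDP service,
#    so a GRE or ESP packet does not match here and falls through to the catch-all.
#    For DNAT the destination zone is where the pre-NAT address lives (untrust).
set rulebase nat rules DNAT-WEB-443  from untrust to untrust source any destination 203.0.113.10 service svc-tcp-443  destination-translation translated-address 10.0.0.20
set rulebase nat rules DNAT-PPTP-1723 from untrust to untrust source any destination 203.0.113.10 service svc-tcp-1723 destination-translation translated-address 10.0.0.10
set rulebase nat rules DNAT-IKE-500   from untrust to untrust source any destination 203.0.113.10 service svc-udp-500  destination-translation translated-address 10.0.0.10
set rulebase nat rules DNAT-NATT-4500 from untrust to untrust source any destination 203.0.113.10 service svc-udp-4500 destination-translation translated-address 10.0.0.10

# 2) Catch-all for the remaining IP protocols aimed at the public address
#    (GRE for PPTP, ESP when no NAT-T is in play). "service any" is what lets
#    a non-TCP/UDP protocol match a NAT rule at all.
set rulebase nat rules DNAT-VPN-ANY from untrust to untrust source any destination 203.0.113.10 service any destination-translation translated-address 10.0.0.10

# NAT rules are evaluated top-down and the first match wins, so keep the
# catch-all below the specific rules.
move rulebase nat rules DNAT-VPN-ANY bottom

# 3) Security policy. PAN-OS matches security rules on the pre-NAT destination
#    address but the post-NAT destination zone. App-ID lets the VPN rule admit
#    only the tunnel protocols instead of "any", which keeps the catch-all NAT
#    rule from silently exposing every other protocol on the VPN server.
set rulebase security rules ALLOW-VPN-IN from untrust to dmz source any destination 203.0.113.10 application [ pptp gre ike ipsec-esp ipsec-esp-udp ] service application-default action allow
set rulebase security rules ALLOW-WEB-IN from untrust to dmz source any destination 203.0.113.10 application [ ssl web-browsing ] service svc-tcp-443 action allow

commit
```

After committing, `show running nat-policy` lists the rules in evaluation order, and `show session all filter destination 203.0.113.10` shows which NAT rule each live session matched, which is the quickest way to confirm that a GRE session hit DNAT-VPN-ANY while a TCP/443 session hit DNAT-WEB-443. Meera's alternative, a bidirectional static source NAT for the VPN server, would replace the UDP 500/4500 and catch-all DNAT rules with a single static translation; the security policy shape stays the same either way.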

