Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Help with NAT Configuration on PA-440 In Conjunction With IPSec Tunnel

L2 Linker

Hi everyone,

I need to do some source/destination NATs on my PA440 for anew ipsec tunnel. I have never had to configure a NAT until now. I have been watching some videos and I understand the basic concept of NAT and why it is needed. My question is, all of the videos I have watched are referencing the outside zone. For my ipsec tunnels, I am using a zone called l2vpn. Would the only difference for my NAT rules be that I reference my l2vpn zone instead of the outside zone?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@JTDMHSUPPORT,

Correct, for what you're doing you'd use the post NAT information for proxy IDs. The only time that you wouldn't would be if the tunnel isn't going to see the NAT address. As an example; if you were funneling traffic back to headquarters to route out to the internet or some other restricted resource, you would still use the pre NAT addresses because the tunnel itself wouldn't see the NAT at all. 

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

If you NAT outgoing traffic then source zone is INSIDE and destination zone is OUTSIDE.

If you NAT incoming traffic then source zone is OUTSIDE and destination zone is OUTSIDE.

 

If you NAT traffic where sessions are initiated from your side towards tunnel then source zone is INSIDE and destination zone is L2VPN.

If you NAT traffic where sessions are initiated from other side of the tunnel towards you then source zone is L2VPN and destination zone is INSIDE (in most cases unless you change destination IP. In this case you might need destination zone to be OUTSIDE if pre-nat IP is not in your routing table).

 

 

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Will I also need Proxy IDs for the NAT ip addresses?

Cyber Elite
Cyber Elite

@JTDMHSUPPORT,

Depends on what you're trying to accomplish and whether or not the peer will actually see that NAT addresses or not. 

Hi BP,

My goal is an IPsec vpn tunnel with a vendor. They want me to nat some of the hosts on my side due to network overlap. I am new to Palo and do not do networking everyday so I am trying to muddle my way through this. Here is my thinking and why I posed the question about the proxy IDs- I have already built proxy IDs for the non natted traffic. Some of the hosts will be natted and some won't. My thought is, if I have proxy IDs created for my hosts for the source ip on my side, then i do not need an additional proxy id for the relevant NAT addresses of either side since the address will be translated before the traffic is sent to my host or sent from my host. But I am no expert on NAT, hence the reason I asked. Thanks for your help.

BP,

I just found this:

When configuring an IPSec Tunnel Proxy-ID configuration to identify local and remote IP networks for traffic that is NATed, the Proxy-ID configuration for the IPSec Tunnel must be configured with the Post-NAT IP network information, because the Proxy-ID information defines the networks that will be allowed through the tunnel on both sides for the IPSec configuration.

I think that answers my question.

Cyber Elite
Cyber Elite

@JTDMHSUPPORT,

Correct, for what you're doing you'd use the post NAT information for proxy IDs. The only time that you wouldn't would be if the tunnel isn't going to see the NAT address. As an example; if you were funneling traffic back to headquarters to route out to the internet or some other restricted resource, you would still use the pre NAT addresses because the tunnel itself wouldn't see the NAT at all. 

L1 Bithead

Hello,

You're correct in understanding the basics of NAT. While most videos refer to the "outside" zone, in your case with the "l2vpn" zone for IPSec tunnels, the principle remains the same. Instead of the "outside" zone, use the "l2vpn" zone in your NAT rules. Ensure your security policies align, allowing traffic between the relevant source and destination zones. This way, the NAT translations occur correctly before traffic goes through the IPSec tunnel. Always refer to your device's official documentation or support resources for guidance.

Best of luck with your PA-440 NAT configuration for the IPSec tunnel!

 

I hope this will help you!

(Splunk Training)

Regards
Mia Smith
  • 1 accepted solution
  • 2221 Views
  • 7 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!