08-18-2023 11:48 AM
Hi everyone,
I need to do some source/destination NATs on my PA440 for a new IPsec tunnel. I have never had to configure a NAT until now. I have been watching some videos and I understand the basic concept of NAT and why it is needed. My question is, all of the videos I have watched are referencing the outside zone. For my IPsec tunnels, I am using a zone called l2vpn. Would the only difference for my NAT rules be that I reference my l2vpn zone instead of the outside zone?
08-18-2023 10:33 PM - edited 08-18-2023 10:34 PM
If you NAT outgoing traffic then source zone is INSIDE and destination zone is OUTSIDE.
If you NAT incoming traffic then source zone is OUTSIDE and destination zone is OUTSIDE.
If you NAT traffic where sessions are initiated from your side towards tunnel then source zone is INSIDE and destination zone is L2VPN.
If you NAT traffic where sessions are initiated from other side of the tunnel towards you then source zone is L2VPN and destination zone is INSIDE (in most cases unless you change destination IP. In this case you might need destination zone to be OUTSIDE if pre-nat IP is not in your routing table).
08-21-2023 08:36 AM
Will I also need Proxy IDs for the NAT ip addresses?
08-21-2023 09:32 AM
Depends on what you're trying to accomplish and whether or not the peer will actually see the NAT addresses.
08-21-2023 09:39 AM
Hi BP,
My goal is an IPsec VPN tunnel with a vendor. They want me to NAT some of the hosts on my side due to network overlap. I am new to Palo and do not do networking every day, so I am trying to muddle my way through this. Here is my thinking and why I posed the question about the proxy IDs: I have already built proxy IDs for the non-NATed traffic. Some of the hosts will be NATed and some won't. My thought is, if I have proxy IDs created for my hosts for the source IP on my side, then I do not need an additional proxy ID for the relevant NAT addresses of either side, since the address will be translated before the traffic is sent to my host or sent from my host. But I am no expert on NAT, hence the reason I asked. Thanks for your help.
08-21-2023 10:22 AM
BP,
I just found this:
When configuring an IPSec Tunnel Proxy-ID configuration to identify local and remote IP networks for traffic that is NATed, the Proxy-ID configuration for the IPSec Tunnel must be configured with the Post-NAT IP network information, because the Proxy-ID information defines the networks that will be allowed through the tunnel on both sides for the IPSec configuration.
I think that answers my question.
08-22-2023 07:27 AM
Correct, for what you're doing you'd use the post NAT information for proxy IDs. The only time that you wouldn't would be if the tunnel isn't going to see the NAT address. As an example; if you were funneling traffic back to headquarters to route out to the internet or some other restricted resource, you would still use the pre NAT addresses because the tunnel itself wouldn't see the NAT at all.
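As an added consistency check (my own Python, not code from the thread or from Palo Alto Networks) that encodes the two rules discussed above: a NAT rule whose destination zone is the tunnel zone is applied before encryption, so the peer sees the post-NAT address and the proxy ID must carry it; a NAT applied after traffic has left the tunnel (the hairpin-to-the-internet case) is invisible to the tunnel, so the proxy ID keeps the pre-NAT address. Zone names, rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str                       # pre-NAT source network
    translated: Optional[str] = None  # post-NAT source network, None if untranslated

@dataclass
class ProxyId:
    local: str   # network the peer expects to see from our side
    remote: str  # network we expect to see from the peer

def covered(net: str, nets: List[str]) -> bool:
    n = ipaddress.ip_network(net)
    return any(n.subnet_of(ipaddress.ip_network(p)) for p in nets)

def check_proxy_ids(rules: List[NatRule], proxy_ids: List[ProxyId],
                    tunnel_zone: str = "l2vpn", inside_zone: str = "inside") -> List[str]:
    """Return findings: wrong zone pairs and proxy IDs that do not match the wire."""
    findings = []
    local_nets = [p.local for p in proxy_ids]
    remote_nets = [p.remote for p in proxy_ids]
    for r in rules:
        if r.to_zone == tunnel_zone:
            # Sessions we initiate towards the tunnel: NAT precedes encryption, peer sees post-NAT.
            if r.from_zone != inside_zone:
                findings.append(f"{r.name}: expected {inside_zone} -> {tunnel_zone}, "
                                f"got {r.from_zone} -> {r.to_zone}")
            wire = r.translated or r.source
            if not covered(wire, local_nets):
                findings.append(f"{r.name}: no proxy ID local network covers {wire}")
        elif r.from_zone == tunnel_zone and r.translated:
            # NATed after leaving the tunnel (hairpin): tunnel never sees it, keep pre-NAT.
            if not covered(r.source, remote_nets):
                findings.append(f"{r.name}: no proxy ID remote network covers pre-NAT {r.source}")
    return findings

# Constructed sample rulebase and proxy IDs, not taken from the thread.
RULES = [
    NatRule("vendor-nat", "inside", "l2vpn", "10.1.1.5/32", "192.0.2.5/32"),
    NatRule("no-nat-hosts", "inside", "l2vpn", "10.1.1.0/24"),
    NatRule("wrong-zone", "outside", "l2vpn", "10.1.2.0/24", "192.0.2.6/32"),
    NatRule("hq-internet", "l2vpn", "outside", "10.20.0.0/16", "203.0.113.1/32"),
]
PROXY_IDS = [ProxyId("192.0.2.0/24", "172.16.0.0/12"), ProxyId("10.1.1.0/24", "172.16.0.0/12")]
```

Running `check_proxy_ids(RULES, PROXY_IDS)` flags the rule with the wrong source zone and the hairpin rule whose pre-NAT network no proxy ID covers; the translated and untranslated vendor hosts pass because the proxy IDs carry the post-NAT and real networks respectively.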
08-24-2023 11:15 PM
Hello,
You're correct in understanding the basics of NAT. While most videos refer to the "outside" zone, in your case with the "l2vpn" zone for IPSec tunnels, the principle remains the same. Instead of the "outside" zone, use the "l2vpn" zone in your NAT rules. Ensure your security policies align, allowing traffic between the relevant source and destination zones. This way, the NAT translations occur correctly before traffic goes through the IPSec tunnel. Always refer to your device's official documentation or support resources for guidance.
Best of luck with your PA-440 NAT configuration for the IPSec tunnel!
I hope this will help you!