IPSEC tunnel with vendor and using Vendor Public IP for Source Natting

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPSEC tunnel with vendor and using Vendor Public IP for Source Natting

Cyber Elite
Cyber Elite

We need to build the new IPSEC tunnel with the vendor.

Our side

PA Public IP say 200.23.23.x  for IPEC tunnel
Our Lan

1>>10.0.0.0/8 

2>>172.16.0.0/16

Vendor Juniper Public IP 104.156.166.x

 

Users on our side need to access the vendor network IP
1>>
100.65.5.x

2>>100.66.25.0/24

Vendor told us they do not want to allow our Private IP address inside the Tunnel
So they told us for our private network like 10.0.0.0/8 and 172.16.x.x we can
NAT that to their Public IP 100.67.25.25 in our firewall

1>So need to know on our side of PA i need to configure the NAT rule saying any traffic coming from our zone say corp with IP 10.0.0.0/8 or 172.16.x.x
going to Tunnel interface say tunnel.5 get natted to 100.67.25.25?

 

When I put Vendor Public IP for source NAT will this work as PA does know about this IP?
For this i need to create source NAT with bidirectional enabled right?
2>Also on our PA side do i need to enable NAT traversal?
Normally we do this when middle device in IPSEC tunnel is doing the NAT?


MP

Help the community: Like helpful comments and mark solutions.
1 accepted solution

Accepted Solutions

@MP18,

 

Apologies, i took it in wrong way! NAT-T is not required in your case.

 

Yes Proxy-ID will come into picture so you need to configure it in your case.  Under Proxy IDs Local subnet/Network, you need to mention S-NAT public IP. This is because PA supports only Route-Based VPN and if you have peer which has Policy-based VPN, you need to configure Proxy-IDs.

 

Mayur

M

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

@MP18 ,

 

Is it tunnel bidirectional? If tunnel is bidirectional means both ends will be initiator and responder then only you need to put static bidirectional NAT. Otherwise Normal Source NaT is sufficient. As per the given details, vendor side have given only one public IP to NAT your side subnets so it is unidirectional tunnel and you need to put dynamic SNAT.

 

In Proxy ID, you will configure S-NAT public IP as a local network/host. Also you should have proper routes configured. Yes, you need to enable NAT-T.

 

 

Hope it helps!

Mayur

M

Hi Mayur,

 

Tunnel is unidirectional.

As traffic is initiated from out side.

 

Also i Read if PA does not own the IP here Public IP of vendor as we are using that IP for Source NAtting then proxy arp will come into play?

 

Are you sure NAT T is needed?

As our PA is doing NAT then vendor will do on their end.

No device in between

 

MP

Help the community: Like helpful comments and mark solutions.

@MP18,

 

Apologies, i took it in wrong way! NAT-T is not required in your case.

 

Yes Proxy-ID will come into picture so you need to configure it in your case.  Under Proxy IDs Local subnet/Network, you need to mention S-NAT public IP. This is because PA supports only Route-Based VPN and if you have peer which has Policy-based VPN, you need to configure Proxy-IDs.

 

Mayur

M

Seems for Natting we  used dynamic NAT as our source was 10.0.0/8 and for source address translation we used /27 Public IP.

All went well.

 

Thanks for your help

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 5209 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!