05-24-2020 06:43 PM
We need to build a new IPsec tunnel with a vendor.
Our side
PA public IP, say 200.23.23.x, for the IPsec tunnel
Our LAN
1>>10.0.0.0/8
2>>172.16.0.0/16
Vendor Juniper public IP 104.156.166.x
Users on our side need to access the vendor network IPs
1>>100.65.5.x
2>>100.66.25.0/24
The vendor told us they do not want to allow our private IP addresses inside the tunnel.
So they told us that for our private networks like 10.0.0.0/8 and 172.16.x.x we can
NAT to their public IP 100.67.25.25 in our firewall.
1> So I need to know: on our side of the PA, do I configure the NAT rule saying any traffic coming from our zone, say corp, with IP 10.0.0.0/8 or 172.16.x.x,
going to the tunnel interface, say tunnel.5, gets NATted to 100.67.25.25?
When I put the vendor's public IP for source NAT, will this work, as the PA does know about this IP?
For this I need to create a source NAT with bidirectional enabled, right?
2> Also, on our PA side, do I need to enable NAT traversal?
Normally we do this when a device in the middle of the IPsec tunnel is doing the NAT?
05-24-2020 09:40 PM
@MP18,
Is the tunnel bidirectional? If the tunnel is bidirectional, meaning both ends will be initiator and responder, only then do you need to put a static bidirectional NAT. Otherwise a normal source NAT is sufficient. As per the given details, the vendor side has given only one public IP to NAT your side's subnets, so it is a unidirectional tunnel and you need to put a dynamic SNAT.
In the Proxy ID, you will configure the S-NAT public IP as the local network/host. Also you should have proper routes configured. Yes, you need to enable NAT-T.
Hope it helps!
Mayur
05-24-2020 09:47 PM
Hi Mayur,
The tunnel is unidirectional,
as traffic is initiated from our side.
Also I read that if the PA does not own the IP (here the vendor's public IP, as we are using that IP for source NATting), then proxy ARP will come into play?
Are you sure NAT-T is needed?
As our PA is doing NAT, the vendor will do it on their end.
No device in between.
05-24-2020 10:19 PM
Apologies, I took it the wrong way! NAT-T is not required in your case.
Yes, Proxy-ID will come into the picture, so you need to configure it in your case. Under Proxy IDs, Local subnet/Network, you need to mention the S-NAT public IP. This is because PA supports only route-based VPN, and if you have a peer which has a policy-based VPN, you need to configure Proxy-IDs.
Mayur
05-27-2020 10:16 AM
It seems for NATting we used dynamic NAT, as our source was 10.0.0.0/8, and for source address translation we used a /27 public IP range.
All went well.
Thanks for your help.
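As an added illustration (not code from this thread, from Palo Alto Networks, or from the vendor), the Python below walks a packet through the two checks the thread settles on: the firewall applies source NAT first and only then matches the packet against the IPsec proxy-ID, which is why the proxy-ID local network has to be the translated public IP 100.67.25.25 rather than the private 10.0.0.0/8 or 172.16.0.0/16 ranges. The zone names corp and vpn, and the use of 100.66.25.0/24 as the vendor destination, are assumptions; the rule fields mirror those of a PAN-OS dynamic source NAT rule, but this is a standalone simulation, not PAN-OS code, and all sample packets are constructed.

```python
"""Constructed simulation of the PA packet path from the thread:
dynamic source NAT -> IPsec proxy-ID (traffic selector) match.
Addresses are the ones given in the thread plus labelled assumptions."""
from ipaddress import ip_address, ip_network

# Vendor-assigned public IP our private ranges are translated to (from the thread).
SNAT_PUBLIC_IP = ip_address("100.67.25.25")

# Dynamic source NAT rule. Zone "vpn" for tunnel.5 and the destination
# 100.66.25.0/24 are assumptions; "corp" and tunnel.5 come from the thread.
NAT_RULE = {
    "from_zone": "corp",
    "to_zone": "vpn",
    "to_interface": "tunnel.5",
    "source": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/16")],
    "destination": [ip_network("100.66.25.0/24")],
    "translated_source": SNAT_PUBLIC_IP,
}

# Proxy-ID for the policy-based Juniper peer, in the form the thread arrives at:
# local = the S-NAT public IP, remote = the vendor subnet.
PROXY_ID_OK = {"local": ip_network("100.67.25.25/32"),
               "remote": ip_network("100.66.25.0/24")}
# The mistake the thread warns against: private LAN as the local selector.
PROXY_ID_WRONG = {"local": ip_network("10.0.0.0/8"),
                  "remote": ip_network("100.66.25.0/24")}


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def apply_snat(pkt, rule=NAT_RULE):
    """Return the packet after source NAT if it matches the rule, else unchanged."""
    if (pkt["from_zone"] == rule["from_zone"]
            and pkt["egress_interface"] == rule["to_interface"]
            and _in_any(pkt["src"], rule["source"])
            and _in_any(pkt["dst"], rule["destination"])):
        return {**pkt, "src": rule["translated_source"], "natted": True}
    return {**pkt, "natted": False}


def matches_proxy_id(pkt, proxy_id):
    """IPsec selector check on the post-NAT packet: src in local, dst in remote."""
    return pkt["src"] in proxy_id["local"] and pkt["dst"] in proxy_id["remote"]


def tunnel_outcome(src, dst, proxy_id, from_zone="corp", egress="tunnel.5"):
    """Walk one packet through NAT then proxy-ID; return (source on the wire, encrypted?)."""
    pkt = {"from_zone": from_zone, "egress_interface": egress,
           "src": ip_address(src), "dst": ip_address(dst)}
    pkt = apply_snat(pkt)
    return str(pkt["src"]), matches_proxy_id(pkt, proxy_id)


if __name__ == "__main__":
    # Constructed sample hosts: two in the NATted ranges, one outside them.
    for src in ("10.20.30.40", "172.16.5.6", "192.168.1.9"):
        for label, pid in (("local=SNAT IP", PROXY_ID_OK), ("local=10/8", PROXY_ID_WRONG)):
            print(f"{src:>14} {label:<14} -> {tunnel_outcome(src, '100.66.25.10', pid)}")
```

With the correct proxy-ID, hosts in 10.0.0.0/8 and 172.16.0.0/16 leave as 100.67.25.25 and fall inside the selector; with 10.0.0.0/8 as the local selector the same translated packet no longer matches, which is the symptom to look for when traffic reaches the tunnel interface but never gets encrypted. A source outside the NAT rule (192.168.1.9 here) is not translated and is rejected by either selector. The proxy-ARP question in the thread does not arise on this path: nothing ARPs on a tunnel interface, and the vendor's return traffic to 100.67.25.25 arrives decrypted on tunnel.5 and is reverse-translated from the existing session rather than by the firewall answering for that address.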