NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

L1 Bithead

Hello,

I am trying to have a Cisco router establishing an IP SEC Tunnel behind a pao alto firewal configured in L3 Mode.

The tunnel should be established on a secondary address on a sub interface

Eth 1 Public, Two Sub interface 1.666 and 1.667

eth1.666 address is x.y.z.131/25

and need the tunnel on x.y.z.132 then I do NAT 1-1 rule with option bidirectionnal  The source of the tunnel is 10.35.3.253 on eth2.500

The IKE exchange begin but stop in the middle.

If I use  x.y.z.131 no problem, it works.

But I need the 131 address for other things.

What should I do for the NAt 1-1 to accept the secondary address ?

Jean-Luc

1 accepted solution

Accepted Solutions

Bug from ISP, excuse for the trouble

Jean-Luc

View solution in original post

5 REPLIES 5

L4 Transporter

Is the Cisco establishing the VPN tunnel with the Palo Alto firewall or the firewall is just in a pass through stage for ipsec traffic?

It somehow appears from the description the tunnel is terminating on the firewall. Correct me if I am wrong.

If that is the case and from the description of the two ip-addresses in use , you can use the the feature of secondary ip-address on the interface and not the sub-interfaces.

What I mean is the following:-

Trust Zone:-  Internal corporate network

Untrust Zone:-  Outside World

VPN zone :-  tunnel is in this zone. (VPN users)

sec-ipppp.PNG

From above, 10.30.6.59/24 is the interface address. However the VPN ike-gateway address can be set as a secondary ip-address on the interface as 10.30.6.110/32 as seen above.

Tunnel will be in VPN zone:-

vpntunnel.PNG

NAT rule should look like the following:-

One rule for the trust users and one for the  VPN users (Ip-pool)

vpm-nat.PNG

Also make sure you have security rules from VPN to Trust and the other way around.

And there is no explicit deny rule in the security rule base.

Let me know if this helps.

Regards

Hello,

The PA-200 is just pass-through.

And the problem is that the response is not correctly forwarded to the Cisco router. The IKE exchange get stuck in the middle :

From one side it says : MM_NO_STATE and from the other MM_SA_SETUP.

I will make a schema and post it.

could it be related to the two public link on the same physical interface ? If absolutely necessary I can ask to have the the two sub interface on two physical one.

thnaks trying to help

Jean-Luc

Jean,

If that is the case, we would like see the configuration and review logs on the firewall.

Does the second sub-interface have the ip-address in the same subnet as the first?

Regards

Hello,

Here is the schema:

REseau1.jpg

Hope this can help understanding.

I prefer to terminate the tunnel on the cisco router because we have vrf-lite configuration on it. And if we terminate the VPN on the Palo-Alto, they will not be vrf-aware

Bug from ISP, excuse for the trouble

Jean-Luc

  • 1 accepted solution
  • 5360 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!