Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-04-2019 06:55 AM
Hi All,
I'm in the middle of migrating a series of PAs from one customer to another. The newer system is on version 8.1.10, the other is on 8.0.14.
I have configured the VPNs each with a seperate tunnel, pretty standard stuff. I am creating some specific NAT rules for a couple of the tunnels and hit a brick wall... the tunnels have a local IP and peer address. When I configure the tunnel nat source translation I am using DIPP with the tunnel interface, IP none but it fails the commit config stating the address is missing. The drop down box has no addresses, just none. In the old config it is configured with no IP address for the nat.
Any ideas?
Regards
Adrian
10-04-2019 07:52 AM
I,
Don't really understand why you need source Nat in your tunnel but doesn't matter.
If you want to source nat traffic in your vpn tunnel, either you select nat based on interface, select tunnel int then you tunnel IP or you select translated Address and you give the IP you want. Of course, configure your nat as dynamic IP and Port.
Rgds
V.
10-04-2019 08:10 AM
Hi @a.jones ,
It sounds that you are mistaken tunnel interface with IPsec tunnel source interface.
- " the tunnels have a local IP and peer address." - local IP and peer address are the public address of your gateway and the remote device that will be used for building the IPsec tunnel. In addition Palo Alto is using route-based VPN implementation. Which means that if you want to send traffic through the tunnel you need to have a route in the routing table pointing to that tunnel. Since the "tunnel" is logical (it doesn't exists physically) you need a logical (virtual) interface that is bound to that tunnel.
- "When I configure the tunnel nat source translation I am using DIPP with the tunnel interface, IP none" - It sounds that you have bound your IPsec tunnel with tunnel interface that has no IP configured. While a tunnel interface can be configured without IP address, such source NAT rule is not valid. If you think about it you said to your FW - for source nat use the address for this interface which doesn't have ip assigned...
The two solutions would be:
- Configure your Source NAT DIPP rule with "Translated address" instead of "Interface address" and define the address you want to use for the hide nat
- Assign an IP address on the tunnel interface that is bound to your IPsec tunnel. After that you should be able to use it in source nat rule
I don't believe there is any difference between the two. Most important in both cases is that your proxy-id should use the NAT address as local. And at the same time the remote side of the tunnel should use the NAT address as remote proxy-id
10-14-2019 07:57 AM
Thanks all.
Although it seems a stupid question, I am migrating the current setup and then end customer wants it identical which is a problem, hence asking the question.
Unfortunately this is not the best or easiest migration in the world. The customer cannot provide access to the firewall, they have limited access to the firewall as it's managed by a 3rd party and that 3rd party is being a pain in the proverbial as they lost the contract.
I'm reviewing the setup to try and improve.
Regards
Adrian
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
