NAT over IPSEC VPN without an IP on the Tunnel interface

L0 Member


Does anyone know if it is possible to NAT over an IPSEC VPN without assigning an IP address on the tunnel interface itself?

 

I tried but it doesn't seem possible.

 

Help!

 

Thanks,

 

Duane

L2 Linker

What kind of NAT are you trying to do?

It is possible to do dynamic-ip-and-port source NAT for sure; I haven't tried other scenarios.

L7 Applicator

Hi Duane

 

You can try adding a loopback interface in the same zone as the VPN interface, then create a NAT rule using dynamic IP+port and NAT sourced from the loopback.

 

2016-02-29_08-13-10.png

2016-02-29_08-14-57.png

 

Depending on your remote peer, you may need to account for this by using proxy-IDs.

2016-02-29_08-17-12.png

 

Hope this helps.

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
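
The loopback approach described in the reply above, written out as PAN-OS configure-mode `set` commands. This is an added example, not taken from the original post or its screenshots; the interface name `loopback.1`, the zones `trust` and `vpn`, the virtual router `default`, the tunnel name `tun-to-peer`, the rule and proxy-ID names, and all addresses (documentation ranges) are assumptions to replace with your own values.

```text
# Lines starting with '#' are annotations for the reader, not commands.

# 1. Loopback that will own the NAT address (constructed address).
set network interface loopback units loopback.1 ip 192.0.2.1/32

# 2. Attach the loopback to the virtual router and to the same zone
#    as the tunnel interface (assumed zone name: vpn).
set network virtual-router default interface loopback.1
set zone vpn network layer3 loopback.1

# 3. Source NAT (dynamic IP and port) for traffic going from the
#    inside zone into the VPN zone, translated to the loopback address.
set rulebase nat rules vpn-src-nat from trust
set rulebase nat rules vpn-src-nat to vpn
set rulebase nat rules vpn-src-nat source any
set rulebase nat rules vpn-src-nat destination any
set rulebase nat rules vpn-src-nat service any
set rulebase nat rules vpn-src-nat source-translation dynamic-ip-and-port interface-address interface loopback.1
set rulebase nat rules vpn-src-nat source-translation dynamic-ip-and-port interface-address ip 192.0.2.1/32

# 4. If the remote peer is policy-based, the proxy-ID must describe the
#    post-NAT source (the loopback address), not the real inside subnet.
set network tunnel ipsec tun-to-peer auto-key proxy-id nat-pid local 192.0.2.1/32
set network tunnel ipsec tun-to-peer auto-key proxy-id nat-pid remote 198.51.100.0/24
set network tunnel ipsec tun-to-peer auto-key proxy-id nat-pid protocol any
```

The remote peer's matching selector has to list the same post-NAT address as its remote side, and a security policy from `trust` to `vpn` is still required for the traffic to pass.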
L3 Networker

If you want to configure a NAT rule, you should have an IP address on the interface, either static or assigned via DHCP.

 

Else that will be a Not NAT rule for the traffic.

 

Are you trying to use the tunnel interface in the NAT rule?
