12-06-2013 09:38 AM
Hi,
I am facing a problem with NAT over IPsec VPN.
I am trying to configure the NAT for incoming traffic from the client over a site-to-site VPN, and basically I want to do a destination translation of the IP they access to my internal server IP.
The client is in the VPN zone and my server sits in the DMZ.
I configured the rule like this:
Source zone (VPN) - Source IP (Client IP) - Destination zone (DMZ) - Destination IP (NATed IP) -> NAT - Selected only destination NAT that translates the NATed IP to my DMZ server IP.
After doing this, I don't see traffic hitting my firewall. I don't think this could be a problem on the VPN as the other traffic over this VPN is working fine.
The issue happens only when I introduce this NAT.
Can anyone help here?
12-06-2013 11:42 AM
Hello BFCBahrain,
In your destination NAT, your destination zone should still be VPN zone in your original packet. Your security rule would be from VPN to DMZ zone.
You can refer to the following document for the same scenario on pages 15-18:
Let me know if that helps!
Thanks and regards,
Kunal Adak
12-06-2013 01:28 PM
Thanks a lot Kadak.
I have tried this from VPN to VPN and it did not help.
I have referred to the doc and it points to another doc for NAT with VPN.
Please check page 9 of this; it says the NAT rule is from VPN to Trust!!
https://live.paloaltonetworks.com/docs/DOC-1594
Look at the below link where it says the policy should be from VPN to Untrust.
I tried this also and it did not help. I have an Untrust zone where my 2 ISPs reside on 2 virtual interfaces,
1/1.1 and 1/1.2. Both are in Untrust-ISP and 1/1 is in Untrust.
12-06-2013 01:41 PM
Sorry, I have gone through it once again.
Here I think I am using an IP that is not part of my internal address range.
So how do I route that IP? Should I route the NATed IP address?
Can you please guide.
12-07-2013 08:01 AM
Hello Bahrain,
Consider this when doing any NAT/security policy.
The order of packet checks is:
1) Destination NAT
2) Routing table
3) Source NAT
4) Security policy
So when you are doing destination NAT, the destination zone is decided based on the route for the pre-NATted IP address.
Regards,
Hari Yadavalli
12-08-2013 11:00 AM
Hi Hyadavalli,
Can you please give me more information?
I gave my scenario; can you please help.
12-08-2013 11:12 PM
If you're using an IP address that does not exist on the PA-firewall as your natted-IP, then it means the firewall does not know how to route to this IP normally.
Try using a PBF policy to forward the traffic to your DMZ interface and/or next-hop.
Remember that the firewall makes decisions based on zones. If the IP address is not on any interface on the firewall, then that IP address does not belong to any zones, hence, the firewall does not know what to do with the packets.
Regards,
tasonibare
12-09-2013 09:26 AM
Hello,
So in your case:
Check the routing table for the NATted IP (not the DMZ server IP) to verify what interface it points to, look for the zone that interface is assigned to, and use that as the destination zone for the destination NAT.
Regards,
Hari Yadavalli
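The lookup order described in this thread (destination NAT first, then route lookup, then security policy, with the NAT rule's destination zone taken from the pre-NAT IP and the security rule's destination zone from the post-NAT IP) can be walked through in a small simulation. This is an added example, not code from the thread or from Palo Alto Networks; the routing table, interface names, zones and IP addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table (prefix, egress interface) and interface-to-zone map.
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),      # default route toward the ISPs
    ("10.10.0.0/16", "tunnel.1"),      # networks behind the site-to-site VPN
    ("172.16.5.0/24", "ethernet1/3"),  # DMZ
]
IFACE_ZONE = {"ethernet1/1": "Untrust", "tunnel.1": "VPN", "ethernet1/3": "DMZ"}

def zone_of(ip, routes=ROUTES):
    """Longest-prefix match on the routing table; the zone is that of the
    egress interface. Returns None when no route exists (hence no zone)."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return IFACE_ZONE.get(best[1]) if best else None

def evaluate(src_ip, dst_ip, nat_rules, security_rules, routes=ROUTES):
    """Return (post-NAT destination, security destination zone, verdict)
    following the order from the thread: DNAT -> route -> security policy."""
    src_zone = zone_of(src_ip, routes)
    pre_nat_zone = zone_of(dst_ip, routes)  # NAT rule dst zone uses the PRE-NAT IP
    if pre_nat_zone is None:
        return dst_ip, None, "drop: pre-NAT destination has no route, hence no zone"
    post_nat_dst = dst_ip
    for rule in nat_rules:
        if (rule["from"], rule["to"], rule["dst"]) == (src_zone, pre_nat_zone, dst_ip):
            post_nat_dst = rule["translated"]
            break
    sec_zone = zone_of(post_nat_dst, routes)  # security policy uses the POST-NAT zone
    for rule in security_rules:
        if rule["from"] == src_zone and rule["to"] == sec_zone:
            return post_nat_dst, sec_zone, rule["action"]
    return post_nat_dst, sec_zone, "drop: no matching security rule"

# 203.0.113.10 is not on any interface, so it follows the default route (Untrust):
# the NAT rule must say VPN -> Untrust, while the security rule says VPN -> DMZ.
NAT_OK = [{"from": "VPN", "to": "Untrust", "dst": "203.0.113.10", "translated": "172.16.5.20"}]
NAT_BAD = [{"from": "VPN", "to": "DMZ", "dst": "203.0.113.10", "translated": "172.16.5.20"}]
SECURITY = [{"from": "VPN", "to": "DMZ", "action": "allow"}]

if __name__ == "__main__":
    print(evaluate("10.10.1.5", "203.0.113.10", NAT_OK, SECURITY))
    print(evaluate("10.10.1.5", "203.0.113.10", NAT_BAD, SECURITY))
```

With the rule written as in the original post (destination zone DMZ) the NAT rule never matches, the packet keeps its untranslated address and zone, and no security rule allows it; removing the default route shows the case where the pre-NAT address has no zone at all.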