NAT Over IPSEC VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NAT Over IPSEC VPN

Not applicable

Hi,

I am facing a problem with NAT over IPSEC VPN.

I am trying to configure the NAt for incoming traffic from the client over a site to site VPN and basically i want to do a destination translation of the IP they access to my internal server IP.

The Client is in VPN zone and my server sits in the DMZ

I configured Rule like this

Source zone(VPN)-Source IP(Client IP )- Destination Zone(DMZ) -Destination IP(Nated IP) -> NAT -Selected only destination  NAT that translate the NAted IP to my DMZ Server IP.

After doing this ,I don't see traffic hitting my firewall .I don't think this could be problem on the VPN as the other traffic over this VPN is working fine .

Issue happens only when I introduce this NAT ..

Can Anyone help here ?

7 REPLIES 7

L5 Sessionator

Hello BFCBahrain,

In your destination NAT, your destination zone should still be VPN zone in your original packet. Your security rule would be from VPN to DMZ zone.

You can refer to the following document for the same scenario on page 15-18 :

Understanding PAN-OS NAT

Let me know if that helps!

Thanks and regards,

Kunal Adak

Thanks a lot Kadak.

I have trired this from VPN to VPN and it did not help..

I have referred the doc and it points to another doc for NAT with VPN

Pleae check the page 9 of this and it says NAT rule is from VPN to Trust  !!

https://live.paloaltonetworks.com/docs/DOC-1594

Look at the below link where it says Policy should be from VPN to Untrust .

I tried this also and it did not help .I have an Untrust Zone where I have 2 ISPs are residing on it on 2 Virtual Interfaces.

1/1.1 and 1/1.2  .both are in Untrust-ISP and 1/1 is in Untrust

https://live.paloaltonetworks.com/docs/DOC-1676

Sorry I have gone tru once again .

Here i think I am using an IP that is not part of my Internal Address range .

So how do i route that IP ?Should I route the Nated IP address.

Can u pls guide.

L5 Sessionator

Hello Bahrain,

consider this when doing any nat.security policy,

the order of packet check is:

1) Destination Nat

2)routing table

3) Source nat

4) Security policy

So when you are doing destination nat destination zone is decided based on route for pre-natted ip address.

Regards,

Hari Yadavalli

Hi Hyadavalli,

Can you please give me more information ..

I gave my scenario ..can u pls help

If you're using an IP address that does not exist on the PA-firewall as your natted-IP, then it means the firewall does not know how to route to this IP normally.

Try using a PBF policy to forward the traffic to your DMZ interface and/or next-hop.

Remember that the firewall makes decisions based on zones. If the IP address is not on any interface on the firewall, then that IP address does not belong to any zones, hence, the firewall does not know what to do with the packets.

Regards,

tasonibare

Hello,

So in your case.

Check in routing table for the natted IP(Not dmz server IP) to verify what ineterface it points to and look for the zone the interface specified to and use that in destination zone for destination nat.

Regards,

Hari Yadavalli

  • 5836 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!