NAT Traversal over IPSEC Tunnel


L3 Networker

Guys and Gals,
I have been working to set up NAT-T across an IPSec tunnel between two PA-200s in my lab and am not having success.  I have followed the documentation and suggestions I could find on this site, but I am unable to get NAT-T working and was wondering if anyone out there could help.  In testing I first set up the tunnel with NAT-T configured.  On initial configuration, the tunnels came up, but I could not reach the remote firewalls by their assigned NAT IP address across the tunnel.  I removed NAT from the equation to make sure my IPSEC tunnel was working.  Once I did this, I could get to the remote firewalls across the tunnel using their real IP addresses.  So that I didn't have to flip back and forth, I left the real IP configuration and re-added my NAT configuration, but am still not able to reach the remote side.

Here is my topology.  The firewall interfaces are Layer 3 interfaces:

Screenshot - 8_28_2014 , 3_04_26 PM.png

The Cable Modem they connect to has a 4-port switch on the back.  The Peer addresses are on the same subnet and are in zone Internet.  I have created tunnel.1 and put it in zone IPSEC, and I have a zone named LAN serving DHCP addresses to clients.  I want to be able to hit the management interface of the remote firewall over the IPSEC tunnel using the NAT IP address in the topology diagram.  To do this I have configured a source NAT and static NAT on both sides.

NAT statement Firewall 1:

Screenshot - 8_28_2014 , 3_10_42 PM.png

Security Policy Firewall 1:

Screenshot - 8_28_2014 , 3_13_24 PM.png

Routing Table Firewall 1:

Screenshot - 8_28_2014 , 3_14_51 PM.png

NAT Statements Firewall 2:

Screenshot - 8_28_2014 , 3_16_48 PM.png

Security Policy Firewall 2:

Screenshot - 8_28_2014 , 3_17_46 PM.png

Routing Table Firewall 2:

Screenshot - 8_28_2014 , 3_18_54 PM.png

I suspect the issue lies within the monitor log.  With ICMP pings going across the tunnel I see this in the traffic log:

Screenshot - 8_28_2014 , 3_24_50 PM.png

This tells me the remote firewall is applying the NAT policy, and it is coming across the tunnel correctly, but I'm not sure why the destination zone is the Internet zone and not the LAN zone.  As an aside, if you look at my security policies, you'll see a disabled rule named "tunnel traffic for NAT".  This security policy rule allowed zone IPSEC to Internet, but having this rule in place just changed the rule name in the traffic logs.  Traffic between a local machine and the remote firewall would not pass.  Any clarity on why the firewall is putting the destination zone as Internet, and how I can get the firewall to correctly forward this to the LAN instead, would be greatly appreciated.


L3 Networker

So, while I was writing this all out for the forum, I changed my STATIC NAT statement from source zone LAN - destination zone IPSEC to source zone LAN - destination zone Internet on both firewalls, and everything began working.

Traffic Log:

Screenshot - 8_28_2014 , 3_50_37 PM.png

Session ID Info:

Screenshot - 8_28_2014 , 3_58_51 PM.png

I guess my question now is why did I need to change the static NAT destination zone from IPSEC to Internet, and once I did that why did the "to zone" in the traffic logs change from Internet to LAN?

Pre-NAT rule matching will use a route lookup to match the NAT rule prior to applying NAT. I'm guessing it would go out the Internet zone.


The network was marked to go across the tunnel.1 interface for my IPSEC tunnel as a destination network in the routing table.  I was expecting that even if the NAT was misconfigured, the destination zone would be the IPSEC zone since the traffic came across the tunnel.  Instead, until I changed the NAT statement, the firewall was trying to send the traffic coming from zone IPSEC to the Internet zone instead of NAT-ing the packet to the LAN zone.  But, because routes are configured with destination subnets in the routing table, there was no entry in its routing table for and the firewall defaulted to its default route during its pre-NAT lookup. I was assuming the firewall would know that traffic destined for (local static NAT entry) would NAT from zone IPSEC to zone LAN, when in actuality, it looks like the firewall had to send it out its default route (pre-NAT route lookup), examine the NAT policy, and then redirect the packet to the LAN zone.

Do I just need to read up more on how the flow goes for NAT rules, or is there a better way to configure this?

Packet Flow in PAN-OS

See this document. You'll notice that prior to the NAT policy lookup there's a forwarding lookup. The information from this forwarding lookup is what is used to match the NAT rule (important to note: it is not used to match the security rule).
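A small simulation of the lookup order that the document and the replies above describe, added here as an illustration and not taken from the thread or from PAN-OS: a forwarding lookup on the untranslated destination decides the zone used to match the NAT rule, and a second lookup on the translated destination decides the zone the security policy and traffic log see. All addresses, interface names and rule names are constructed; the inbound direction of the poster's static NAT is modelled as a destination-NAT rule whose source zone is IPSEC.

```python
import ipaddress

# Constructed lab values (the thread does not show them): the NAT IP that is
# pinged across the tunnel and the real management address it should map to.
NAT_IP = "203.0.113.10"
MGMT_IP = "192.168.1.1"

# Assumed Firewall 1 routing table: (destination prefix, egress interface).
ROUTES = [
    ("192.168.1.0/24", "ethernet1/2"),   # local LAN
    ("10.20.20.0/24", "tunnel.1"),        # remote LAN reached via the IPsec tunnel
    ("0.0.0.0/0", "ethernet1/1"),         # default route toward the cable modem
]
ZONE = {"ethernet1/1": "Internet", "ethernet1/2": "LAN", "tunnel.1": "IPSEC"}

def forwarding_lookup(dst_ip):
    """Longest-prefix match over ROUTES; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(p), i) for p, i in ROUTES]
    _, iface = max((c for c in candidates if addr in c[0]), key=lambda c: c[0].prefixlen)
    return ZONE[iface]

def process(src_zone, dst_ip, nat_rules, security_rules):
    """Order from the packet-flow document: forwarding lookup on the original
    destination -> NAT rule match using that zone -> translation -> second
    lookup on the translated destination -> security rule match on that zone."""
    pre_nat_zone = forwarding_lookup(dst_ip)
    translated, nat_hit = dst_ip, None
    for name, from_zone, to_zone, match_dst, new_dst in nat_rules:
        if from_zone == src_zone and to_zone == pre_nat_zone and match_dst == dst_ip:
            translated, nat_hit = new_dst, name
            break
    post_nat_zone = forwarding_lookup(translated)   # what the traffic log shows as "to zone"
    action = "deny"                                  # implicit interzone deny
    for name, from_zone, to_zone, act in security_rules:
        if from_zone == src_zone and to_zone == post_nat_zone:
            action = act
            break
    return {"nat_rule": nat_hit, "to_zone": post_nat_zone, "action": action}

# NAT rule tuples: (name, from zone, to zone, original dst, translated dst).
MISCONFIGURED = [("static-nat", "IPSEC", "IPSEC", NAT_IP, MGMT_IP)]   # to-zone IPSEC never matches
CORRECTED = [("static-nat", "IPSEC", "Internet", NAT_IP, MGMT_IP)]   # to-zone from the default route
SECURITY = [("tunnel-to-LAN", "IPSEC", "LAN", "allow")]

if __name__ == "__main__":
    print(process("IPSEC", NAT_IP, MISCONFIGURED, SECURITY))   # to_zone Internet, deny
    print(process("IPSEC", NAT_IP, CORRECTED, SECURITY))       # to_zone LAN, allow
```

With the misconfigured rule the NAT IP falls to the default route, so the pre-NAT zone is Internet, the rule with to-zone IPSEC does not match, and the untranslated packet is logged toward Internet; with to-zone Internet the rule matches, and the post-NAT lookup on the management address yields LAN.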

