08-28-2014 12:38 PM
Guys and Gals,
I have been working to set up NAT-T across an IPSec tunnel between two PA-200's in my lab and am not having success. I have followed documentation and suggestions I could find on this site, but I am unable to get NAT-T working and was wondering if anyone out there could help. In testing I first set up the tunnel with NAT-T configured. On initial configuration, the tunnels came up, but I could not reach the remote firewalls by their assigned NAT IP address across the tunnel. I removed NAT from the equation to make sure my IPSEC tunnel was working. Once I did this, I could get to the remote firewalls across the tunnel using their real IP addresses. So that I didn't have to flip back and forth, I left the real IP configuration and re-added my NAT configuration, but am still not able to reach the remote side.
Here is my topology. The firewall interfaces are Layer 3 interfaces:
The Cable Modem they connect to has a 4-port switch on the back. The Peer addresses are on the same subnet and are in zone Internet. I have created tunnel.1 and put it in zone IPSEC, and I have a zone named LAN serving DHCP addresses to clients. I want to be able to hit the management interface of the remote firewall over the IPSEC tunnel using the NAT IP address in the topology diagram. To do this I have configured a source NAT and static NAT on both sides.
NAT statement Firewall 1:
Security Policy Firewall 1:
Routing Table Firewall 1:
NAT Statements Firewall 2:
Security Policy Firewall 2:
Routing Table Firewall 2:
I suspect the issue lies within the monitor log. With ICMP pings going across the tunnel I see this in the traffic log:
This tells me the remote firewall is applying the NAT policy, and it is coming across the tunnel correctly, but I'm not sure why the destination zone is the Internet zone and not the LAN zone. As an aside, if you look at my security policies, you'll see a disabled rule named "tunnel traffic for NAT". This security policy rule allowed zone IPSEC to Internet, but having this rule in place just changed the rule name in the traffic logs. Traffic between a local machine and the remote firewall would not pass. Any clarity on why the firewall is putting the destination zone as Internet, and how I can get the firewall to correctly forward this to the LAN instead, would be greatly appreciated.
08-28-2014 01:01 PM
So, while I was writing this all out for the forum, I changed my STATIC NAT statement from source zone LAN - destination zone IPSEC to source zone LAN - destination zone Internet on both firewalls, and everything began working.
Session ID Info:
I guess my question now is why did I need to change the static NAT destination zone from IPSEC to Internet, and once I did that why did the "to zone" in the traffic logs change from Internet to LAN?
08-28-2014 01:28 PM
Pre-NAT rule matching will use a route lookup to match the NAT rule prior to applying NAT. I'm guessing 10.10.2.10 would go out the Internet zone.
08-28-2014 02:34 PM
The network 10.10.2.0/24 was marked to go across the tunnel.1 interface for my IPSEC tunnel as a destination network in the routing table. I was expecting that even if the NAT was misconfigured, the destination zone would be the IPSEC zone since the traffic came across the tunnel. Instead, until I changed the NAT statement, the firewall was trying to send the traffic destined from zone IPSEC to 10.10.1.10 to the Internet zone instead of NAT-ing the packet to the LAN zone. But, because routes are configured with destination subnets in the routing table, there was no entry in its routing table for 10.10.1.0/24 and the firewall defaulted to its default route during its pre-NAT lookup. I was assuming the firewall would know that traffic destined for 10.10.1.10 (local static NAT entry) would NAT from zone IPSEC to zone LAN, when in actuality, it looks like the firewall had to send it out its default route (pre-NAT route lookup), examine NAT policy, and then redirect the packet to the LAN zone.
Do I just need to read up more on how the flow goes for NAT rules, or is there a better way to configure this?
08-29-2014 07:50 AM
See this document. You'll notice that prior to the NAT policy lookup there's a forwarding lookup. The information applied from this forwarding lookup is what is used to match the NAT rule (important to note it is not used to match the security rule).
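To make the lookup order described in this thread concrete, here is an added model (not PAN-OS code, and not from the original thread) of Firewall 2's pre-NAT forwarding lookup, NAT match and post-NAT zone. The routing table, the real LAN subnet 192.168.2.0/24 and the management IP 192.168.2.1 are assumed values, and the inbound half of the bidirectional static NAT is simplified to a destination-NAT rule matched on to-zone and destination address only.

```python
import ipaddress

# Constructed model of Firewall 2 from the thread. Assumed real LAN subnet and
# management IP: 192.168.2.0/24 and 192.168.2.1 (the thread never states them).
ROUTES = [  # (prefix, interface, zone); longest prefix wins
    ("10.10.1.0/24", "tunnel.1", "IPSEC"),      # remote NAT network, via the tunnel
    ("192.168.2.0/24", "ethernet1/2", "LAN"),   # real local LAN (assumed)
    ("0.0.0.0/0", "ethernet1/1", "Internet"),   # default route to the cable modem
]
NAT_IP, MGMT_IP = "10.10.2.10", "192.168.2.1"   # peers reach MGMT_IP via NAT_IP

def route_zone(dst):
    """Forwarding lookup: zone of the longest-prefix route covering dst."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in ROUTES if ip in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[2]

def static_nat_rule(to_zone):
    """Inbound half of the static NAT as a destination-NAT rule; only the
    to-zone and the destination address are modelled (from-zone omitted)."""
    return {"name": "static-nat-mgmt", "to": to_zone,
            "dst": NAT_IP, "translated": MGMT_IP}

def process(from_zone, dst, nat_rule):
    """Order the thread arrives at: forwarding lookup on the ORIGINAL
    destination -> NAT rule match against that zone -> translate -> second
    forwarding lookup on the TRANSLATED destination, which is the to-zone
    that security policy (and the traffic log) sees."""
    pre_nat_zone = route_zone(dst)
    if nat_rule["to"] != pre_nat_zone or nat_rule["dst"] != dst:
        # No NAT rule matched: the session keeps the pre-NAT zone (Internet).
        return {"nat": None, "from": from_zone, "to": pre_nat_zone, "dst": dst}
    new_dst = nat_rule["translated"]
    return {"nat": nat_rule["name"], "from": from_zone,
            "to": route_zone(new_dst), "dst": new_dst}

if __name__ == "__main__":
    # Ping arriving from the tunnel for the NAT address, first with the rule
    # written to-zone IPSEC (as originally configured), then to-zone Internet.
    for zone in ("IPSEC", "Internet"):
        print(zone, "->", process("IPSEC", NAT_IP, static_nat_rule(zone)))
```

With the rule written to-zone IPSEC the NAT lookup never matches, because the pre-NAT lookup for 10.10.2.10 hits only the default route and yields Internet; with to-zone Internet it matches, and the post-NAT lookup on the management IP gives LAN.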