Guys and Gals,
I have been working to set up NAT-T across an IPSec tunnel between two PA-200's in my lab and am not having success. I have followed documentation and suggestions I could find on this site, but I am unable to get NAT-T working and was wondering if anyone out there could help. In testing I first setup the tunnel with NAT-T configured. On initial configuration, the tunnels came up, but I could not reach the remote firewalls by their assigned NAT IP address across the tunnel. I removed NAT from the equation to make sure my IPSEC tunnel was working. Once I did this, I could get to the remote firewalls across the tunnel using their real IP addresses. So I didn't have to flip back and forth I left the real IP configuration and re-added my NAT configuration, but am still not able to reach the remote side.
Here is my topology. The firewall interfaces are Layer 3 interfaces:
The Cable Modem they connect to has a 4-port switch on the back. The Peer addresses are on the same subnet and are in zone Internet. I have created tunnel.1 and put it in zone IPSEC, and I have a zone named LAN serving DHCP addresses to clients. I want to be able to hit the management interface of the remote firewall over the IPSEC tunnel using the NAT IP address in the topology diagram. To do this I have configured a source NAT and static NAT on both sides.
NAT statement Firewall 1:
Security Policy Firewall 1:
Routing Table Firewall 1:
NAT Statements Firewall 2:
Security Policy Firewall 2:
Routing Table Firewall 2:
I suspect the issue lies within the monitor log. With ICMP pings going across the tunnel I see this in the traffic log:
This tells me the Remote firewall is applying the NAT policy, and it is coming across the tunnel correctly, but I'm not sure why the destination zone is the Internet zone and not the LAN zone. As an aside, if you look at my security policies, you'll see a disabled rule named "tunnel traffic for NAT" this security policy rule allowed zone IPSEC to Internet, but having this rule in place just changed the rule name in the traffic logs. Traffic between a local machine and the remote firewall would not pass. Any clarity on why the firewall is putting the destination zone as Internet, and how I can get the firewall to correctly forward this to the LAN instead would be greatly appreciated.
So, while I was writing this all out for the forum, I changed my STATIC NAT statement from source zone LAN - destination zone IPSEC to source zone LAN - destination zone Internet on both firewalls, everything began working.
Traffic Log:
Session ID Info:
I guess my question now is why did I need to change the static NAT destination zone from IPSEC to Internet, and once I did that why did the "to zone" in the traffic logs change from Internet to LAN?
