This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Network address Translation (NAT) support for IPSec ESP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Network address Translation (NAT) support for IPSec ESP

jrhine
Not applicable

‎08-20-2012 04:55 PM

I have an IPSEC tunnel with a third party and they require that all traffic coming from me to be NATted as they will only accept data traffic coming from the IP of the NAT within the IPSEC tunnel.

I have been unsuccesfull in trying to figure out how exactly this NAT within an IPSEC tunnel can be applied on a Palo Alto 5020 and would appreciate any comments from other people who have possibly done this before.

Labels:
0 Likes Likes
1 REPLY 1

mike_lutgen
Not applicable

‎08-25-2012 03:04 PM

Hello,

This is not a terribly difficult task if you are familiar with how NATing generally works on the PAN firewall.  There is one main thing that you will need to make sure though - that the tunnel interface you specified for the tunnel is in a separate zone from the traffic that will be going across the tunnel.  As long as you have this done, you will build the NAT rule like this:

Source Zone: <your source traffic zone(s)>

Destination Zone: <your VPN tunnel interface zone>

Source Address: any (or restricted to a specific IP if you like)

Source Translation: You have a couple of options here depending on exactly what traffic you are sending across.

     1. If it's coming from multiple hosts specify Dynamic IP and Port and then Translated Address.  In the area where you specify an address, either select/create an address object for the address that you are NATing to, or you can just type an address in the field as well.

     2. If it's coming from a single host, you can do the first option, or you can specify it as Static IP and then in the Translated Address area, specify/create an address object for the address that you are NATing to or again, you can just type an address into the field.

This is all you should have to do, the rule will look very much like your source NAT policy that translates your user traffic out to the internet except your destination zone will be the zone that your tunnel interface is in and you will not be specifying "Interface Address" as the Source Translated Address.

One thing to keep in mind, if your VPN tunnel is currently in the same zone as your trusted network, when you apply a different zone to it, you will need to make sure to add the appropriate firewall rules so that traffic can flow correctly.

Mike

  • 4324 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks