Palo Alto Proxy IDs Bidirectional?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto Proxy IDs Bidirectional?

L2 Linker

Hi everyone,

I am a bit confused about proxy IDs when it comes to tunnel negotiation. Lets say I have a tunnel I am building with a vendor. My encryption domain will be 192.168.1.0/24 and my vendor will have 192.168.2.0/24. So lets also say the vendor has an ASA so I will add this proxy id to my phase 2 config: Source 192.168.1.0/24 Destination 192.168.2.0/24. Here is my question: Lets say I need the vendor to also be able to send traffic to me as well as receive my traffic. Is my proxy id bi-directional for the purpose of the vendor being able to initiate/negotiate the tunnel? OR do I need another proxy id as such: Source 192.168.2.0/24 Destination 192.168.1.0/24

Thanks for the help.

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

ProxyID is not source/destination but local/remote instead.

It means they are bi-directional.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Cyber Elite
Cyber Elite

Palo don't care but other end is most likely policy based firewall that routes traffic based on those ProxyID's / encryption domains so most likely yes you need ProxyID for every pair of subnets.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

12 REPLIES 12

Cyber Elite
Cyber Elite

ProxyID is not source/destination but local/remote instead.

It means they are bi-directional.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you. One additional question: 

Lets say I have the following proxyIDs built:

ProxyID1            LOCAL 192.168.2.0/24                  REMOTE 10.1.1.0/24

ProxyID2            LOCAL 192.168.10.0/24               REMOTE 10.50.1.0/24

Here is my question, for LOCAL 192.168.10.0 to be able to pass traffic back and forth with REMOTE 10.1.1.0, do I need a separate proxy ID such as this: LOCAL 192.168.10.0 REMOTE 10.1.1.0 ?

Cyber Elite
Cyber Elite

Palo don't care but other end is most likely policy based firewall that routes traffic based on those ProxyID's / encryption domains so most likely yes you need ProxyID for every pair of subnets.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L2 Linker

Hi again Raido, thanks for all of your help. I ran across something else I am questioning in my PA440 config. When there is a NAT rule created for an ipsec tunnel for example: Source address 192.168.1.0/24 Destination address 152.2.0.0/16 Source translation 10.77.120.212 and bidirectional is yes. I only need a static route for the PRE-NAT ip address correct?

 

Cyber Elite
Cyber Elite

Palo virtual router will route based on POST-NAT destination IP.

In your example you don't seem to change destination IP but source IP so destination PRE-NAT and POST-NAT IPs are the same (unless I misunderstand your requirement to also NAT destination IP).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I am creating a source nat rule and setting it to bi-directional so the destination nat rule is auto created by the firewall. This means when I view nat rules from command line i see this:

"Example1; index: 86" {
nat-type ipv4;
from inside;
source 192.168.1.0;
to l2lvpn;
to-interface ;
destination 152.2.0.0/16;
service 0:any/any/any;
translate-to "src: 10.77.120.212 (static-ip) (pool idx: 24)";
terminal no;
}

"Example1; index: 87" {
nat-type ipv4;
from any;
source any;
to l2lvpn;
to-interface ;
destination 10.77.120.212;
service 0:any/any/any;
translate-to "dst: 192.168.1.0";
terminal no;
}

My question is, when I create my static routes for the tunnel, do I need a static route for 152.2.0.0 or for my source nat address 10.77.120.212

Cyber Elite
Cyber Elite

I usually prefer not to use bi-directional NAT rules and create 2 rules myself for better control due how bi-directional option messes up zones.

 

Your example shows that one way source zone is "inside" and destination zone is "l2lvpn"

Other way source zone is "any" and destination zone is "l2lvpn"

 

But if you don't have 10.77.120.212 in your routing table then destination zone should be "outside" instead for nat policy to match for traffic initiated from peer side.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

JTDMHSUPPORT_0-1698684783012.pngJTDMHSUPPORT_1-1698684818985.png

 

Which one of these would be correct given my nat rule example? Sorry, I do not do enough networking to be well versed with it =(

Cyber Elite
Cyber Elite

Can you share screenshot of your NAT policy as well but I would say that destination needs to be

152.2.0.0/16

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

JTDMHSUPPORT_2-1698686226287.png

 

Cyber Elite
Cyber Elite

Do you need to use 10.77.120.212 only or can you use /24 subnet like example below?

 

Raido_Rattameister_0-1698690022761.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I can use subnet like your example.

  • 2 accepted solutions
  • 2294 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!