This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Palo Alto Proxy IDs Bidirectional?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto Proxy IDs Bidirectional?

Go to solution
JTDMHSUPPORT
L2 Linker

‎10-24-2023 11:03 AM

Hi everyone,

I am a bit confused about proxy IDs when it comes to tunnel negotiation. Lets say I have a tunnel I am building with a vendor. My encryption domain will be 192.168.1.0/24 and my vendor will have 192.168.2.0/24. So lets also say the vendor has an ASA so I will add this proxy id to my phase 2 config: Source 192.168.1.0/24 Destination 192.168.2.0/24. Here is my question: Lets say I need the vendor to also be able to send traffic to me as well as receive my traffic. Is my proxy id bi-directional for the purpose of the vendor being able to initiate/negotiate the tunnel? OR do I need another proxy id as such: Source 192.168.2.0/24 Destination 192.168.1.0/24

Thanks for the help.

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-24-2023 11:19 AM

ProxyID is not source/destination but local/remote instead.

It means they are bi-directional.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

(1)

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-26-2023 12:05 PM

Palo don't care but other end is most likely policy based firewall that routes traffic based on those ProxyID's / encryption domains so most likely yes you need ProxyID for every pair of subnets.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

(1)
12 REPLIES 12

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-24-2023 11:19 AM

ProxyID is not source/destination but local/remote instead.

It means they are bi-directional.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
(1)

Go to solution
JTDMHSUPPORT
L2 Linker
In response to Raido_Rattameister

‎10-26-2023 10:40 AM

Thank you. One additional question: 

Lets say I have the following proxyIDs built:

ProxyID1            LOCAL 192.168.2.0/24                  REMOTE 10.1.1.0/24

ProxyID2            LOCAL 192.168.10.0/24               REMOTE 10.50.1.0/24

Here is my question, for LOCAL 192.168.10.0 to be able to pass traffic back and forth with REMOTE 10.1.1.0, do I need a separate proxy ID such as this: LOCAL 192.168.10.0 REMOTE 10.1.1.0 ?

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-26-2023 12:05 PM

Palo don't care but other end is most likely policy based firewall that routes traffic based on those ProxyID's / encryption domains so most likely yes you need ProxyID for every pair of subnets.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
(1)

Go to solution
JTDMHSUPPORT
L2 Linker

‎10-30-2023 08:06 AM

Hi again Raido, thanks for all of your help. I ran across something else I am questioning in my PA440 config. When there is a NAT rule created for an ipsec tunnel for example: Source address 192.168.1.0/24 Destination address 152.2.0.0/16 Source translation 10.77.120.212 and bidirectional is yes. I only need a static route for the PRE-NAT ip address correct?

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-30-2023 08:43 AM

Palo virtual router will route based on POST-NAT destination IP.

In your example you don't seem to change destination IP but source IP so destination PRE-NAT and POST-NAT IPs are the same (unless I misunderstand your requirement to also NAT destination IP).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
JTDMHSUPPORT
L2 Linker
In response to Raido_Rattameister

‎10-30-2023 08:58 AM

I am creating a source nat rule and setting it to bi-directional so the destination nat rule is auto created by the firewall. This means when I view nat rules from command line i see this:

"Example1; index: 86" {
nat-type ipv4;
from inside;
source 192.168.1.0;
to l2lvpn;
to-interface ;
destination 152.2.0.0/16;
service 0:any/any/any;
translate-to "src: 10.77.120.212 (static-ip) (pool idx: 24)";
terminal no;
}

"Example1; index: 87" {
nat-type ipv4;
from any;
source any;
to l2lvpn;
to-interface ;
destination 10.77.120.212;
service 0:any/any/any;
translate-to "dst: 192.168.1.0";
terminal no;
}

My question is, when I create my static routes for the tunnel, do I need a static route for 152.2.0.0 or for my source nat address 10.77.120.212

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-30-2023 09:28 AM

I usually prefer not to use bi-directional NAT rules and create 2 rules myself for better control due how bi-directional option messes up zones.

 

Your example shows that one way source zone is "inside" and destination zone is "l2lvpn"

Other way source zone is "any" and destination zone is "l2lvpn"

 

But if you don't have 10.77.120.212 in your routing table then destination zone should be "outside" instead for nat policy to match for traffic initiated from peer side.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
JTDMHSUPPORT
L2 Linker
In response to Raido_Rattameister

‎10-30-2023 09:54 AM

JTDMHSUPPORT_0-1698684783012.pngJTDMHSUPPORT_1-1698684818985.png

 

Which one of these would be correct given my nat rule example? Sorry, I do not do enough networking to be well versed with it =(

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-30-2023 09:56 AM

Can you share screenshot of your NAT policy as well but I would say that destination needs to be

152.2.0.0/16

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
JTDMHSUPPORT
L2 Linker
In response to JTDMHSUPPORT

‎10-30-2023 10:17 AM

JTDMHSUPPORT_2-1698686226287.png

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎10-30-2023 11:20 AM

Do you need to use 10.77.120.212 only or can you use /24 subnet like example below?

 

Raido_Rattameister_0-1698690022761.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
JTDMHSUPPORT
L2 Linker
In response to Raido_Rattameister

‎10-30-2023 11:22 AM

I can use subnet like your example.

0 Likes Likes
  • 2 accepted solutions
  • 1622 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks