This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Site to Site VPN Tunnel - NAT

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

Site to Site VPN Tunnel - NAT

Go to solution
panuser2018
L0 Member

‎02-11-2018 12:31 PM

Hello everbody,

 

I am most likely struggling with a NAT problem in a site to site VPN tunnel, hoping you have an idea or tip to this topic.

The setup is a site to site VPN tunnel between a PAN and a Cisco ASA.

There is a host (172.16.2.20) behind the PAN which should be reached through the VPN tunnel.

The problem is that the service provider behind the Cisco ASA access this hosts via a different IP address 172.44.33.20 so in my opinion I have to do NAT. The old firewall, which was from another vendor, had a DNAT rule configured for this.

 

The VPN tunnel looks good. If the service provider pings the 172.44.33.20 I see it in the traffic log. I allow ping via sec policy.

But the NAT rule doesn't work. 

I read about this article: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-NAT-for-a-Network-Not-C...

which describes the NAT configuration for networks not conncected to the firewall.

 

I added the 172.44.33.0/24 network to the 172.16.X.X interface so the PAN knows the network and treats it as trust.

So the 172.44.33.20 is in the trust zone since I added the network to the 172.16.X.X interface.

The tunnel is in the zone VPN. As proxy ids for the tunnel I entered both networks to be sure but I think 172.44.33.0/24 is the right one cause the service provider with the ASA has this in his ACL.

 

I tested DNAT rule and Bi-Directional NAT rule:

 

Bi-Directional NAT

source zone: trust

destination zone: VPN

destination interface: tunnel.4

source address: 172.16.2.20/32

destination address: any

service: any

source translation: static ip, 172.44.33.20/32, bi-direction:yes

destination translation: none

 

DNAT:

source zone: VPN

destination zone: VPN

destination interface: any

source address: any

destination address: 172.44.33.20/32

service: any

source translation: none

destination translaton: 172.16.2.20/32

 

VPN tunnel looks good, but ping goes through the tunnel to the 172.44.33.20 (which is a public IP) and there is no NAT to the real world ip address of the host 172.16.2.20.

 

I hope you have an idea where I am going wrong.


Thanks for your support!

Many greetings!

 

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite

‎02-11-2018 11:27 PM

the DNAT policy will not work, as you attached the 172.44.33 network to your trust interface, (there is a route lookup prior to matching nat rules so this particular scenario would be vpn to trust)

 

if all else fails, stick the 172.44.33.20 on a loopback interface in the VPN zone, that will make your DNAT work

 

i would not use bidirectional NAT for this case as you're only looking to receive connections (plus the implied return policy has an 'any' for the source zone which I would personally try to avoid, with a destination of VPN which will not match due to the subnet being attached to your trust))

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

2 REPLIES 2

Go to solution
reaper
Cyber Elite
Cyber Elite

‎02-11-2018 11:27 PM

the DNAT policy will not work, as you attached the 172.44.33 network to your trust interface, (there is a route lookup prior to matching nat rules so this particular scenario would be vpn to trust)

 

if all else fails, stick the 172.44.33.20 on a loopback interface in the VPN zone, that will make your DNAT work

 

i would not use bidirectional NAT for this case as you're only looking to receive connections (plus the implied return policy has an 'any' for the source zone which I would personally try to avoid, with a destination of VPN which will not match due to the subnet being attached to your trust))

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
panuser2018
L0 Member
In response to reaper

‎02-12-2018 04:18 AM

Hi reaper,

 

many thanks for the prompt reply.

With a loopback interface for the 172.44.33.20 and a DNAT from VPN to VPN it works 🙂

The any in the nat rule was only for testing purposes. Now I also changed the sec policy to allow only ping, icmp and rdp as application.

 

Many greetings

0 Likes Likes
  • 1 accepted solution
  • 4347 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks