VPN Site-to-Site Private IP and Public IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VPN Site-to-Site Private IP and Public IP

L4 Transporter

VPN Site-to-Site Private IP and Public IP

Good afternoon everyone, is it possible to set up a Site-to-Site VPN between a site with a Palo Alto Private IP and a Palo Alto Public IP.


Site Privado: PaloAlto---IpWan-192.168.1.254---Router/Modem--------Internet-------Site Publico:IPWan:190.100.100.200

Thank you very much for your help and support, I remain attentive.

Best regards

High Sticker
7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

Yes it is! On the PAN with the private IP address make sure to give it a Local IP Address in the IKE Gateway setting.

OtakarKlier_0-1628107014575.png

 

Then on the other PAN point the IKE gateway at the public IP address however in the Ike Gateway, put in the Peer Address:

OtakarKlier_1-1628107087842.png

Hope that helps.

@OtakarKlier 

Good afternoon, thank you for your reply.

On the private IP side, I don't need to do any NAT or Port-Forwarding ?
That configuration would be enough ?

I remain attentive, thank you very much

High Sticker

L1 Bithead

Hi, any details setting for the ike gateway for both site?

I need create port forward at the site using internal ip as wan ip (udp500,udp4500) on my ISP router?

 

Cyber Elite
Cyber Elite

Hello,

For your ISP router, dont have it filter anything. Leave it wide open and let the Palo Alto handle the traffic.

Just my thoughts.

Regards,

Cyber Elite
Cyber Elite

Hello @Metgatz 

Apologies for the late response. For the VPN tunnel, no. If the traffic is going out the internet, then internal to external traffic will need attention.

Regards,

Hello @OtakarKlier thank you for your reply and collaboration.

 

I understand that it is feasible, I have not had to do it, but I understand that it is possible to do the following.

Scenario:

-Palo Alto Firewall Static Public IP directly connected to PA Interface.

-Firewall fortigate behind traditional Modem/Route/OTN almost domiciliary with Dynamica public IP but with private IP in

its WAN interface of the fortigate.

 

I.e.:

PaloAlto-Untrust-Interface-Static dedicated Public IP=======Internet=====VPN-Site-to-Site=============Dynamic-IP-traditional-Internet-Modem-ISP=====NAT===Private WAN IP Fortigate.

 

I can set up a Site to Site VPN tunnel between a Palo Alto FW with dedicated static public IP coming directly to the AP against a Fortigate firewall behind a traditional ISP modem/router/nat.

 

Is it feasible to realize this IPSEC tunnel, that is stable, operates correctly ?

 

What aspects, configurations, settings, etc. should I consider when making this configuration?

 

Thanks as always for the collaboration, good vibes and for all the advice and your time in answering.

 

Greetings and very attentive to your comments.

High Sticker

Cyber Elite
Cyber Elite

Hello,

I not know the Fortigate devices well but on the Palo Alto you will setup the following:

Network > Network Profiles > IKE Gateways > General

  • Peer IP Address = the public IP address on the other side (Fortigate side of hte ISP moden doing the NAT)
  • Peer Identification = the Private NAT'ed IP of the Fortigate device.

Hope this helps.

 

Regards,

  • 3687 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!