08-27-2022 10:36 PM
Hi Team,
Two queries.
1. I have 2 physical interfaces on which I have configured multiple sub-interfaces.
Say, for example, eth1/7 - eth1/7.1, eth1/7.2, eth1/7.3
eth1/8 - eth1/8.20, eth1/8.21, eth1/8.22.
Both my physical and sub-interfaces are in the same zone, say the trust zone.
Now I have an urgent requirement and I cannot add a new physical interface, so can I add a new sub-interface on either eth1/7 or eth1/8 (e.g. eth1/7.5 or eth1/8.25), add it to a new zone, and create policies or inbound NAT policies on that interface?
I'm a little confused whether that will work. I'd appreciate it if someone can guide me on a few points.
2nd query.
---------------------
I am creating an IPsec tunnel with an AWS CGW, so it asks to create 2 tunnels, and it says to create PBF, NAT (no-NAT) and tunnel monitor. I have created all that but both phases are still down. Can someone share documents I can refer to for creating a tunnel with an AWS CGW?
Regards,
08-29-2022 12:21 PM
Hello,
For the first question, yes. The interfaces can be in different zones. For the second question, it sounds like phase 1 and 2 are not configured correctly on both sides.
Regards,
08-29-2022 12:53 PM
Yes, you were right, the phase 1 config was incorrect. I also found something strange: the customer configured Phase 1 at the AWS end as group 5, SHA1 and aes-128-cbc, but the configuration file downloaded from the AWS end shows a different config, which is why we configured different parameters on the PA end.
Now both tunnels are up.
And for the 1st query I have a question.
Let's say I have eth1/7 with multiple sub-interfaces:
1/7.1, 1/7.2, 1/7.3 - DMZ_1 zone
1/7.4 - DMZ_2 zone
For the DMZ_2 zone my actual traffic is coming from the AWS tunnel (AWS zone).
Now I need to DNAT that traffic to private pool IPs.
How can I create a DNAT policy for this scenario?
08-29-2022 01:23 PM
Unless you have overlapping subnets, i.e. the same subnet on both sides of the tunnel, I wouldn't NAT the traffic.
08-30-2022 12:28 AM
Hello OtakarKlier,
DNAT Policy
Original packet
----------------------------
Source Zone - AWS Zone
Destination Zone - AWS Zone
Source Address - peer subnets
Destination Address - my DMZ sub-interface IP - 10.240.x.x
Destination Interface - tunnel.9
Service - any
Translated packet
-----------------------------
Destination NAT
Static
IP - private IP - 10.34.x.x
Translated port - any
Security policy
------------------
Source Zone - AWS Zone
Source Address - peer subnets
Destination Zone - DMZ Zone
Destination Address - 10.34.x.x
Service - https, http
Action - allow
Will this be correct if my traffic is coming from the AWS tunnel?
Please guide me if I'm wrong in any part.
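As an added illustration (not code from the thread or from Palo Alto Networks), the following small Python model walks one flow through the order of operations the DNAT question above depends on: the NAT rule is matched on the pre-NAT zones and addresses, the translated address is then routed to find the post-NAT zone, and the security rule is matched on the post-NAT zone but the original (pre-NAT) destination address. The routing table, zone names and host addresses are constructed sample values, not the poster's real ones.

```python
import ipaddress

# Constructed routing table for the thread's scenario: destination prefix -> zone.
ROUTES = {
    "10.2.0.0/16":   "AWS",     # peer subnets, reached through tunnel.9
    "10.240.0.0/16": "AWS",     # pre-NAT address presented toward the tunnel
    "10.34.0.0/16":  "DMZ_2",   # backend pool behind eth1/7.4
}

def zone_for(ip):
    """Longest-prefix route lookup; returns the zone, or None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, zone)
    return best[1] if best else None

def in_net(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

# NAT rule (constructed): the original packet is matched on PRE-NAT zones/addresses.
NAT_RULES = [{
    "from": "AWS", "to": "AWS", "src": "10.2.0.0/16",
    "dst": "10.240.1.10", "translated": "10.34.1.10",
}]
# Security rule (constructed): matched on POST-NAT zones but PRE-NAT addresses.
SEC_RULES = [{
    "from": "AWS", "to": "DMZ_2", "src": "10.2.0.0/16",
    "dst": "10.240.1.10", "service": {"http", "https"}, "action": "allow",
}]

def evaluate(src, dst, service):
    """Return (translated_dst, post_nat_zone, action) for one flow."""
    src_zone, dst_zone = zone_for(src), zone_for(dst)   # zones before NAT
    nat = next((r for r in NAT_RULES if r["from"] == src_zone and r["to"] == dst_zone
                and in_net(src, r["src"]) and dst == r["dst"]), None)
    translated = nat["translated"] if nat else dst
    post_zone = zone_for(translated)                    # zone after translation
    sec = next((r for r in SEC_RULES if r["from"] == src_zone and r["to"] == post_zone
                and in_net(src, r["src"]) and dst == r["dst"]   # original dst
                and service in r["service"]), None)
    return translated, post_zone, (sec["action"] if sec else "deny")

if __name__ == "__main__":
    print(evaluate("10.2.5.5", "10.240.1.10", "https"))  # ('10.34.1.10', 'DMZ_2', 'allow')
```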
09-06-2022 12:24 AM
The subnets are different, say one side is 10.34.x.x and the other side is 10.2.x.x,
but still, if I want to hide my backend pool IPs I can do the NAT, right?
09-06-2022 11:11 AM
Hello,
You can, but it can get very complicated.
Regards,
09-06-2022 11:16 AM
Thanks OtakarKlier. I have tested the same and it works successfully.