Sub-interface and zone || IPSec tunnel with AWS


L3 Networker

Hi Team,

Two queries.

1. I have 2 physical interfaces on which I have configured multiple sub-interfaces, say for e.g.:

- eth1/7 - eth1/7.1, eth1/7.2, eth1/7.3
- eth1/8 - eth1/8.20, eth1/8.21, eth1/8.22

and both my physical and sub-interfaces are in the same zone, say the trust zone.

Now I have an urgent requirement and I cannot add a new physical interface, so can I add a new sub-interface on either 1/7 or 1/8 (e.g. eth1/7.5 or eth1/8.25) and add it to a new zone, and create policies or inbound NAT policies on that interface?

A little confused whether that will work. I'd appreciate it if someone can guide me on a few points about this.

2nd query.

I am creating an IPsec tunnel with AWS CGW, so it asks to create 2 tunnels, and it says to create PBF, NAT (no NAT) and tunnel monitor. I have created all that but both phases are still down. Can someone share documents I can refer to for creating a tunnel with AWS CGW?





Cyber Elite


For the first question, yes. The interfaces can be in different zones. For the second question, it sounds like phase 1 and 2 are not configured correctly on both sides.


Yes, you were right, the phase 1 config was incorrect. I also found something strange: the customer configured Phase 1 at the AWS end as group 5, SHA1 and aes-128-cbc, but the configuration file downloaded from the AWS end shows a different config, which is why we had configured different parameters on the PA end.

Now both tunnels are up.

And for the 1st query, I have a question.

Let's say I have eth1/7 with multiple sub-interfaces:

- 1/7.1, 1/7.2, 1/7.3 - DMZ_1 zone
- 1/7.4 - DMZ_2 zone

For the DMZ_2 zone my actual traffic is coming from the tunnel (AWS, AWS zone).

Now I need to DNAT that traffic to private pool IPs.

How can I create a DNAT policy for this scenario?



Cyber Elite

Unless you have overlapping subnets, i.e. the same subnet on both sides of the tunnel, I wouldn't NAT the traffic.

Hello OtakarKlier,

DNAT policy

Original packet:

- Source zone - AWS zone
- Destination zone - AWS zone
- Source address - peer subnets
- Destination address - my DMZ sub-interface IP - 10.240.x.x
- Destination interface - tunnel.9
- Services - any

Translated packet:

- Destination NAT
- IP - private IP - 10.34.x.x
- Translated port - any

Security policy

- Source zone - AWS zone
- Source address - peer subnets
- Destination zone - DMZ zone
- Destination address - 10.34.x.x
- Service - https, http
- Action - allow

Will this be correct if my traffic is coming from the AWS tunnel?

Please guide me if I'm wrong in any part.

Subnets are different, say one side is 10.34.x.x and the other side is 10.2.x.x,

but still, if I want to hide my backend pool IPs, I can do the NAT, right?
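As an added example (not from the thread or from Palo Alto Networks), the check below encodes the PAN-OS evaluation rule that a security policy is matched on post-NAT zones but pre-NAT addresses, and derives the security rule that pairs with the DNAT rule above. The route table, zone names and concrete addresses are constructed assumptions standing in for the thread's 10.240.x.x / 10.34.x.x placeholders.

```python
import ipaddress

# Constructed sample values (the thread only gives 10.240.x.x / 10.34.x.x placeholders).
ROUTES = {                        # destination prefix -> zone reached by route lookup
    "10.240.0.0/24": "DMZ_2",     # DMZ sub-interface network on eth1/7.4
    "10.34.0.0/16": "DMZ_2",      # backend pool behind eth1/7.4
    "10.2.0.0/16": "AWS",         # peer subnets reached via tunnel.9
}

NAT_RULE = {                      # original-packet fields plus the translated destination
    "from_zone": "AWS",
    "source": "10.2.0.0/16",
    "original_dest": "10.240.0.10",
    "translated_dest": "10.34.0.10",
}

def zone_for(ip):
    """Longest-prefix route lookup: which zone does this address live in?"""
    addr = ipaddress.ip_address(ip)
    hits = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    if not hits:
        raise ValueError("no route for %s" % ip)
    return ROUTES[str(max(hits, key=lambda n: n.prefixlen))]

def security_rule_for(nat_rule, services):
    """Derive the security rule that pairs with a DNAT rule: the destination zone
    comes from the translated (post-NAT) address, the destination address is the
    original (pre-NAT) one, because that is what the policy engine matches on."""
    return {
        "from_zone": nat_rule["from_zone"],
        "to_zone": zone_for(nat_rule["translated_dest"]),
        "source": nat_rule["source"],
        "destination": nat_rule["original_dest"],
        "service": list(services),
        "action": "allow",
    }

def matches(rule, src_ip, original_dst, translated_dst, service):
    """Evaluate a security rule the way the policy engine sees a DNAT'd flow."""
    return (rule["from_zone"] == zone_for(src_ip)
            and rule["to_zone"] == zone_for(translated_dst)          # post-NAT zone
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["source"])
            and original_dst == rule["destination"]                   # pre-NAT address
            and service in rule["service"])

if __name__ == "__main__":
    rule = security_rule_for(NAT_RULE, ["service-http", "service-https"])
    print(rule)
    # A rule written with the translated address never sees a matching packet:
    print(matches(dict(rule, destination="10.34.0.10"),
                  "10.2.0.5", "10.240.0.10", "10.34.0.10", "service-https"))
```

A security rule that names the translated backend address instead of the sub-interface IP does not match the flow, which is usually where a too-broad "any" rule gets added to make things work.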

Cyber Elite


You can. But can get very complicated.



Thanks OtakarKlier. I have tested the same and it works successfully.
