Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
About lonzonline
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About lonzonline
11-20-2020
1Post
0Likes
0Solutions
Nov 20, 2020Last Visited
User
Activity
User
Profile
Latest posts by lonzonline
| Subject | Views | Posted |
|---|---|---|
| 358 | 11-16-2020 04:08 AM |
User Badges
Community Statistics
| Member Since | 11-16-2020 02:30 AM |
| Date Last Visited | 11-20-2020 02:24 AM |
| Posts | 1 |
11-16-2020
04:08 AM
Hi there, i want to finish an easy setup which needs a simple DNAT and forwarding into a VPN tunnel on my PA5020. I've created a working VPN tunnel which is the destination for my traffic. And this works fine if i'm using the tunnel ip to reach targets inside the vpn destination network (192.168.5.0/24). To use this setup it is necessary to hide the destination network (192.168.5.0/24) behind free public NAT (1.1.1.0/24) adresses which we're using inside intranet. So i have a public space /24 to mask the private adresse space /24. There are three zones configured: untrust ("internet" via ae2.400), VPN and trust ("intranet" via ae1.305). To prevent double use of private adresses i've created a second VR for the customer destination network and added the tunnel interface from zone VPN. And finally i have created a NAT policy which should map 1:1 the outgoing packets directioned to the public adresses (1.1.1.0/24) and change the destination to the private network (192.168.5.0/24), so these packets should routed inside vpn. But it's not. I've tried a lot of different configurations with routing and NAT but finally i have no clue whats going wrong. The security policies don't block any traffic and the NAT policy counter counts my connection tries. Everything looks fine. But no way to get a working connection from intranet to the vpn. How to set the routes properly to get my packets NATted and routed into the correct VR and finally inside the VPN? Configuration ahead. I've changed the config a lot of times, so i'm sure everything looks now completely senseless 😉 Thanks in advance. show routing route VIRTUAL ROUTER: default (id 1) ========== destination nexthop metric flags age interface next-AS 0.0.0.0/0 3.3.3.1 10 A S ae2.400 10.0.0.0/8 172.30.224.129 10 A S ae1.305 1.1.1.0/24 0.0.0.0 10 A S ae1.305 172.16.0.0/12 172.30.224.129 10 A S ae1.305 172.30.224.128/27 172.30.224.133 0 A C ae1.305 172.30.224.133/32 0.0.0.0 0 A H 3.3.3.0/24 3.3.3.5 0 A C ae2.400 3.3.3.5/32 0.0.0.0 0 A H 192.168.0.0/16 172.30.224.129 10 A S ae1.305 total routes shown: 12 VIRTUAL ROUTER: CUSTOMER (id 2) ========== destination nexthop metric flags age interface next-AS 3.3.3.99/32 0.0.0.0 0 A H 192.168.5.0/24 0.0.0.0 10 A S tunnel.99 show running nat-policy "NAT-S2S-CUSTOMER; index: 2" { nat-type ipv4; from trust; source any; to trust; to-interface; destination 1.1.1.0/24; service 0:any/any/any; translate-to "dst: 192.168.5.0-192.168.5.255"; terminal no;
... View more
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
