Hi there, I want to finish an easy setup which needs a simple DNAT and forwarding into a VPN tunnel on my PA5020. I've created a working VPN tunnel which is the destination for my traffic. And this works fine if I'm using the tunnel IP to reach targets inside the VPN destination network (192.168.5.0/24). To use this setup it is necessary to hide the destination network (192.168.5.0/24) behind free public NAT (1.1.1.0/24) addresses which we're using inside the intranet. So I have a public space /24 to mask the private address space /24. There are three zones configured: untrust ("internet" via ae2.400), VPN and trust ("intranet" via ae1.305).

To prevent double use of private addresses I've created a second VR for the customer destination network and added the tunnel interface from zone VPN. And finally I have created a NAT policy which should map 1:1 the outgoing packets directed to the public addresses (1.1.1.0/24) and change the destination to the private network (192.168.5.0/24), so these packets should be routed inside the VPN. But it's not. I've tried a lot of different configurations with routing and NAT but finally I have no clue what's going wrong. The security policies don't block any traffic and the NAT policy counter counts my connection tries. Everything looks fine. But no way to get a working connection from the intranet to the VPN. How do I set the routes properly to get my packets NATted and routed into the correct VR and finally inside the VPN? Configuration ahead. I've changed the config a lot of times, so I'm sure everything now looks completely senseless 😉 Thanks in advance.
show routing route

VIRTUAL ROUTER: default (id 1)
==========
destination          nexthop          metric  flags  age  interface  next-AS
0.0.0.0/0            3.3.3.1          10      A S         ae2.400
10.0.0.0/8           172.30.224.129   10      A S         ae1.305
1.1.1.0/24           0.0.0.0          10      A S         ae1.305
172.16.0.0/12        172.30.224.129   10      A S         ae1.305
172.30.224.128/27    172.30.224.133   0       A C         ae1.305
172.30.224.133/32    0.0.0.0          0       A H
3.3.3.0/24           3.3.3.5          0       A C         ae2.400
3.3.3.5/32           0.0.0.0          0       A H
192.168.0.0/16       172.30.224.129   10      A S         ae1.305
total routes shown: 12

VIRTUAL ROUTER: CUSTOMER (id 2)
==========
destination          nexthop          metric  flags  age  interface  next-AS
3.3.3.99/32          0.0.0.0          0       A H
192.168.5.0/24       0.0.0.0          10      A S         tunnel.99

show running nat-policy

"NAT-S2S-CUSTOMER; index: 2" {
        nat-type ipv4;
        from trust;
        source any;
        to trust;
        to-interface  ;
        destination 1.1.1.0/24;
        service  0:any/any/any;
        translate-to "dst: 192.168.5.0-192.168.5.255";
        terminal no;
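The following is an added worked example, not code from the poster or from Palo Alto Networks. It transcribes the two routing tables and the NAT rule from the post into a small Python model and walks one packet through it. The model assumes (this is my assumption, not something the post states) the usual firewall order of operations: the destination NAT rule is matched on the pre-NAT destination, and the forwarding decision is then a longest-prefix lookup of the post-NAT destination in the virtual router the packet entered on. The `lookup`, `translate_destination` and `trace` helpers are hypothetical names for this model; local host (`H`) routes are omitted because the output lists no interface for them.

```python
import ipaddress

# Routing tables transcribed from the post (VR "default" and VR "CUSTOMER").
# Only destination, nexthop and interface are kept; host routes are omitted.
ROUTES = {
    "default": [
        ("0.0.0.0/0", "3.3.3.1", "ae2.400"),
        ("10.0.0.0/8", "172.30.224.129", "ae1.305"),
        ("1.1.1.0/24", "0.0.0.0", "ae1.305"),
        ("172.16.0.0/12", "172.30.224.129", "ae1.305"),
        ("172.30.224.128/27", "172.30.224.133", "ae1.305"),
        ("3.3.3.0/24", "3.3.3.5", "ae2.400"),
        ("192.168.0.0/16", "172.30.224.129", "ae1.305"),
    ],
    "CUSTOMER": [
        ("192.168.5.0/24", "0.0.0.0", "tunnel.99"),
    ],
}

# Interface -> zone mapping as described in the post.
ZONES = {"ae2.400": "untrust", "ae1.305": "trust", "tunnel.99": "VPN"}

# The NAT rule from the post: 1:1 destination translation of 1.1.1.0/24
# onto 192.168.5.0/24 (the "dst: 192.168.5.0-192.168.5.255" range).
NAT_MATCH = ipaddress.ip_network("1.1.1.0/24")
NAT_TRANSLATE_TO = ipaddress.ip_network("192.168.5.0/24")


def lookup(vr, dst):
    """Longest-prefix match in one virtual router.

    Returns (prefix, nexthop, interface) or None when no route matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in ROUTES[vr]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def translate_destination(dst):
    """Apply the 1:1 DNAT: keep the host offset, swap the /24 prefix."""
    addr = ipaddress.ip_address(dst)
    if addr not in NAT_MATCH:
        return dst
    offset = int(addr) - int(NAT_MATCH.network_address)
    return str(NAT_TRANSLATE_TO.network_address + offset)


def trace(ingress_vr, dst):
    """Walk one packet through the model (assumed order of operations):
    1. pre-NAT lookup decides the destination zone the NAT rule is matched on,
    2. the NAT rule rewrites the destination,
    3. the post-NAT destination is looked up in the same (ingress) VR.
    """
    pre = lookup(ingress_vr, dst)
    post_dst = translate_destination(dst)
    post = lookup(ingress_vr, post_dst)
    return {
        "pre_nat_dst": dst,
        "pre_nat_zone": ZONES.get(pre[2]) if pre else None,
        "post_nat_dst": post_dst,
        "post_nat_route": post,
        "egress_zone": ZONES.get(post[2]) if post else None,
    }


if __name__ == "__main__":
    # Constructed sample: an intranet host talking to 1.1.1.10, entering VR "default".
    for key, value in trace("default", "1.1.1.10").items():
        print(f"{key}: {value}")
    # For comparison, the same post-NAT address looked up in VR "CUSTOMER".
    print("CUSTOMER VR route:", lookup("CUSTOMER", "192.168.5.10"))
```

Running the trace shows what the two tables in the post imply under this model: the pre-NAT destination 1.1.1.10 resolves to zone trust (matching the rule's `to trust`), and the post-NAT destination 192.168.5.10 is then matched in VR default by 192.168.0.0/16 via ae1.305, not by the tunnel route, because 192.168.5.0/24 exists only in VR CUSTOMER. The same address looked up in VR CUSTOMER lands on tunnel.99. Comparing the two lookups is the check to make when tracing why NATted packets are not reaching the tunnel.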