This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About SteveBoyd
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About SteveBoyd
08-02-2022
2Posts
0Likes
0Solutions
Aug 02, 2022Last Visited
User
Activity
User
Profile
Latest posts by SteveBoyd
| Subject | Views | Posted |
|---|---|---|
| 1683 | 08-02-2022 03:26 PM | |
| 1828 | 07-30-2022 07:47 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 07-27-2022 12:33 PM |
| Date Last Visited | 08-02-2022 06:47 PM |
| Posts | 2 |
08-02-2022
03:26 PM
Thank you both for your help! The reason there was two rules is I figured I'd create one for each direction. In practice, the one worked and the other didn't, and then thanks to your helpful nudge I realized that I hadn't enabled bidirectional on the one that was working. Another element was getting the security policies set as well; apparently (correct me if I'm wrong) while the NAT policies get processed before the security policies, if the NAT is working but security rules don't allow the traffic, it still won't increment the NAT or show up in the traffic logs.
I've tweaked it, disabled the nonworking NAT policy, and updated the security policies needed additional to the existing in and out policies for the IPsec tunnel. Attached are the working NAT policy and security policies for this, for the benefit of others with a similar question.
... View more
07-30-2022
07:47 AM
I've got a PA-850 with fairly typical many-to-one NAT outbound to the internet, and some IPsec tunnels. Due to one partner that I'm connecting to with IPsec using 10.0.0.0/8 on their network (don't ask), I need to NAT my 10.28.1.0/24 subnet to 172.28.1.0/24 going to/from their end. I've got a working tunnel for two other subnets (a 172.19.x.x and 192.168.x.x), but I cannot get the NAT working correctly for this third subnet. I've tried several different combinations, including narrowing the NAT down to a single IP 10.28.1.28 <-> 172.28.1.28 but I don't get any hits on the NAT policy and the Traffic logs do not show any 10.28.1.28-sourced traffic pointed at the partner destination.
10.28.1.0/24 is on Trust-L3 (interface Eth1/5), and the IPsec zone is Denver-IPsec (tunnel.5).
Attached is a screenshot of two different rules that are still not working.
Can someone help with either a troubleshooting pointer or what element I'm missing? Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-02-2022
06:47 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks