I would like to follow up on the back of this request. I too have a requirement for a double NAT entry whereby I wish to change the source and destination address of a particular traffic pattern. Here is the scenario.

I want to advertise a service that is routable using a private-side/trusted IP address obtained from within the subnet range of the private-side interface of the firewall. For example, the trusted-side interface and zone of the firewall is:

L3-PRIV = 172.16.227.254/22

I then create a loopback address which is also assigned to the same zone, using a subnet range as follows:

L3-PRIV = 172.16.245.33/27

I have a network service that is reachable through a DMZ (untrusted interface) and then via a next-hop router. The remote network is routed via the virtual routing table used by both layer 3 interfaces. I want clients that hit the destination address equal to the loopback address of 172.16.245.33/27 to be translated using this source, and also have the destination translated to a new destination address routable via my DMZ.

Summary

Original packet: SRC_ZONE=L3-PRIV, SRC_IP=192.168.230.10/24 -> NAT'd: SRC_ZONE=L3-PRIV, SRC_IP=172.16.245.33/27
Original packet: DST_ZONE=L3-PRIV, DST_IP=172.16.245.33/27 -> NAT'd: DST_ZONE=L3-DMZ, DST_IP=10.142.210.5/24

Does this make sense, and is this possible? The use case is that the destination network will only be aware of the loopback address subnet from a routing perspective, plus the clients on my internal network can reach the loopback address but not the true destination, hence the need for a destination NAT. Traffic will always be initiated from the trusted side.
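As an added illustration (not the poster's configuration and not vendor documentation), here is how the double NAT described above would be expressed in PAN-OS set-format CLI as I recall it; exact syntax, the interface name loopback.1, the virtual router name vr-default and the rule names are assumptions to check against your release. The security-relevant detail the example is built around: a PAN-OS NAT rule is matched on pre-NAT addresses and pre-NAT zones, so its destination zone is the zone the original destination (the loopback) routes to, while the security rule is matched on pre-NAT addresses but the post-NAT destination zone, which here is the DMZ. Lines beginning with # are annotations, not commands.

```text
# Added example in PAN-OS set-format CLI (not the original poster's config).
# Assumed names: loopback.1, vr-default, rule names. Lines starting with # are
# annotations, not commands.

# Loopback carrying the advertised service address, placed in the trusted zone.
set network interface loopback units loopback.1 ip 172.16.245.33/32
set network virtual-router vr-default interface loopback.1
set zone L3-PRIV network layer3 loopback.1

# NAT rule. Zones and addresses here are PRE-NAT: the destination zone is the
# zone the original destination (the loopback) routes to, i.e. L3-PRIV.
set rulebase nat rules DOUBLE-NAT-SVC from L3-PRIV
set rulebase nat rules DOUBLE-NAT-SVC to L3-PRIV
set rulebase nat rules DOUBLE-NAT-SVC source 192.168.230.0/24
set rulebase nat rules DOUBLE-NAT-SVC destination 172.16.245.33
set rulebase nat rules DOUBLE-NAT-SVC service any
set rulebase nat rules DOUBLE-NAT-SVC source-translation dynamic-ip-and-port translated-address 172.16.245.33
set rulebase nat rules DOUBLE-NAT-SVC destination-translation translated-address 10.142.210.5

# Security rule. Addresses are PRE-NAT, but the destination zone is POST-NAT:
# 10.142.210.5 routes out of the DMZ interface, so the rule is L3-PRIV -> L3-DMZ.
set rulebase security rules ALLOW-SVC-VIA-DMZ from L3-PRIV
set rulebase security rules ALLOW-SVC-VIA-DMZ to L3-DMZ
set rulebase security rules ALLOW-SVC-VIA-DMZ source 192.168.230.0/24
set rulebase security rules ALLOW-SVC-VIA-DMZ destination 172.16.245.33
set rulebase security rules ALLOW-SVC-VIA-DMZ application any
set rulebase security rules ALLOW-SVC-VIA-DMZ service any
set rulebase security rules ALLOW-SVC-VIA-DMZ action allow

# Operational checks: which NAT rule a synthetic packet hits, then the live
# session with its pre- and post-NAT columns.
test nat-policy-match from L3-PRIV to L3-PRIV source 192.168.230.10 destination 172.16.245.33 protocol 6 destination-port 443
show session all filter destination 172.16.245.33
show session id <session-id>
```

Keeping the security rule scoped to the one translated destination (rather than the ANY/ANY used while troubleshooting) means the loopback address is the only path from the trusted zone to the DMZ host, which is the least-privilege version of the design the post describes.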
Thanks for taking the time out to reply. It's been a while.

1. First thing to say is that routing at the remote end is not a problem, as the remote configuration is a working one. The only element of that configuration that has changed is the PEER address of the IKE GATEWAY.

2. With respect to NAT, I can see in the traffic logs that NAT is taking place, and I validated routing via the test routing fib-lookup virtual-router vr-default ip command, so this appears to work.

3. But the gut feel is that it has something to do with NAT. Are there any debugging commands that show you the NAT session table? In the Cisco world I used show xlate.

4. I ended up using proxy entries which contain the NAT SRC ADDR/29 - DST ADDR/32, and I am using the interface IP as part of the SRC NAT policy. This subnet supports the end-to-end tunnel, a bit like an end-to-end (point-to-point) IP serial link over a WAN, albeit with a few more addresses in the range.

5. I also checked path MTU discovery, which the Palo seems to identify as 1460.

Any ideas on how I can effectively troubleshoot this one? I may have to get hold of a Netscreen and lab it. If you need details I am happy to whiz over a Visio diagram of what I am trying to do, with screenshots etc. It's gotta be something simple.

PS The client can see return traffic going back into the tunnel, but I don't see any deny / drops / discards.
I am trying to configure a ROUTE BASED VPN in TUNNEL MODE. I have a unit with 2 interfaces configured for Layer 3 operation with the following zones.

L3-PRIV (ZONE) = My private internal network.
L3-PUBL (ZONE) = My public outside network.

I created a numbered IP TUNNEL.10 interface which is also defined in its own zone called L3-VPN10. I have 1 Virtual Router which is shared amongst all interfaces. I have configured all the appropriate routing for inside and outside networks and additional routes to egress the traffic that requires encryption out via TUNNEL.10.

I have successfully configured the IKE and CRYPTO, and the IPSEC TUNNEL and IKE are both UP UP. I have configured a NAT policy to change the source address and replace it with the source TUNNEL.10 IP address where the destination is equal to the network that requires encryption. In addition to the above I have configured the appropriate Source Zones - Destination Zones policies, which for troubleshooting purposes are set to ANY ANY.

From my log I can see traffic egressing the L3-VPN10 zone, but TCP connections are showing incomplete. The remote end can see my traffic, but I don't see any return traffic coming back and there are no Deny matches on the logs. The PEERS have come from a working tunnel between 2 Netscreens, so I got the remote end to just change their PEER to match my PALO UNIT, so I know that this works, but not on the PALO.

Help ... is there any known issue with route-based VPNs? Do I need to set the proxy ID to be the source and destination subnet, as this is a bit like a point-to-point connection? Currently I have this set to 0.0.0.0/0 0.0.0.0/0 as I am using a static route to enter the tunnel. The tunnel IP is basically a /29 subnet which in essence is the network that is being encrypted. The remote end is also set to a route-based VPN. Help!!!!!!!!
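As an added example that is not the poster's configuration and not vendor documentation, here is the route-based tunnel described in this post and the follow-up above, written in PAN-OS set-format CLI as I recall it, with the proxy ID pinned to the /29 tunnel subnet and the remote network (the proxy-entry arrangement the follow-up post settled on) and the source NAT taken from the tunnel interface address. The tunnel address 172.16.250.1/29, the remote network 192.0.2.0/24, the object names and the exact command syntax are constructed assumptions to verify against your release. The operational commands at the end are the PAN-OS places to look for what the follow-up post asks about: IKE and IPSec SA state, per-tunnel encap/decap counters, and the session table, which carries each session's pre- and post-NAT addresses and is the nearest equivalent to Cisco's show xlate.

```text
# Added example in PAN-OS set-format CLI (not the original poster's config or
# vendor documentation). Constructed values: tunnel.10 = 172.16.250.1/29,
# remote protected network = 192.0.2.0/24, object names. Lines starting with #
# are annotations, not commands.

# Numbered tunnel interface in its own zone, attached to the shared virtual router.
set network interface tunnel units tunnel.10 ip 172.16.250.1/29
set network virtual-router vr-default interface tunnel.10
set zone L3-VPN10 network layer3 tunnel.10

# Route-based: a static route, not a policy, steers traffic into the tunnel.
set network virtual-router vr-default routing-table ip static-route TO-REMOTE destination 192.0.2.0/24 interface tunnel.10

# Bind the IPSec tunnel to the interface. The proxy ID names the /29 and the
# remote network explicitly instead of 0.0.0.0/0, so it agrees with a peer that
# negotiates specific traffic selectors.
set network tunnel ipsec IPSEC-REMOTE tunnel-interface tunnel.10
set network tunnel ipsec IPSEC-REMOTE auto-key ike-gateway GW-REMOTE
set network tunnel ipsec IPSEC-REMOTE auto-key proxy-id PID-1 local 172.16.250.0/29
set network tunnel ipsec IPSEC-REMOTE auto-key proxy-id PID-1 remote 192.0.2.0/24
set network tunnel ipsec IPSEC-REMOTE auto-key proxy-id PID-1 protocol any

# Source NAT behind the tunnel interface address for traffic bound to the
# remote network. NAT zones are pre-NAT: the destination routes to tunnel.10,
# so the "to" zone is L3-VPN10.
set rulebase nat rules SNAT-TO-VPN10 from L3-PRIV
set rulebase nat rules SNAT-TO-VPN10 to L3-VPN10
set rulebase nat rules SNAT-TO-VPN10 source 192.168.230.0/24
set rulebase nat rules SNAT-TO-VPN10 destination 192.0.2.0/24
set rulebase nat rules SNAT-TO-VPN10 service any
set rulebase nat rules SNAT-TO-VPN10 source-translation dynamic-ip-and-port interface-address interface tunnel.10

# Verification (operational mode): phase 1 / phase 2 state, per-tunnel
# encap/decap counters, the session table with its NAT columns, and the
# forwarding lookup for the remote host.
show vpn ike-sa
show vpn ipsec-sa
show vpn flow
show session all filter destination 192.0.2.10
show session id <session-id>
test routing fib-lookup virtual-router vr-default ip 192.0.2.10
```

When reading show session id output, compare the post-NAT source (the tunnel.10 address) against what the remote side expects to route back; if the encap counter in show vpn flow rises while decap stays at zero, the return path on the far side is the place to look rather than the local NAT or security rules.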