This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

About technicalsupport

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
technicalsupport
‎06-11-2020
since ‎04-28-2010
L1 Bithead
User Activity
User Profile
Latest posts by technicalsupport
View All
User Badges
Community Statistics
Member Since ‎04-28-2010 12:32 AM
Date Last Visited ‎06-11-2020 10:28 AM
Posts 4

Re: Combined source & destination NAT in one rule

by in General Topics
‎08-08-2011 07:06 AM
‎08-08-2011 07:06 AM
I would like to followup on this back of this request. I too have a requirement for a double NAT entry where by I wish to change the source and destination address of a particular traffic pattern.Here is the scenario. I want to advertise a service that is routable using a private side/trusted ip address obtained from within subnet range of the private side interface of the firewall. For example; The trusted side interface and zone of the firewall is; L3-PRIV = 172.16.227.254/22 I then create a loopback address which is also assigned to the same zone using a subnet range as follows L3-PRIV = 172.16.245.33/27 I have a network service that is reachable through a DMZ (untrusted interface) and then via a next hop router. The remote network is routed via the virtual routing table used by both layer 3 interfaces. I want clients that hit the destination address equal to loopback address of 172.16.245.33/27 to be translated using this soruce and also have the destiantion translated to a new destiantion address routable via my DMZ. Summary Origianl Packet SRC_ZONE=L3-PRIV - SRC_IP = 192.168.230.10/24 - NAT'd SRC_ZONE=L3-PRIV SRC_IP=172.16.245.33/27 Original Packet DST_ZONE=L3_PRIV - DST_IP = 172.16.245.33/27   - NAT'd DST_ZONE=L3-DMZ DST_IP=10.142.210.5/24 Does this make sense and is this possible? The use case is that the destination network will only be aware of the loopback address subnet from a routing perspective, plus the clients on my internal network can reach the loopback address, but not the true destination hence the need for a destination NAT. Traffic will always be initiated from the trusted side. ... View more

Re: ROUTE BASED VPN QRY WITH SRC NAT

by in General Topics
‎07-08-2010 11:09 AM
‎07-08-2010 11:09 AM
session     203314         c2s flow:                 source:   SRC[L3-PRIV]                 dst:      DST                 sport:    19551         dport:    80                 proto:    6             dir:      c2s                 state:    INIT          type:     FLOW                 ipver:    4                 src-user: +++++                 dst-user: unknown         s2c flow:                 source:  DST[L3-VPN10]                 dst:      SRC NAT                 sport:    80            dport:    64516                 proto:    6             dir:      s2c                 state:    INIT          type:     FLOW                 ipver:    4                 src-user: unknown                 dst-user: ++++++                 qos node: ethernet1/1, qos member N/A Qid 0         start time            : Thu Jul  8 19:03:36 2010         timeout               : 5 sec         total byte count      : 124         layer7 packet count   : 2         vsys                  : vsys1         application           : incomplete         rule                  : APP Allow General The ports used in the session dont seem to match src port 19551 sould equal dst port 64516 ???? ... View more

Re: ROUTE BASED VPN QRY WITH SRC NAT

by in General Topics
‎07-08-2010 10:23 AM
‎07-08-2010 10:23 AM
Thanks for taking the time out to reply. Its been a while. 1. First thing to say is that routing at the remote end is not a problem as the remote configuration is a working one. The only element of that configuration that has chagned is the PEER address of the IKE GATEWAY. 2. With respect to NAT I can seen in the traffic logs that NAT is taking place and validated routing via the test routing fib-lookup virtual-router vr-default ip command so this apprears to work. 3. But the gut feel is that it has something to do with NAT. Are there any debugging commands that shows you the NAT session table. In the cisco world used show xlate , . 4. I ended up using Proxy entries which contains the NAT SRC ADDR/29 - DST ADDR/32 and I am using the interface ip as part of the SRC NAT policy. This subnet support the end to end tunnel a bit like an end to end (point to point) ip serial link over a WAN albeit with a few more addresses in the range. 5. I also check for MTU path discovery which the Palo seems to identify as 1460. Any ideas on how I can effectively troubleshoot this one? I may have to get hold of a Netscreen LAB it. If you need details am happy to wiz over a viso digram of what I am try to do with screen shots etc. Its gota be somthing simple. PS The client can see return traffic going back into the tunnel, but I dont see any deny / drops / discards. ... View more

ROUTE BASED VPN QRY WITH SRC NAT

by in General Topics
‎06-11-2010 06:34 AM
‎06-11-2010 06:34 AM
I am trying to configure a ROUTE BASED VPN in TUNNEL MODE. I have a unit with 2 interfaces configured for Layer 3 operation with the following zones. L3-PRIV (ZONE) = My private internal network. L3-PUBL (ZONE) = My public outside network. I created a numbered ip TUNNEL.10 interface which is also defined in its own zone called L3-VPN10. I have 1 Virtual Router which is shared amongst all interfaces. I have configured all the appropiate routing for inside and outside networks and additional routes to egreess the traffic that reuiqres encryption out via TUNNEL.10 I have successfully configured the IKE and CRYPTO and the IPSEC TUNNEL and IKE are both UP UP. I have configured a NAT policy to change the source address and replace it with the source TUNNEL.10 ip address where the destination is = to the network that requires encryption. In addition to the above I have configured the appropiate Source Zones - Destimation Zones policies which for troubleshooting purposes is set to ANY ANY. From my log I can see traffic egressing the L3-VPN10 zone, but TCP connections are showing incomplete. The remote end can see my traffic, but I dont see any return traffic comming back and there are no Deny matches on the logs. The PEERS have come from a working tunnel between 2 netscreens, so I got the remote end to just change their PEER to match my PALO UNIT so I know that this works, but not on the PALO. Help ....is there any known issue with route VPNs. Do I need to set the proxy ID? to be the source and destion subnet as this a bit like a point to point conenction. Currenty I have this set to 0.0.0.0/0 0.0.0.0/0 as I am using a static route to enter the tunnel. The tunnel ip is basically a /29 subnet which is in essence is the network that is being encrypted. The remote end is also set to a route based VPN. Help!!!!!!!! ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-11-2020 10:28 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks