Palo Alto On AWS - Ipsec VPN IPSEC Site to Site connection - NAT-T - IP Mapping

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto On AWS - Ipsec VPN IPSEC Site to Site connection - NAT-T - IP Mapping

L4 Transporter

Hello Live Community, how's it going, I hope it's going well.


One question, I have the following doubt.


Soon I have to generate a Site to Site VPN connection, between a Palo Alto On-prem and another Palo Alto that is in AWS.

I understand that the Palo Alto on the AWS side, the Palo Alto does not have a direct public IP on the interface, therefore there is a mapping that AWS does between the Public IP and the private IP of the public network that they call. I understand that this is like a 1:1 DNAT/NAT that aws then does with the resource to the Palo Alto untrust on AWS.


Now my doubt, that means that the configuration at the time of making the tunnel between the PA of On-Prem that has a public IP directly in its WAN/Untrus Interface, with the Palo Alto in AWS, must be configured as if they did it with a computer that is behind a nat ? that is to say to use Nat-traversal ?

Firewall01 Onprime ----IP Public IP Untrust Interface -----------I---0nternet-------------IPSEC VPN-------------AWS Public IP---------- Mapping Public IP to Private IP of the PA on AWS------ IP/Interface Untrust PA On AWS  


Traversal is supposed to apply when you are behind a NAT but... when we understand that the 500-UDP arrives to that edge device, what does the NAT do, therefore NAT traversal will forward the UDP 4500 to the internal device, but in this case you have an example where no NAT-Traversal was used at either end, with one end at AWS and it operates without problems, without using NAT-Traversal. But if as you say using Peer Identification and Local Identification. Now I have great confusion, because I see that in this Link, in the step by step, they do not enable NAT-T and it works perfectly, that is why now I have a great doubt regarding NAT 1:1 or the Mapping that AWS does. Because here I see that they do not enable it and it works perfectly.


This Link AWS Palo Alto Site to Site VPN:


So it should be configured similar to this, right? As against a NAT Traversal ?


Has anyone had experience configuring VPN IPSEC, against Palo Alto in AWS ?


Thanks in advance for your time, good vibes and cooperation as always.


I remain attentive, best regards

High Sticker

L4 Transporter

Hello, sorry if I refer and tag you, I hope I'm not bothering you. @TomYoung @reaper @Raido_Rattameister @BPry @PavelK @aleksandar.astardzhiev


Please see my post and give me your comments, advice, clarifications, details, etc. regarding what I say about AWS Palo Alto FW.


Thank you very much for your comments, for your time, for your collaboration.


I remain attentive


Best regards.

High Sticker
  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!