08-08-2023 01:13 PM - edited 08-12-2023 12:22 PM
Hello Live Community, how's it going? I hope it's going well.
One question, I have the following doubt.
Soon I have to set up a Site-to-Site VPN connection between a Palo Alto on-prem and another Palo Alto that is in AWS.
I understand that on the AWS side, the Palo Alto does not have a public IP directly on the interface; instead, there is a mapping that AWS does between the public IP and the private IP of what they call the public network. I understand that this is like a 1:1 DNAT/NAT that AWS then does from the resource to the Palo Alto untrust interface on AWS.
Now my doubt: does that mean that, when building the tunnel between the on-prem PA, which has a public IP directly on its WAN/Untrust interface, and the Palo Alto in AWS, it must be configured as if it were done with a device that is behind a NAT? That is to say, use NAT traversal?
Firewall01 On-prem ---- Public IP on Untrust Interface ----------- Internet ------------- IPSEC VPN ------------- AWS Public IP ---------- Mapping Public IP to Private IP of the PA on AWS ------ IP/Interface Untrust PA on AWS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC
NAT traversal is supposed to apply when you are behind a NAT, but... when we understand that UDP 500 arrives at that edge device, what does the NAT do? NAT traversal will therefore forward UDP 4500 to the internal device, but in this case you have an example where NAT-Traversal was not used at either end, with one end in AWS, and it operates without problems, without using NAT-Traversal, but, as you say, using Peer Identification and Local Identification. Now I am greatly confused, because I see that in this link, in the step by step, they do not enable NAT-T and it works perfectly; that is why I now have a great doubt regarding the 1:1 NAT or the mapping that AWS does. Because here I see that they do not enable it and it works perfectly.
This link, AWS Palo Alto Site-to-Site VPN:
So it should be configured similarly to this, right? As against a NAT traversal?
Has anyone had experience configuring an IPsec VPN against a Palo Alto in AWS?
Thanks in advance for your time, good vibes and cooperation as always.
I remain attentive, best regards.
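The question above turns on whether the AWS 1:1 mapping counts as a NAT from IKE's point of view. The following is an added example, not from this thread, from AWS, or from Palo Alto Networks: it implements the IKEv2 NAT-detection check from RFC 7296 section 2.23 (SHA-1 over SPIs, address and port) and runs it over constructed SPIs and addresses for the on-prem/AWS scenario in the post.

```python
import hashlib
import ipaddress
import struct

# RFC 7296 section 2.23: in IKE_SA_INIT each peer sends
#   NAT_DETECTION_SOURCE_IP      = SHA-1(SPIi | SPIr | its source IP | source port)
#   NAT_DETECTION_DESTINATION_IP = SHA-1(SPIi | SPIr | its dest IP   | dest port)
# built from the addresses it sees on its own socket. The receiver recomputes
# both from the IP/UDP header it actually received; any mismatch means an
# address was rewritten in transit, i.e. a NAT sits between the peers.

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()

def nat_detected(spi_i, spi_r, sender_view, receiver_view):
    """Views are (src_ip, src_port, dst_ip, dst_port): the sender's view when it
    built the packet, and the receiver's view of the packet on the wire.
    Returns (source_rewritten, destination_rewritten)."""
    s_src, s_sport, s_dst, s_dport = sender_view
    r_src, r_sport, r_dst, r_dport = receiver_view
    src_mismatch = nat_detection_hash(spi_i, spi_r, s_src, s_sport) != \
        nat_detection_hash(spi_i, spi_r, r_src, r_sport)
    dst_mismatch = nat_detection_hash(spi_i, spi_r, s_dst, s_dport) != \
        nat_detection_hash(spi_i, spi_r, r_dst, r_dport)
    return src_mismatch, dst_mismatch

# Constructed values (assumptions, not real deployments):
SPI_I = bytes.fromhex("0011223344556677")   # initiator SPI
SPI_R = bytes(8)                            # responder SPI is zero in the first message
ONPREM_PUBLIC = "198.51.100.1"              # on-prem PA untrust interface, public IP
AWS_PRIVATE = "10.0.0.10"                   # AWS PA untrust interface, private IP
AWS_EIP = "203.0.113.10"                    # Elastic IP mapped 1:1 onto AWS_PRIVATE

# AWS PA initiates: it builds hashes from 10.0.0.10, but on-prem sees the EIP.
AWS_TO_ONPREM_SENT = (AWS_PRIVATE, 500, ONPREM_PUBLIC, 500)
AWS_TO_ONPREM_SEEN = (AWS_EIP, 500, ONPREM_PUBLIC, 500)

# On-prem PA initiates toward the EIP; AWS PA receives it on its private IP.
ONPREM_TO_AWS_SENT = (ONPREM_PUBLIC, 500, AWS_EIP, 500)
ONPREM_TO_AWS_SEEN = (ONPREM_PUBLIC, 500, AWS_PRIVATE, 500)

if __name__ == "__main__":
    print("AWS -> on-prem  (src rewritten, dst rewritten):",
          nat_detected(SPI_I, SPI_R, AWS_TO_ONPREM_SENT, AWS_TO_ONPREM_SEEN))
    print("on-prem -> AWS  (src rewritten, dst rewritten):",
          nat_detected(SPI_I, SPI_R, ONPREM_TO_AWS_SENT, ONPREM_TO_AWS_SEEN))
```

In both directions the mismatch lands on the AWS side's address, which is why the 1:1 EIP mapping is a NAT as far as IKE is concerned and why the IKE identity (Local/Peer Identification) rather than the packet's source IP is what the peers should match on.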
08-09-2023 06:43 PM - edited 08-12-2023 12:22 PM
Hello, sorry to refer to and tag you, I hope I'm not bothering you. @TomYoung @reaper @Raido_Rattameister @BPry @PavelK @aleksandar.astardzhiev
Please see my post and give me your comments, advice, clarifications, details, etc. regarding what I say about AWS Palo Alto FW.
Thank you very much for your comments, for your time, for your collaboration.
I remain attentive
Best regards.