Configure bi-directional NAT on the PA_NAT device from POLICIES > NAT > Click Add.
As shown below, NAT is configured for traffic from Untrust to Untrust, because the PA_NAT device receives the UDP traffic from PA2 on its Untrust interface and routes it back out to PA1 after applying the NAT policy.
Shown below is the bi-directional NAT rule for both UDP ports 500 and 4500:
> show running nat-policy
NAT_T_IPSEC {
from Untrust;
source 172.16.9.160;
to Untrust;
to-interface ;
destination 172.16.9.163;
service [ udp/any/500 udp/any/4500 ];
translate-to "src: 172.16.9.171 (static-ip) (pool idx: 2)";
terminal no;
}
NAT_T_IPSEC {
from any;
source any;
to Untrust;
to-interface ;
destination 172.16.9.171;
service [ udp/any/500 udp/any/4500 ];
translate-to "dst: 172.16.9.160";
terminal no;
}
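To validate that a bi-directional NAT-T rule is complete before bringing the tunnel up, the following added Python example (not part of the original article and not PAN-OS code) parses `show running nat-policy` output of the shape shown above and checks that the static-ip source rule has a reverse rule covering both UDP 500 and 4500. The sample text and parser are constructed here and assume exactly this output format.

```python
import re
# Constructed sample with the same shape as the `show running nat-policy` output on this page.
NAT_POLICY = """\
NAT_T_IPSEC {
from Untrust;
source 172.16.9.160;
to Untrust;
to-interface ;
destination 172.16.9.163;
service [ udp/any/500 udp/any/4500 ];
translate-to "src: 172.16.9.171 (static-ip) (pool idx: 2)";
terminal no;
}
NAT_T_IPSEC {
from any;
source any;
to Untrust;
to-interface ;
destination 172.16.9.171;
service [ udp/any/500 udp/any/4500 ];
translate-to "dst: 172.16.9.160";
terminal no;
}
"""
RULE_RE = re.compile(r"(\S+)\s*\{(.*?)\}", re.S)
NAT_T_PORTS = {"500", "4500"}  # IKE, and UDP-encapsulated ESP (NAT-T)

def parse_nat_policy(text):
    """One dict per rule block; 'ports' is the set of UDP ports its service list covers."""
    rules = []
    for name, body in RULE_RE.findall(text):
        rule = {"name": name}
        for line in body.strip().splitlines():
            key, _, value = line.strip().rstrip(";").partition(" ")
            rule[key] = value.strip().strip('"')  # 'to-interface ;' yields an empty value
        rule["ports"] = set(re.findall(r"udp/\w+/(\d+)", rule.get("service", "")))
        rules.append(rule)
    return rules
def check_nat_t_pair(text):
    """Report gaps that would break NAT-T: a missing port, or no reverse rule for the static-ip mapping."""
    rules = parse_nat_policy(text)
    rev = [r for r in rules if r.get("translate-to", "").startswith("dst:")]
    problems = []
    for f in (r for r in rules if r.get("translate-to", "").startswith("src:")):
        public_ip = f["translate-to"].split()[1]
        if NAT_T_PORTS - f["ports"]:
            problems.append(f"{f['name']}: forward rule lacks UDP {sorted(NAT_T_PORTS - f['ports'])}")
        back = [r for r in rev if r.get("destination") == public_ip
                and r["translate-to"].split()[1] == f["source"]]
        if not back:
            problems.append(f"{f['name']}: no reverse rule mapping {public_ip} back to {f['source']}")
        elif NAT_T_PORTS - back[0]["ports"]:
            problems.append(f"{f['name']}: reverse rule lacks UDP {sorted(NAT_T_PORTS - back[0]['ports'])}")
    return problems
```

An empty list from `check_nat_t_pair` means both directions cover IKE and NAT-T; any entry names the rule and the gap that would leave one direction untranslated.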
Initiate the IPSec VPN tunnel from PA2 (172.16.9.160) from the CLI:
> test vpn ike-sa
Initiate IKE SA: Total 1 gateways found. 1 ike sa found.
> test vpn ipsec-sa
Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
On the PA_NAT device, the following sessions are seen:
> show session all filter application ike
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14211 ike ACTIVE FLOW NS 172.16.9.160[500]/Untrust/17 (172.16.9.171[500])
vsys1 172.16.9.163[500]/Untrust (172.16.9.163[500])
> show session all filter destination-port 4500
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14210 ipsec-esp-udp ACTIVE FLOW NS 172.16.9.160[4500]/Untrust/17 (172.16.9.171[4500])
vsys1 172.16.9.163[4500]/Untrust (172.16.9.163[4500])
Verify that the tunnels are UP on both PA1 and PA2 in the GUI under NETWORK > IPSec Tunnels.