How to configure an IPSec tunnel when Palo Alto Firewall is behind a NAT device

Created On 06/20/22 09:54 AM - Last Modified 07/29/24 22:20 PM


Objective


  • Create an IPSec tunnel when the firewall is behind a NAT device.


Environment


  • Palo Alto Networks Firewall
  • IPSec VPN
  • The firewall has a private IP address on its external interface.
  • NAT is performed by another router in front of the PA firewall.
PA-Firewall -------- NAT Router --------- Internet ----------- VPN Peer
PA-Firewall ============= IPSec VPN ========== VPN Peer


Procedure


  1. Create the IPSec VPN tunnel as described in "How to configure IPSec VPN".
  2. When configuring the IKE Gateway (Step 3), make the following changes:
    1. In the IKE Gateway configuration, set the "Local Identification" field to the NATed public IP address.
    2. Enable NAT traversal in the Advanced Options tab of the IKE Gateway.
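
An offline check for the two settings above, added here as an example and not part of the original article: it scans an exported configuration XML for IKE gateways whose local address is RFC 1918 and reports those missing a Local Identification or NAT traversal. The sample XML is constructed, the element names are assumed to match the PAN-OS configuration export, and the gateway names and addresses are placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Private ranges checked explicitly: ipaddress.is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample; element names are an assumption modelled on a PAN-OS config export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><ike><gateway>
  <entry name="gw-ok">
    <local-address><interface>ethernet1/1</interface><ip>192.168.10.2/24</ip></local-address>
    <local-id><type>ipaddr</type><id>203.0.113.10</id></local-id>
    <protocol-common><nat-traversal><enable>yes</enable></nat-traversal></protocol-common>
  </entry>
  <entry name="gw-missing">
    <local-address><interface>ethernet1/2</interface><ip>10.1.1.2/30</ip></local-address>
  </entry>
  <entry name="gw-public">
    <local-address><interface>ethernet1/3</interface><ip>198.51.100.5/29</ip></local-address>
  </entry>
</gateway></ike></network></entry></devices></config>
"""

def is_rfc1918(value):
    """True if value (IP or IP/mask) is an RFC 1918 address; False for names or empty text."""
    try:
        addr = ipaddress.ip_interface(value).ip
    except ValueError:
        return False  # address-object name or unset: cannot be judged offline
    return any(addr in net for net in RFC1918)

def audit_gateways(xml_text):
    """Map gateway name -> list of problems, for gateways with a private local address."""
    findings = {}
    for gw in ET.fromstring(xml_text).iterfind(".//ike/gateway/entry"):
        if not is_rfc1918(gw.findtext("local-address/ip", default="")):
            continue  # publicly addressed gateway: the NAT guidance does not apply
        issues = []
        local_id = gw.findtext("local-id/id", default="")
        if not local_id:
            issues.append("Local Identification not set")
        elif is_rfc1918(local_id):
            issues.append("Local Identification is a private address")
        if gw.findtext("protocol-common/nat-traversal/enable", default="no") != "yes":
            issues.append("NAT traversal not enabled")
        if issues:
            findings[gw.get("name")] = issues
    return findings

if __name__ == "__main__":
    print(audit_gateways(SAMPLE_CONFIG))
```

Gateways whose local address is an address-object name rather than a literal IP are skipped, so resolve those by hand.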


Additional Information


IPSec resource list
