Why ESP packets are sent out with the original source IP instead of source NAT IP?

Created On 10/07/22 23:49 PM - Last Modified 10/17/24 09:52 AM


Question


Why ESP packets are transmitted with the original source IP instead of source NAT IP?

Environment


This behaviour is seen where an IPSec tunnel is terminated on a Palo Alto firewall and source NAT is also applied to the VPN negotiation, and the expected behaviour is that source NAT is performed on both ISAKMP and ESP.



Answer


NAT is not applied to the ESP packets: NAT on the firewall is session based, and it does not apply to the ESP encapsulation of a tunnel the firewall itself terminates, so the ESP packets leave with the original source IP.
