IPSec Over Palo Alto FW Static NAT

Posted by Blog - uTIcARdI on December 19, 2018

It took me about 2 hours on the following scenario and the root cause was located: lacking a static route on Palo Alto, so I decided to summarize every step here for further reference. Here is the topology on EVE-NG:

Topology
Topology
  • The left part is the office, and the right part is Internet
  • 10.0.56.5 of R6 was NATed to IP: 10.0.17.3 by Palo Alto which establishes IPSec tunnel with R8: 10.0.78.8
  • Traffic from 5.5.5.0/24 to 8.8.8.0/24 will be forward over the #1 IPSec
  • All device in ‘LAN’ could access ‘Internet’ via Port Translation
1. Initial Palo Alto

Console access Palo Alto with username/password: admin/admin, and configure MGMT IP 172.16.185.132 (I have bridged the MGMT interface of Palo Alto to my laptop). Here are the commands for the initialization:

configure
edit deviceconfig system
set ip-address 172.16.185.132 netmask 255.255.255.0
commit

Note: Executing ‘commit’ on CLI or Web GUI after the modification.

2. Navigate https://172.16.185.132 (MGMT IP of Palo Alto Firewall) in the browser

login with the username/password: admin/admin (default username/password)

Dashboard
Dashboard
3. Configure Interface Profiles

Policy: Permit ping traffic from both LAN and Internet to Palo Alto interfaces for connectives testing

Interface management profile
Interface management profile
4. Configure interface: ethernet1/1
Interface configuration-Zone-1
Interface configuration-Zone-1
Interface configuration-Zone-2
Interface configuration-Zone-2
Interface configuration-IP Address-1
Interface configuration-IP Address-1
Interface configuration-IP Address-2
Interface configuration-IP Address-2
Interface configuration-Management Profile
Interface configuration-Management Profile
5. Configure interface: ethernet1/2

Almost same steps to ethernet1/1 but with different IP and Zone – IP: 10.0.17.1/24, Zone: Internet.

6. Configured IPs, routing protocol on R5, R6, R7, R8 then run connectivity testing.
  • R5: Ethernet0/0 – 10.0.56.5/24, Ethernet0/1 – 10.0.15.5/24, Loopback0: 5.5.5.5/24, Default route with gateway: 10.0.15.1
  • R6: Ethernet0/0 – 10.0.56.6/24, Default route with gateway: 10.0.56.5
  • R7: Ethernet0/0 – 10.0.78.7/24, Ethernet0/2 – 10.0.17.7/24
  • R8: Ethernet0/0 – 10.0.78.8/24, Loopback0 – 8.8.8. /24, Static route to 10.0.17.0/24 with next hop: 10.0.78.7
7. Configure routing on Palo Alto

Default route with next hop: 10.0.17.7

Static route to 10.0.56.0/24 with next hop 10.0.15.5

Route
Route
8. Configure PAT for Requirement #4: traffic from LAN to Internet
PAT-1
PAT-1
PAT-2
PAT-2
PAT-3
PAT-3
9. Service Group

Creating Service and Security Group before the Security policy for IPSec traffic: UDP 500 and UDP 4500

Service
Service
Service group
Service group
10. Configure NAT for requirement #3 – IPSec
NAT-1
NAT-1

Note: The destination Address is the IP of Peer IP, the IP is:10.0.78.8 /32 in my case.

NAT-2
NAT-2
  • Optional: Set Service to ‘Any’ for all applications

    Optional: Service Any
    Optional: Service Any

Palo Alto-NAT/PAT-Overall view of Step 9 and Step 10

NAT/PAT-Overall view of Step 9 and Step 10
NAT/PAT-Overall view of Step 9 and Step 10
11. Policy for LAN/Internet

Since LAN and Internet are two different zones, security policies are required for the traffic. From LAN to Internet:

Security Policy-1
Security Policy-1
Security Policy-2
Security Policy-2
Security Policy-3
Security Policy-3
Security Policy-4
Security Policy-4
12. Security policy for IPSec
Security Policy
Security Policy
13. Verify connectives on all routers

Note: Security policy for Ping traffic in two different Zones, Ping will fail if only the application: ICMP was permitted, the service: ‘Ping’ is also required.

14. Configure IPSec on R6 and R8.

Check all routers configuration from here.

15. On R5, execute ‘ping 8.8.8.8 source 5.5.5.5’
LAN-R5#ping 8.8.8.8 source 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms
LAN-R6#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.78.8 10.0.56.6 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
Internet-R8#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.78.8 10.0.17.3 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
Others
  1. Permit the ICMP traffic to NATed IP for monitoring purpose [Udate @ 2019-02-14]


IPSec Over Palo Alto FW Static NAT


donation

Scan the QR code using WeChat

comments powered by Disqus