Hello PANguros, how's it going, I hope it's going well.
Thanks in advance for your time, good vibes and cooperation as always.
I have a question about the following doubt.
Soon I have to generate a Site to Site VPN connection, between a Palo Alto On-prem and another Palo Alto that is in AWS.
I understand that the Palo Alto on the AWS side does not have a public IP directly on its interface; instead, AWS does a mapping between the public IP and the private IP of what they call the public subnet. I understand that this is like a 1:1 DNAT/NAT that AWS then does between that resource and the Palo Alto untrust interface on AWS.
Now my doubt: does that mean that, when building the tunnel between the on-prem PA, which has a public IP directly on its WAN/Untrust interface, and the Palo Alto in AWS, it must be configured as if it were done with a device that is behind a NAT, that is to say, using NAT traversal?
Firewall01 On-prem ----Public IP on Untrust Interface -----------Internet-------------IPSEC VPN-------------AWS Public IP---------- Mapping Public IP to Private IP of the PA on AWS------ IP/Interface Untrust PA on AWS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC
Traversal is supposed to apply when you are behind a NAT, but when we understand that the UDP 500 arrives at that edge device, what does the NAT do? NAT traversal will then forward the UDP 4500 to the internal device. But in this case you have an example where no NAT-Traversal was used at either end, with one end at AWS, and it operates without problems, without using NAT-Traversal, but, as you say, using Peer Identification and Local Identification. Now I have great confusion, because I see that in this link, in the step by step, they do not enable NAT-T and it works perfectly; that is why I now have a great doubt regarding the 1:1 NAT or the mapping that AWS does. Because here I see that they do not enable it and it works perfectly.
This link, AWS Palo Alto Site to Site VPN:
So it should be configured similar to this, right? As against a NAT traversal? Many AWS experts tell me that as such this mapping is 1:1, but it is not a 1:1 NAT, which is why NAT-T would not be necessary. If you look at the link, they make the site-to-site communication without problems and without using NAT-T at either of the 2 ends; that's why I'm confused.
Has anyone had experience configuring an IPSEC VPN against a Palo Alto in AWS?
Thanks for your time, good vibes and cooperation as always.
I remain attentive, best regards
I have similar experience with Azure.
The 1:1 mapping may be seen on the other side as NAT, due to the IP mismatch in the IPsec header.
Using IKEv2 will take away most troubles in this regard, as IKEv2 has built-in NAT traversal mechanisms. Do make sure to use the local end peer identifier, as that is required due to the interface IP on the AWS side not matching the public IP.
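To see why the reply above says the 1:1 mapping "may be seen on the other side as NAT", here is an added Python example (not from this thread, AWS, or Palo Alto Networks) of the IKEv2 NAT detection check from RFC 7296 section 2.23: each peer hashes the IP and port it believes it is sending from, and the receiver compares that hash with the source address it actually saw on the wire. The SPIs and addresses below are constructed; the AWS-side untrust IP and Elastic IP are placeholders for the private/public pair AWS maps 1:1.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    # RFC 7296 section 2.23: NAT_DETECTION_*_IP data is SHA-1(SPIi | SPIr | IP | port),
    # with the address and port in network byte order. Both peers take the SPIs from the
    # same IKE header, so the only inputs that can differ are the IP and port.
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def peer_behind_nat(spi_i: bytes, spi_r: bytes, advertised: tuple, observed: tuple) -> bool:
    """advertised = (ip, port) the sender hashed into NAT_DETECTION_SOURCE_IP (its own
    interface address); observed = (ip, port) the packet actually arrived from.
    Any mismatch means something rewrote the address in transit, i.e. a NAT."""
    sent = nat_detection_hash(spi_i, spi_r, *advertised)
    seen = nat_detection_hash(spi_i, spi_r, *observed)
    return sent != seen


# Constructed scenario: documentation/private ranges only, not real peers.
ONPREM_PUBLIC = "198.51.100.1"     # on-prem PA: public IP configured directly on untrust
AWS_UNTRUST_PRIVATE = "10.0.1.10"  # AWS PA: private IP on the untrust interface
AWS_ELASTIC_IP = "203.0.113.10"    # Elastic IP that AWS maps 1:1 onto that private address
IKE_PORT = 500
SPI_I = bytes.fromhex("0011223344556677")  # constructed initiator SPI
SPI_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder SPI


def aws_scenario() -> dict:
    # On-prem receives IKE from AWS: the AWS PA hashed its private interface IP, but after
    # the 1:1 mapping the packet's source is the Elastic IP -> hashes differ -> on-prem
    # concludes "peer is behind NAT" and switches to UDP 4500 (IKEv2 does this automatically).
    aws_seen_as_natted = peer_behind_nat(
        SPI_I, SPI_R, (AWS_UNTRUST_PRIVATE, IKE_PORT), (AWS_ELASTIC_IP, IKE_PORT))
    # AWS receives IKE from on-prem: hashed IP equals the wire source IP -> no NAT detected.
    onprem_seen_as_natted = peer_behind_nat(
        SPI_I, SPI_R, (ONPREM_PUBLIC, IKE_PORT), (ONPREM_PUBLIC, IKE_PORT))
    return {"aws_peer_behind_nat": aws_seen_as_natted,
            "onprem_peer_behind_nat": onprem_seen_as_natted}


if __name__ == "__main__":
    print(aws_scenario())
```

The same mismatch is why the reply insists on setting the local peer identifier on the AWS side: with the IKE ID left at its default (the interface IP), the on-prem firewall would see an ID of the private address from a packet sourced at the public one.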