Palo Alto Policy-based Site to Site VPN with NAT [2024]

Подписаться 3,3 тыс.

Просмотров 1,8 тыс.

50% 1

In this video we'll configure together a Policy-Based Site to Site VPN with Network Address Translation (NAT) on the Palo Alto Networks firewalls.
As a disclaimer, I personally prefer configuring route-based instead of policy-based VPN, if I have the choice. Sometimes, though, it's just technically not possible, there are times that your partner's device on the other side of the tunnel doesn't support route-based VPN.
🌐 Useful Links
Route-based VPN and detailed description of site2site VPN: • Palo Alto VPN - Site t...
Palo Alto Training (preparation for PCNSA): netsums.com/tr...
NETSums Resources: netsums.com/re...
👍 Like, Share, and Subscribe for More:
If you find this tutorial helpful, don't forget to give it a thumbs up, share it with your colleagues, and subscribe to our channel for more in-depth tutorials on network security and technology best practices.
🔗 Connect with Us:
If you have questions, suggestions, or any kind of feedback, please don't hesitate to comment below! We will reply as soon as possible.
#PaloAlto #NetworkSecurity #Tutorial #itsecurity #IdentityManagement #paloaltofirewall #paloaltonetworks #firewall

Опубликовано:

3 окт 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 15

@bhaiyaaradhya9072 4 месяца назад

@NETSums Please upload a video regarding BGP over IPSec tunnel.

@netsums 4 месяца назад

It's a good idea, we haven't done a video with dynamic routing so far. Thank you for the suggestion!

@shakarchy 4 месяца назад

thank you so much; you are all the time bring new ways and knowledge for security and best practices together; I have a question, can we in site to the site allow one site to use the other site's internet, same as if we do a tunnel in GP and add the remote user to outside nat?

@netsums 4 месяца назад

Thank you for the comment! Yes, it's possible, you just need to configure the routing to send the internet traffic through the tunnel. If you're using policy based vpn, you need to configure the proxy ids accordingly. I hope I could help.

@kalibygomes3443 5 месяцев назад

Excelente vídeo, muito obrigado!!!

@netsums 5 месяцев назад

Um abraço!

@bhaiyaaradhya9072 4 месяца назад

@NETSums Please upload a video configuring Zone Protection.

@fantasycuber5056 4 месяца назад

Great video as always Could you also do a video on how to troubleshoot VPNs

@netsums 4 месяца назад

Hi. I will keep it in mind

@sidalpha2000 4 месяца назад

GP having ipv6 issues, can you do a video

@netsums 4 месяца назад

Do you mean GlobalProtect? Just asking, because this video was not about GlobalProtect. :-) I will keep that in mind.

@Leokev123 25 дней назад

Thanks for the video. If i dont want to NAT my local devices. So example, your ubuntu server is 10.0.1.17, i will just put 10.0.1.0/24 in the local ID under proxy ID right?

@netsums 23 дня назад

Yes, that's it. Just use the physical IP from the server in the proxy ID (or the network as you mentioned).

@hanamynetwork 4 месяца назад

Thank you for the video. I have an issue. I cannot ping the subnet on the other ipsec site. Currently I enabled the NAT Traversal because my internet connection is behind a rounter. My PA is using DHCP for the WAN connection. Do you have any solution where should I look to make it work?

@netsums 4 месяца назад

Is the VPN connection coming up? If yes, do you see the pings in the Traffic Tab (Monitor) on the remote firewall? Is one firewall configured as passive (because of DHCP)? If yes, this firewall won't be able to start a S2S connection. If you see the pings on the remote firewall, try capturing the packets there to see if the firewall receives an answer from the pings.