NAT and Site-to-Site VPN

When you create a policy-based site-to-site VPN using the management center VPN wizard (Device > Site To Site), you can select the NAT Exempt option to create the rules automatically. You can view the NAT exemptions for a device in the NAT policy page (Device > NAT > NAT Exemptions). If you do not want to configure NAT Exempt in the VPN wizard, you can use the following procedure for NAT exemption.

The following figure shows a site-to-site tunnel connecting the Boulder and San Jose offices. For traffic that you want to go to the Internet (for example, from 10.1.1.6 in Boulder to www.example.com), you need a public IP address provided by NAT to access the Internet. The example below uses interface PAT rules. However, for traffic that you want to go over the VPN tunnel (for example, from 10.1.1.6 in Boulder to 10.2.2.78 in San Jose), you do not want to perform NAT; you need to exempt that traffic by creating an identity NAT rule. Identity NAT simply translates an address to the same address.

Figure: Interface PAT and Identity NAT for Site-to-Site VPN

The following example explains the configuration for Firewall1 (Boulder).

Before you begin

Ensure that you have interface objects (security zones or interface groups) that contain the interfaces for the devices in the VPN. In this example, we will assume the interface objects are security zones named inside-boulder and outside-boulder for the Firewall1 (Boulder) interfaces. To configure interface objects, select Objects > Object Management, then select Interfaces.

Procedure


Step 1

Create the objects to define the various networks.

  1. Choose Objects > Object Management.

  2. Select Network from the table of contents and click Add Network > Add Object.

  3. Identify the Boulder inside network.

    Name the network object (for example, boulder-network) and enter the network address, 10.1.1.0/24.

  4. Click Save.

  5. Click Add Network > Add Object and define the inside San Jose network.

    Name the network object (for example, sanjose-network) and enter the network address 10.2.2.0/24.

  6. Click Save.

Step 2

Configure manual identity NAT for the Boulder network when going over the VPN to San Jose on Firewall1 (Boulder).

  1. Select Devices > NAT and create or edit the threat defense NAT policy.

  2. Click Add Rule.

  3. Configure the following properties:

    • NAT Rule = Manual NAT Rule.

    • Type = Static.

  4. On Interface Objects, configure the following:

    • Source Interface Objects = inside-boulder.

    • Destination Interface Objects = outside-boulder.

  5. On Translation, configure the following:

    • Original Source = boulder-network object.

    • Translated Source > Address = boulder-network object.

    • Original Destination > Address = sanjose-network object.

    • Translated Destination = sanjose-network object.

      Note

      Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the original and translated destination addresses. Leave all of the port fields blank. This rule configures identity NAT for both source and destination.

  6. On Advanced, select Do not proxy ARP on Destination interface.

  7. Click Save.

Step 3

Configure manual dynamic interface PAT when going to the Internet for the inside Boulder network on Firewall1 (Boulder).

  1. Click Add Rule.

  2. Configure the following properties:

    • NAT Rule = Manual NAT Rule.

    • Type = Dynamic.

    • Insert Rule = any position after the first rule. Because this rule will apply to any destination address, the rule that uses sanjose-network as the destination must come before this rule, or the sanjose-network rule will never be matched. The default is to place new manual NAT rules at the end of the "NAT Rules Before Auto NAT" section.

  3. On Interface Objects, configure the following:

    • Source Interface Objects = inside-boulder.

    • Destination Interface Objects = outside-boulder.

  4. On Translation, configure the following:

    • Original Source = boulder-network object.

    • Translated Source = Destination Interface IP. This option configures interface PAT using the interface contained in the destination interface object.

    • Original Destination > Address = any (leave blank).

    • Translated Destination = any (leave blank).

  5. Click Save.

Step 4

If you are also managing Firewall2 (San Jose), you can configure similar rules for that device.

  • The manual identity NAT rule would be for sanjose-network when the destination is boulder-network. Create new interface objects for the Firewall2 inside and outside networks.

  • The manual dynamic interface PAT rule would be for sanjose-network when the destination is "any."
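The following Python model is an added illustration and is not Cisco code or part of this procedure. It models the two Firewall1 rules from Steps 2 and 3 as a first-match table, so you can see why the rule order called out in Step 3 matters: with the interface PAT rule above the identity rule, traffic from 10.1.1.6 to 10.2.2.78 is PATed to the outside address and would never match the VPN crypto map as intended. It also renders each rule as the ASA-style line you would expect to see in the device's running NAT configuration. The interface nameifs "inside" and "outside", the outside address 203.0.113.1 and the Internet host 198.51.100.10 are constructed assumptions; the zone and object names are the ones used in the procedure.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of first-match manual NAT evaluation; not FMC/FTD code.
# Zone and object names come from the procedure; the FTD interface nameifs
# "inside"/"outside" used for the CLI rendering are an assumption.


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    src_obj: str                               # Original Source object name
    orig_src: ipaddress.IPv4Network
    dst_obj: Optional[str]                     # Original Destination object, None = any
    orig_dst: Optional[ipaddress.IPv4Network]
    action: str                                # "identity" or "interface-pat"

    def matches(self, src_zone: str, dst_zone: str,
                src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and src_ip in self.orig_src
                and (self.orig_dst is None or dst_ip in self.orig_dst))

    def to_cli(self, src_nameif: str, dst_nameif: str) -> str:
        """Render the rule as the ASA-style NAT line FTD shows in its running configuration."""
        if self.action == "identity":
            return (f"nat ({src_nameif},{dst_nameif}) source static {self.src_obj} {self.src_obj} "
                    f"destination static {self.dst_obj} {self.dst_obj} no-proxy-arp")
        return f"nat ({src_nameif},{dst_nameif}) source dynamic {self.src_obj} interface"


def apply_nat(rules: List[NatRule], src_zone: str, dst_zone: str,
              src_ip: str, dst_ip: str, outside_ip: str) -> Tuple[Optional[str], str]:
    """Return (matched rule name, translated source address) for the first matching rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, s, d):
            # Identity NAT keeps the source; interface PAT replaces it with the egress interface address.
            return rule.name, (str(s) if rule.action == "identity" else outside_ip)
    return None, str(s)  # no manual rule matched; auto NAT or no translation would apply


BOULDER = ipaddress.ip_network("10.1.1.0/24")
SANJOSE = ipaddress.ip_network("10.2.2.0/24")

# Step 2: identity NAT for Boulder -> San Jose over the tunnel.
VPN_IDENTITY = NatRule("identity-to-sanjose", "inside-boulder", "outside-boulder",
                       "boulder-network", BOULDER, "sanjose-network", SANJOSE, "identity")
# Step 3: interface PAT for Boulder -> any other destination.
INTERNET_PAT = NatRule("pat-to-internet", "inside-boulder", "outside-boulder",
                       "boulder-network", BOULDER, None, None, "interface-pat")

CORRECT_ORDER = [VPN_IDENTITY, INTERNET_PAT]   # Step 2 rule above the Step 3 rule
WRONG_ORDER = [INTERNET_PAT, VPN_IDENTITY]     # PAT rule first: it shadows the exemption

OUTSIDE_IP = "203.0.113.1"       # constructed placeholder for Firewall1's outside address
INTERNET_HOST = "198.51.100.10"  # constructed stand-in for www.example.com


def translate_flows(rules: List[NatRule]) -> dict:
    """Translate the two flows from the page: 10.1.1.6 -> 10.2.2.78 (VPN) and 10.1.1.6 -> Internet."""
    return {
        "vpn": apply_nat(rules, "inside-boulder", "outside-boulder", "10.1.1.6", "10.2.2.78", OUTSIDE_IP),
        "internet": apply_nat(rules, "inside-boulder", "outside-boulder", "10.1.1.6", INTERNET_HOST, OUTSIDE_IP),
    }


if __name__ == "__main__":
    for label, order in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, translate_flows(order))
    for rule in CORRECT_ORDER:
        print(rule.to_cli("inside", "outside"))
```

Running the block prints that the VPN flow keeps its 10.1.1.6 source only when the identity rule is listed first; in the reversed order the same flow is PATed to the outside address, which is the symptom to look for when a tunnel builds but inside-to-inside traffic never crosses it. The `to_cli` output gives you the lines to compare against the deployed NAT configuration on the device.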