BOVPN NAT using single host IP
We are connecting a VPN to a business partner using 1:1 NAT. T45 on our side, Palo Alto on theirs. We need to reach two hosts on two different networks on their end. They have provided a single IP address (10.75.xxx) for us to use for NAT.
I have set up the tunnel route as follows:
Local IP: network IPv4, our trusted network (192.168.1.x)
Remote IP: host IPv4, address of one remote host (10.241.xxx)
NAT: Host IPv4, provided IP (10.75.xxx)
The goal is to have all traffic coming from us look like it's coming from the single 10.75 address, but when I try to save the tunnel I get "Local and 1:1 NAT addresses must be the same type and ranges."
Am I doing something wrong, or does Palo Alto support this setup and not WatchGuard?
Comments
Hi @SCI
1 to 1 NAT is to translate a range of IPs to a different range of IPs.
You want to use Dynamic NAT (DNAT) to translate all of the IPs into one.
The dynamic NAT checkbox in the WatchGuard Firewall's BOVPN config is what you want the network to appear as to the other side (the 10.75.x.x one).
-James Carson
WatchGuard Customer Support
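An added illustration of the distinction in the reply above (not WatchGuard's code and not from either poster): a small Python model of why a 1:1 mapping rejects a network-to-host pair, and how many-to-one dynamic NAT presents every local host as one address. The /24 mask on 192.168.1.x, the address 198.51.100.10 (a constructed stand-in for the masked partner-provided IP) and the port-based tracking are assumptions.

```python
import ipaddress

def one_to_one_nat(local, nat):
    """1:1 NAT model: a local address maps to the NAT address at the same offset."""
    local_net = ipaddress.ip_network(local)
    nat_net = ipaddress.ip_network(nat)
    # A 1:1 mapping is a bijection, so both ranges must hold the same number of addresses.
    if local_net.num_addresses != nat_net.num_addresses:
        raise ValueError("range sizes differ: %d local vs %d NAT"
                         % (local_net.num_addresses, nat_net.num_addresses))
    base_local = int(local_net.network_address)
    base_nat = int(nat_net.network_address)

    def translate(src):
        ip = ipaddress.ip_address(src)
        if ip not in local_net:
            raise ValueError("%s is outside %s" % (src, local_net))
        return str(ipaddress.ip_address(base_nat + int(ip) - base_local))
    return translate

class DynamicNat:
    """Many-to-one source NAT model: all local hosts leave as nat_ip, told apart by port."""
    def __init__(self, local, nat_ip, first_port=1024):
        self.local_net = ipaddress.ip_network(local)
        self.nat_ip = str(ipaddress.ip_address(nat_ip))
        self.next_port = first_port
        self.out = {}    # (src_ip, src_port) -> translated port
        self.back = {}   # translated port -> (src_ip, src_port)

    def outbound(self, src_ip, src_port):
        if ipaddress.ip_address(src_ip) not in self.local_net:
            raise ValueError("%s is outside %s" % (src_ip, self.local_net))
        key = (src_ip, src_port)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("translated port pool exhausted")
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.nat_ip, self.out[key]

    def inbound(self, nat_port):
        # Replies map back to the original host; with no prior outbound
        # flow there is no entry, so the far side cannot start a session.
        return self.back.get(nat_port)

# Constructed sample values (assumptions, see lead-in).
LOCAL_NET = "192.168.1.0/24"
NAT_HOST = "198.51.100.10"
```

In this model the single translated address can only carry sessions started from the local side, which is worth confirming against the direction of traffic the partner expects.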
Thank you, that fixed it. I had looked at Dynamic when this project was first started, but couldn't find any similar wording on the Palo Alto side, so we tried the 1:1.