Krishna
Ivory

The NAT issue on CP firewall deployed in the Azure

We have built a tunnel between the CP firewall (FW1) in Azure and a CP firewall (FW2) on-premises.

FW1 is a cluster and has two gateways in it. The IP of gateway 1 is 10.10.10.4, the IP of gateway 2 is 10.10.10.5 and the IP of the cluster is 10.10.10.6. Gateway 1 is active.

The tunnel initiation traffic/Phase 1 traffic is sent by FW2 from port 500 to port 500 of FW1.

We did a packet capture on gateway 1 of FW1 and found that FW1 is receiving the traffic sent by FW2 on the cluster IP; both source and destination ports are 500.

Gateway 1 of FW1 replies to FW2 from port 500 to port 500 of FW2.

In the next packet, while the gateway 1 IP is getting translated to the cluster IP, i.e. from 10.10.10.4 to 10.10.10.6, the source port is also getting translated from port 500 to a random port. Below are the logs collected from gateway 1:

[vs_0][fw_0] eth0:o[180]: X.X.X.X -> 10.10.10.6 (UDP) len=180 id=20396
UDP: 500 -> 500
[vs_0][fw_0] eth0:o[180]: 10.10.10.4 -> X.X.X.X (UDP) len=180 id=10087
UDP: 500 -> 500
[vs_0][fw_0] eth0:O[180]: 10.10.10.6 -> X.X.X.X (UDP) len=180 id=10087
UDP: 12410 -> 500

Due to this, phase 1 of the tunnel is not getting established and the tunnel is not forming. Kindly provide a solution to this.

0 Kudos
3 Replies
Admin
Admin

Re: The NAT issue on CP firewall deployed in the Azure

Curious what evidence you have to suggest this change of port is causing the issue?
What do logs or VPN debugs say?
0 Kudos
Krishna
Ivory

Re: The NAT issue on CP firewall deployed in the Azure

The Phase 1 packets for the tunnel are exchanged between ports 500 or 4500 on both ends; as the port is getting changed to something other than these two, the other end firewall will ignore/drop the phase 1 traffic.
0 Kudos
Krishna
Ivory

Re: The NAT issue on CP firewall deployed in the Azure

The issue got resolved after a no-NAT rule was created for the cluster IP. Below is the no-NAT rule added.

Original Source: Cluster IP
Original Destination: Any
Original Port: IKE

Translated Source: Cluster IP
Translated Destination: Original
Translated Port: Original
0 Kudos
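As an added diagnostic that is not part of the thread, the following Python script parses fw monitor style lines like those quoted in the original post, pairs the pre-outbound-NAT (o) and post-outbound-NAT (O) records by IP id, and flags any IKE packet whose UDP source port was rewritten, which is the symptom the no-NAT rule above removes. The sample capture is constructed from the quoted lines, and the inspection-point letters and line format are assumed to follow that quoted output.

```python
import re
from collections import defaultdict

# Constructed fw monitor sample, modelled on the lines quoted in the thread;
# X.X.X.X stands for the redacted on-premises peer address.
SAMPLE_CAPTURE = """\
[vs_0][fw_0] eth0:o[180]: X.X.X.X -> 10.10.10.6 (UDP) len=180 id=20396
UDP: 500 -> 500
[vs_0][fw_0] eth0:o[180]: 10.10.10.4 -> X.X.X.X (UDP) len=180 id=10087
UDP: 500 -> 500
[vs_0][fw_0] eth0:O[180]: 10.10.10.6 -> X.X.X.X (UDP) len=180 id=10087
UDP: 12410 -> 500
"""
IKE_PORTS = {500, 4500}  # IKE and IKE NAT-T: the peer expects these unchanged
# Inspection point o = before outbound NAT, O = after outbound NAT (assumed format)
HEADER_RE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\] \w+:(?P<point>[iIoO])\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)")
PORT_RE = re.compile(r"^(?:UDP|TCP): (?P<sport>\d+) -> (?P<dport>\d+)")

def parse_capture(text):
    """Pair each header line with the 'proto: sport -> dport' line after it."""
    packets, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = m.groupdict()
            current["id"] = int(current["id"])
            packets.append(current)
        elif (m := PORT_RE.match(line)) and current is not None:
            current["sport"], current["dport"] = int(m["sport"]), int(m["dport"])
    return packets

def find_ike_port_rewrites(packets):
    """Flag IKE packets whose source port changed between the o and O points."""
    by_id = defaultdict(dict)
    for p in packets:
        if "sport" in p:
            by_id[p["id"]][p["point"]] = p
    findings = []
    for pkt_id, points in sorted(by_id.items()):
        pre, post = points.get("o"), points.get("O")
        if not (pre and post) or pre["proto"] != "UDP" or pre["sport"] not in IKE_PORTS:
            continue
        if post["sport"] != pre["sport"]:  # hide NAT rewrote the IKE source port
            findings.append({"id": pkt_id, "pre_src": pre["src"], "post_src": post["src"],
                             "pre_sport": pre["sport"], "post_sport": post["sport"]})
    return findings
```

Running `find_ike_port_rewrites(parse_capture(SAMPLE_CAPTURE))` on the sample reports the single packet id 10087 hidden behind 10.10.10.6 with its source port changed from 500 to 12410; the inbound packet (id 20396) has no post-NAT record and is ignored.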