I have a new tunnel between a Palo Alto and an Azure VPN gateway, but the Palo Alto is NATed behind a router, so its outside interface is not a public WAN IP. Is this supported, or is the Azure VPN gateway going to have issues because the VPN will be coming from a private IP address?
How will it connect out to it?
Just floating an option for you, we have a handful of remote VPNs behind other routers we do not control (mostly home offices) and terminate them to an NVA in Azure.
We found an NVA pretty inexpensive for our situation. Way cheaper than multiple Azure VPN services. Not sure if cheap enough for just one connection.
Yes, it will work.
Last week I built an IPsec tunnel to a Palo Alto firewall that was behind a load balancer.
At the moment an IPsec VPN connection cannot be established when either the Azure VPN gateway or the on-premises side involves NAT. Therefore you cannot have an on-premises VPN device behind a NAT.
However, the IPsec tunnel should work fine if the on-prem device initiates the connection with the NAT device's public IP as the source, which is what is configured on the Azure local network gateway.
Reference article:
NAT Traversal, I think. The Palo Alto has the Azure VPN gateway's external address set as its peer IP, and the Azure VPN gateway has the public IP address of the firewall as its peer IP. But the tunnel will be coming from an RFC 1918 address (192.168.1.x), so I'm wondering if the Azure VPN will fail because it won't be coming from where it expects.
Got any config examples of what to do on the Azure side, or YouTube links of people doing it too?
You can have one behind a NAT device, because I configured it and it's working.
Why would it expect it to come from 192.168.1.x? You are the one typing IPs in boxes.
Will the router be doing DNAT to the backend device for all IPsec packets?
This will work until the on-premises device initiates the connection; during the rekey process, if Azure initiates the connection, this could fail. So, in conclusion, on-premises should always be the initiator.
Our Azure ops people told us that Azure VPN gateways cannot connect to non-public IP peers. I would have thought this would be a common type of VPN connection, but if that's the case I'm happy to tell my customer that they need a separate internet connection. It's my preferred setup anyway for the customer to give my firewall a public IP. Cuts down on the troubleshooting.
I remain a wee bit confused why you don’t just configure the VPN to the router.
I believe it will do NAT-T, though. So, it should work fine. It’s awkward and weird though.
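To make the NAT-T point concrete: an added example, not code from any poster and not Palo Alto or Azure code, that models the IKEv2 NAT-detection check from RFC 7296 section 2.23 with constructed SPIs and documentation-range addresses. The firewall hashes the private address it knows, the responder recomputes the hash over the source it actually saw, and that mismatch is what moves both peers to UDP 4500; it also shows why the NAT'd side is the one that should initiate (and why the router would otherwise need to DNAT the IKE/NAT-T ports inward).

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data carried in NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    (RFC 7296 section 2.23): SHA-1 over SPIi | SPIr | IP address | UDP port."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, network order
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detect(spi_i, spi_r, sender_ip, sender_port, peer_ip, peer_port,
               seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver-side check. The sender hashes the addresses it believes the
    packet carries (its own and the peer's); the receiver recomputes both
    from the packet it actually received. A mismatch means a NAT rewrote it."""
    sent_src = nat_detection_hash(spi_i, spi_r, sender_ip, sender_port)
    sent_dst = nat_detection_hash(spi_i, spi_r, peer_ip, peer_port)
    sender_behind_nat = sent_src != nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port)
    receiver_behind_nat = sent_dst != nat_detection_hash(spi_i, spi_r, my_ip, my_port)
    return sender_behind_nat, receiver_behind_nat


def palo_alto_to_azure():
    """Constructed topology: firewall outside interface 192.168.1.10 behind a
    router that source-NATs to 203.0.113.10; Azure gateway at 198.51.100.20.
    In the IKE_SA_INIT request the responder SPI is still all zeros."""
    spi_i = bytes.fromhex("0011223344556677")  # constructed initiator SPI
    spi_r = bytes(8)
    initiator_natted, responder_natted = nat_detect(
        spi_i, spi_r,
        sender_ip="192.168.1.10", sender_port=500,      # what the firewall hashes
        peer_ip="198.51.100.20", peer_port=500,
        seen_src_ip="203.0.113.10", seen_src_port=500,  # what Azure actually sees
        my_ip="198.51.100.20", my_port=500)
    # Only the side behind the NAT can reliably create the UDP mapping, so it
    # should initiate and send NAT keepalives; the other side can only reach
    # it on its own if the router DNATs UDP 500/4500 to the firewall.
    return {
        "nat_traversal": initiator_natted or responder_natted,  # both move to UDP 4500
        "initiator_behind_nat": initiator_natted,
        "responder_behind_nat": responder_natted,
        "should_initiate": "on-prem" if initiator_natted and not responder_natted else "either",
    }
```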
It's the customer's router; they are just providing us internet.
There’s almost no way I would choose a VPN-based solution for an on-prem deliverable like this to external customers where you cannot predict or control their network.
I mean, I guess it depends what it is. Is this an application you’re providing? Or like, infrastructure or something for phones or something?
In the first, I almost always use something akin to Hybrid connections. Usually my own rolled from Service Bus.
You’re going to need to set up a lab and test the VPN I think.
I’ve had to maintain crap like this to stuff like State governments. It’s never a good idea, I find. It always breaks. They blame you.