Wednesday, 29 April 2026

can't nat on VTI interface used in a VPN on FTD

 https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/network_address_translation_nat_for_firepower_threat_defense.html



  • You cannot write NAT rules for a Virtual Tunnel Interface (VTI), which are used in site-to-site VPN. Writing rules for the VTI's source interface will not apply NAT to the VPN tunnel. To write NAT rules that will apply to VPN traffic tunneled on a VTI, you must use "any" as the interface; you cannot explicitly specify interface names.

Tuesday, 7 April 2026

palo alto azure VPN issues

Had some issues with Palo Alto <> Azure VPN. The firewall was blocking the VPN traffic due to a rule change. Azure gives up after a while and goes into idle mode; it needs to be restarted on the Azure end.


1 - If the Azure VPN starts getting blocked by the firewall, after some time Azure gives up and goes into an idle mode, and it has to be restarted on the Azure end for the VPN to try again.

2 - The ISAKMP (UDP 500) session stays open on the Palo Alto even through phase 1 (p1) re-keys. Check the session browser for your peer IP on UDP port 500; you may need to clear it.

clear session all filter destination x.x.x.x

clear session all filter source x.x.x.x

3 - Related to the above: if the rule that allows the UDP traffic is set to log at session end, you won't see the new traffic being initiated; set the rule to log at session start.

4 - We saw the Azure IP showing with a geolocation of "EU". I'm guessing it's related to their HA.

show location ip x.x.x.x
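As an added example (not part of the original post, and not a Palo Alto tool), the checks behind steps 1 to 3 can be scripted against exported data: find denied IKE/ESP entries for the peer after the rule change, spot allow rules that only ever produce end-of-session entries (the "log at end" blind spot), and flag a UDP 500 session that has outlived the phase 1 lifetime and is a candidate for `clear session`. The CSV layout, IP addresses, rule names and ages below are constructed for illustration and are not the real PAN-OS export format.

```python
"""Triage constructed Palo Alto-style traffic-log and session extracts for a
site-to-site VPN peer.  Added example; the column layout is an assumption
for illustration, not PAN-OS's real CSV format."""
import csv
import io

IKE_PORTS = {500, 4500}

# Constructed, simplified traffic-log extract: one row per entry, 'subtype'
# is whether the entry was written at session start or session end.
SAMPLE_TRAFFIC_LOG = """\
time,subtype,src,dst,proto,dport,action,rule
2026-04-07 08:00:01,start,203.0.113.10,198.51.100.5,udp,500,allow,allow-ike
2026-04-07 08:00:02,start,203.0.113.10,198.51.100.5,udp,4500,allow,allow-ike
2026-04-07 09:15:30,end,203.0.113.10,198.51.100.5,udp,4500,deny,deny-all
2026-04-07 09:16:00,end,203.0.113.10,198.51.100.5,esp,0,deny,deny-all
2026-04-07 09:17:00,end,203.0.113.10,198.51.100.5,udp,500,allow,allow-ike-old
"""

# Constructed session-browser extract: session id, endpoints, protocol,
# destination port and session age in seconds.
SAMPLE_SESSIONS = """\
id,src,dst,proto,dport,age
1001,203.0.113.10,198.51.100.5,udp,500,54000
1002,203.0.113.10,198.51.100.5,udp,4500,120
"""


def parse_csv(text):
    """Parse a CSV extract into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def involves_peer(row, peer):
    return peer in (row["src"], row["dst"])


def is_vpn_traffic(row):
    """IKE (UDP 500 / 4500) or ESP, i.e. the tunnel's control and data planes."""
    proto = row["proto"].lower()
    return proto == "esp" or (proto == "udp" and int(row["dport"]) in IKE_PORTS)


def denied_vpn_traffic(records, peer):
    """(time, proto, dport, rule) for every denied IKE/ESP entry with the peer:
    this is what a bad rule change looks like before Azure gives up."""
    return [(r["time"], r["proto"], int(r["dport"]), r["rule"])
            for r in records
            if involves_peer(r, peer) and is_vpn_traffic(r) and r["action"] == "deny"]


def rules_logging_only_at_end(records, peer):
    """Allow rules that produced end-of-session entries for the peer's IKE/ESP
    traffic but never a start entry.  New IKE attempts through such a rule are
    invisible until the session closes, hence the advice to log at start."""
    starts, ends = set(), set()
    for r in records:
        if involves_peer(r, peer) and is_vpn_traffic(r) and r["action"] == "allow":
            (starts if r["subtype"] == "start" else ends).add(r["rule"])
    return sorted(ends - starts)


def stale_ike_sessions(sessions, peer, p1_lifetime_seconds):
    """UDP 500 sessions with the peer older than the phase 1 lifetime: the
    stuck ISAKMP session the post clears with 'clear session all filter'."""
    return [s["id"] for s in sessions
            if involves_peer(s, peer) and s["proto"].lower() == "udp"
            and int(s["dport"]) == 500 and int(s["age"]) > p1_lifetime_seconds]


def triage(peer, log_text=SAMPLE_TRAFFIC_LOG, session_text=SAMPLE_SESSIONS,
           p1_lifetime_seconds=28800):
    """Run all three checks and return the findings as one dict."""
    records = parse_csv(log_text)
    sessions = parse_csv(session_text)
    return {
        "denied": denied_vpn_traffic(records, peer),
        "log_at_end_only": rules_logging_only_at_end(records, peer),
        "stale_ike_sessions": stale_ike_sessions(sessions, peer, p1_lifetime_seconds),
    }


if __name__ == "__main__":
    for key, value in triage("203.0.113.10").items():
        print(f"{key}: {value}")
```

The phase 1 lifetime defaults to 8 hours (28800 s) in `triage`; pass the value configured on the IKE gateway so the stale-session check matches the real re-key interval.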