https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/source-and-destination-both-nat-required-for-inbound-connection/m-p/402576#M1174 <P>Hi Team,</P><P>&nbsp;</P><P>On public cloud Azure, why we need to translate source address also for Destination NAT?</P><P>When i am translating source with trust interface IP it is working fine but when i am keeping the address as original it is not working.&nbsp;</P><P>Kindly let me know is there any limitation on Public cloud for that we require source translation as well?</P><P>&nbsp;</P><P>Regards,</P><P>Om Prasad&nbsp;</P> Wed, 28 Apr 2021 04:24:39 GMT omprasadax 2021-04-28T04:24:39Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/source-and-destination-both-nat-required-for-inbound-connection/m-p/402576#M1174 <P>Hi Team,</P><P>&nbsp;</P><P>On public cloud Azure, why we need to translate source address also for Destination NAT?</P><P>When i am translating source with trust interface IP it is working fine but when i am keeping the address as original it is not working.&nbsp;</P><P>Kindly let me know is there any limitation on Public cloud for that we require source translation as well?</P><P>&nbsp;</P><P>Regards,</P><P>Om Prasad&nbsp;</P> Wed, 28 Apr 2021 04:24:39 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/source-and-destination-both-nat-required-for-inbound-connection/m-p/402576#M1174 omprasadax 2021-04-28T04:24:39Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/source-and-destination-both-nat-required-for-inbound-connection/m-p/402587#M1175 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/169026">@omprasadax</a>&nbsp;</P><P>This mainly depends on how the routing is configured. Azure is very kind and adds routes of peered vNets and so on. Unfortunately this is not what we need when using a NVA.</P><P>Check the effective route on the servers, and overwrite the routing accordingly. Asynchronous routing has to be prevented.</P> Wed, 28 Apr 2021 05:47:22 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/source-and-destination-both-nat-required-for-inbound-connection/m-p/402587#M1175 JoergSchuetter 2021-04-28T05:47:22Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/source-and-destination-both-nat-required-for-inbound-connection/m-p/402668#M1177 <P>It's due to the return path routing.&nbsp; If you were using a single firewall or an HA pair, you would need to have your 0/0 route pointing back to the firewall to maintain symmetry.&nbsp; Typically, it is recommended to use an App Gateway in front of the firewalls which can insert the XFF header if the traffic is HTTP.</P> Wed, 28 Apr 2021 12:23:59 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/source-and-destination-both-nat-required-for-inbound-connection/m-p/402668#M1177 jmeurer 2021-04-28T12:23:59Z