https://live.paloaltonetworks.com/t5/expedition-discussions/migrating-from-cisco-asa-strange-dnat-rules/m-p/448653#M3742 <P>Hi all,</P> <P>I'm trying to migrate configuration from Cisco ASA to Palo Alto NGFW using Expedition.</P> <P>In the security policy I see a lot of strange rules with word "DNAT" prepended in a name and in a tag. These rules always placed immediately after some legitimate access rule and duplicate it almost exactly except:</P> <P>- Destination IP is different</P> <P>- Service field has value 'null' (which of course causes Palo Alto to fails validation of those rules when I import configuration from Expedition).</P> <P><BR />I assume that those rules have something to do with NAT policy, but it is really unclear what exactly and I cannot find any article in the Expedition documentation that will explain what it is trying to do by creating such rules.</P> <P>I attached screenshot with the example of such rule.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-11-19 14_50_45-Window.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37747i189ECB1241E4CBB4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2021-11-19 14_50_45-Window.png" alt="2021-11-19 14_50_45-Window.png" /></span></P> <P>If someone had similar problem, please give me a clue as to what am I looking at here.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 19 Nov 2021 11:51:43 GMT ay.marusov 2021-11-19T11:51:43Z https://live.paloaltonetworks.com/t5/expedition-discussions/migrating-from-cisco-asa-strange-dnat-rules/m-p/448653#M3742 <P>Hi all,</P> <P>I'm trying to migrate configuration from Cisco ASA to Palo Alto NGFW using Expedition.</P> <P>In the security policy I see a lot of strange rules with word "DNAT" prepended in a name and in a tag. These rules always placed immediately after some legitimate access rule and duplicate it almost exactly except:</P> <P>- Destination IP is different</P> <P>- Service field has value 'null' (which of course causes Palo Alto to fails validation of those rules when I import configuration from Expedition).</P> <P><BR />I assume that those rules have something to do with NAT policy, but it is really unclear what exactly and I cannot find any article in the Expedition documentation that will explain what it is trying to do by creating such rules.</P> <P>I attached screenshot with the example of such rule.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-11-19 14_50_45-Window.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37747i189ECB1241E4CBB4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2021-11-19 14_50_45-Window.png" alt="2021-11-19 14_50_45-Window.png" /></span></P> <P>If someone had similar problem, please give me a clue as to what am I looking at here.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 19 Nov 2021 11:51:43 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/migrating-from-cisco-asa-strange-dnat-rules/m-p/448653#M3742 ay.marusov 2021-11-19T11:51:43Z https://live.paloaltonetworks.com/t5/expedition-discussions/migrating-from-cisco-asa-strange-dnat-rules/m-p/448729#M3747 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/193467">@ay.marusov</a>&nbsp; The DNAT rule is auto created based on your NAT policy, if you double click on the rule and go to "Warning" tab , it will show you which NAT rules associate with this security rule, same thing, you can go to NAT rule and double click on the the NAT rule and go to "Security Rules Match" , it will show you the matching security rules for the NAT rule.&nbsp;</P> Fri, 19 Nov 2021 18:22:27 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/migrating-from-cisco-asa-strange-dnat-rules/m-p/448729#M3747 lychiang 2021-11-19T18:22:27Z