https://live.paloaltonetworks.com/t5/general-articles/understanding-source-nat-address-types/ta-p/518269 <DIV class="lia-message-template-content-zone"> <P><SPAN>&nbsp;</SPAN><STRONG><EM><I data-stringify-type="italic">This article is based on a discussion,&nbsp;<SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/source-nat-with-pool/m-p/517061" target="_blank" rel="noopener">Source NAT with Pool</A>,</SPAN></I><I data-stringify-type="italic">&nbsp;posted by<SPAN>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139105">@nattapong_thi</a>.</SPAN></I><I data-stringify-type="italic">&nbsp;Read on to see the guidance from<SPAN>&nbsp;Cyber Elite&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130" target="_blank" rel="noopener">@Astardzhiev</A>!</SPAN></I></EM></STRONG></P> <P>&nbsp;</P> <BLOCKQUOTE> <P>For example, we use 110.110.110.0/24 as internet facing interface</P> <P>&nbsp;</P> <P>What is the difference between</P> <P>110.110.110.30/<STRONG>24</STRONG> and 110.110.110.30/<STRONG>32</STRONG></P> <P>&nbsp;</P> <P>Which one is correct? When I configure a /24 it seems there's a conflict displayed</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nattapong_thi_0-1665113789364.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44446i95234FF10EE7EF22/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="nattapong_thi_0-1665113789364.png" alt="nattapong_thi_0-1665113789364.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nattapong_thi_1-1665113853182.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44447i063BBB3A5CE39840/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="nattapong_thi_1-1665113853182.png" alt="nattapong_thi_1-1665113853182.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> </BLOCKQUOTE> <H2 id="toc-hId-1731577820"><FONT color="#FF6600"><STRONG>Solution:</STRONG></FONT></H2> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139105">@nattapong_thi</a>,</P> <P>When you use Dynamic IP and Port for source nat, you have two options for defining what address to be used for translation:</P> <P>- Interface address - if you select this one, you tell the firewall to use the IP assigned to that particular interface to be used for translation. In this case firewall will translate all internal sources to single IP - the one configured on selected interface. On other words this is many-to-one translation</P> <P>- Translated address - if you select this one, firewall is expecting you to configure valid IP pool that it will use for translation. In this case you define how big is the pool. If you use /32 prefix, this means that pool consist of single IP and it is again same as many-to-one translation. If you use /24 prefix this means that pool has 255 available addresses, which firewall can use for translation - this is many-to-many translation.</P> <P>&nbsp;</P> <P>110.110.110.30/32 is valid configuration, because /32 prefix define range of single IP</P> <P>110.110.110.30/24 is not valid configuration, because /24 prefix define range of 255 IP addresses, so the .30 is not the beginning of the prefix, but represent a host in that range.</P> <P>&nbsp;</P> <P>When you are configure your outside interface with 110.110.110.30/24 this is now valid, because you tell that FW is assigned with IP .30 from a /24 network, from which firewall can identify the length of the network, network mask etc.</P> <P>&nbsp;</P> <P>In your specific case you can use either of the two:</P> <P>- Use "Interface address" for address type and select the interface of the outside/untrust interface.</P> <P>- Use "translated address" for type and enter /32 pool</P> <P>&nbsp;</P> </BLOCKQUOTE> <P>&nbsp;</P> </DIV> Tue, 08 Nov 2022 16:42:51 GMT JayGolf 2022-11-08T16:42:51Z https://live.paloaltonetworks.com/t5/general-articles/understanding-source-nat-address-types/ta-p/518269 <DIV class="lia-message-template-content-zone"> <P><SPAN>&nbsp;</SPAN><STRONG><EM><I data-stringify-type="italic">This article is based on a discussion,&nbsp;<SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/source-nat-with-pool/m-p/517061" target="_blank" rel="noopener">Source NAT with Pool</A>,</SPAN></I><I data-stringify-type="italic">&nbsp;posted by<SPAN>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139105">@nattapong_thi</a>.</SPAN></I><I data-stringify-type="italic">&nbsp;Read on to see the guidance from<SPAN>&nbsp;Cyber Elite&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130" target="_blank" rel="noopener">@Astardzhiev</A>!</SPAN></I></EM></STRONG></P> <P>&nbsp;</P> <BLOCKQUOTE> <P>For example, we use 110.110.110.0/24 as internet facing interface</P> <P>&nbsp;</P> <P>What is the difference between</P> <P>110.110.110.30/<STRONG>24</STRONG> and 110.110.110.30/<STRONG>32</STRONG></P> <P>&nbsp;</P> <P>Which one is correct? When I configure a /24 it seems there's a conflict displayed</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nattapong_thi_0-1665113789364.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44446i95234FF10EE7EF22/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="nattapong_thi_0-1665113789364.png" alt="nattapong_thi_0-1665113789364.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nattapong_thi_1-1665113853182.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44447i063BBB3A5CE39840/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="nattapong_thi_1-1665113853182.png" alt="nattapong_thi_1-1665113853182.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> </BLOCKQUOTE> <H2 id="toc-hId-1731577820"><FONT color="#FF6600"><STRONG>Solution:</STRONG></FONT></H2> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139105">@nattapong_thi</a>,</P> <P>When you use Dynamic IP and Port for source nat, you have two options for defining what address to be used for translation:</P> <P>- Interface address - if you select this one, you tell the firewall to use the IP assigned to that particular interface to be used for translation. In this case firewall will translate all internal sources to single IP - the one configured on selected interface. On other words this is many-to-one translation</P> <P>- Translated address - if you select this one, firewall is expecting you to configure valid IP pool that it will use for translation. In this case you define how big is the pool. If you use /32 prefix, this means that pool consist of single IP and it is again same as many-to-one translation. If you use /24 prefix this means that pool has 255 available addresses, which firewall can use for translation - this is many-to-many translation.</P> <P>&nbsp;</P> <P>110.110.110.30/32 is valid configuration, because /32 prefix define range of single IP</P> <P>110.110.110.30/24 is not valid configuration, because /24 prefix define range of 255 IP addresses, so the .30 is not the beginning of the prefix, but represent a host in that range.</P> <P>&nbsp;</P> <P>When you are configure your outside interface with 110.110.110.30/24 this is now valid, because you tell that FW is assigned with IP .30 from a /24 network, from which firewall can identify the length of the network, network mask etc.</P> <P>&nbsp;</P> <P>In your specific case you can use either of the two:</P> <P>- Use "Interface address" for address type and select the interface of the outside/untrust interface.</P> <P>- Use "translated address" for type and enter /32 pool</P> <P>&nbsp;</P> </BLOCKQUOTE> <P>&nbsp;</P> </DIV> Tue, 08 Nov 2022 16:42:51 GMT https://live.paloaltonetworks.com/t5/general-articles/understanding-source-nat-address-types/ta-p/518269 JayGolf 2022-11-08T16:42:51Z