https://live.paloaltonetworks.com/t5/globalprotect-discussions/source-nat-with-pool-from-globalprotect-zone-to-subnet-behind/m-p/517517#M3246 <P>Hi community,&nbsp;</P> <P>I'm writting this post to get any ideas or suggestions in a new end-customer requirement. The main goal is that all clients connected via GlobalProtect can access to a new services acquired recently via MPLS (attached the brief topology). The point here is the MPLS's administrator share a specific IP Address that we need to NAT any source address from the Firewall Palo Alto.&nbsp;</P> <P>&nbsp;</P> <P>We asigned the 192.168.130.0/24 pool to dynamic-client and we need to get access to 172.21.2.9 through out MPLS and it indicates us we have to NAT with 192.168.1.222 IP address; the config applied works, the traffic from the dynamic-client to 172.21.2.9 leave the firewall with 192.168.1.222 but, we can't connect and the session detail shows "application = incomplete/undecided"</P> <P>&nbsp;</P> <P>This is the brief flow-traffic:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="larry2019_0-1665525816825.png" style="width: 565px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44586i06CCB4E876D5FC6D/image-dimensions/565x260/is-moderation-mode/true?v=v2" width="565" height="260" role="button" title="larry2019_0-1665525816825.png" alt="larry2019_0-1665525816825.png" /></span></P> <P>&nbsp;</P> <P>In advanced, thank you so much for your reply!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 11 Oct 2022 22:05:45 GMT larry2019 2022-10-11T22:05:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/source-nat-with-pool-from-globalprotect-zone-to-subnet-behind/m-p/517517#M3246 <P>Hi community,&nbsp;</P> <P>I'm writting this post to get any ideas or suggestions in a new end-customer requirement. The main goal is that all clients connected via GlobalProtect can access to a new services acquired recently via MPLS (attached the brief topology). The point here is the MPLS's administrator share a specific IP Address that we need to NAT any source address from the Firewall Palo Alto.&nbsp;</P> <P>&nbsp;</P> <P>We asigned the 192.168.130.0/24 pool to dynamic-client and we need to get access to 172.21.2.9 through out MPLS and it indicates us we have to NAT with 192.168.1.222 IP address; the config applied works, the traffic from the dynamic-client to 172.21.2.9 leave the firewall with 192.168.1.222 but, we can't connect and the session detail shows "application = incomplete/undecided"</P> <P>&nbsp;</P> <P>This is the brief flow-traffic:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="larry2019_0-1665525816825.png" style="width: 565px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44586i06CCB4E876D5FC6D/image-dimensions/565x260/is-moderation-mode/true?v=v2" width="565" height="260" role="button" title="larry2019_0-1665525816825.png" alt="larry2019_0-1665525816825.png" /></span></P> <P>&nbsp;</P> <P>In advanced, thank you so much for your reply!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 11 Oct 2022 22:05:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/source-nat-with-pool-from-globalprotect-zone-to-subnet-behind/m-p/517517#M3246 larry2019 2022-10-11T22:05:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/source-nat-with-pool-from-globalprotect-zone-to-subnet-behind/m-p/517699#M3257 <P>Hello,</P> <P>Make sure the policies are marked with 'Log at session end'. Then check the logs to see if any traffic is getting blocked. Could be a misconfigured security policy.</P> <P>Regards,</P> Wed, 12 Oct 2022 21:08:22 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/source-nat-with-pool-from-globalprotect-zone-to-subnet-behind/m-p/517699#M3257 OtakarKlier 2022-10-12T21:08:22Z