https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599083#M3818 <P>Hi Team,</P> <P>In Checkp[oint we have an option to configure the dummy IPs in the NAT and use Proxy Arp to get it working. For example.&nbsp;</P> <P>Source: 10.10.10.1</P> <P>Destination: 10.100.100.1(Dummy IP)</P> <P>Translation:</P> <P>Source: 172.16.10.1(Dummy IP)</P> <P>Destination: 172.17.25.1</P> <P>&nbsp;</P> <P>And then configure the Proxy Arp and get this NAT working. This kind of NAT are used only to avoid overlapping subnets in the source and Destination end.</P> <P>&nbsp;</P> <P>May i know how this can be achieved in PaloAlto? I dont really see such options on configuring dummy subnets in the NAT and get it working.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Sanjay S</P> Mon, 30 Sep 2024 10:36:47 GMT Sanjay_Ramaiah 2024-09-30T10:36:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599083#M3818 <P>Hi Team,</P> <P>In Checkp[oint we have an option to configure the dummy IPs in the NAT and use Proxy Arp to get it working. For example.&nbsp;</P> <P>Source: 10.10.10.1</P> <P>Destination: 10.100.100.1(Dummy IP)</P> <P>Translation:</P> <P>Source: 172.16.10.1(Dummy IP)</P> <P>Destination: 172.17.25.1</P> <P>&nbsp;</P> <P>And then configure the Proxy Arp and get this NAT working. This kind of NAT are used only to avoid overlapping subnets in the source and Destination end.</P> <P>&nbsp;</P> <P>May i know how this can be achieved in PaloAlto? I dont really see such options on configuring dummy subnets in the NAT and get it working.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Sanjay S</P> Mon, 30 Sep 2024 10:36:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599083#M3818 Sanjay_Ramaiah 2024-09-30T10:36:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599103#M3823 <P>You are referring to traffic coming from Internet towards Palo?</P> <P>You can have dummy IP as destination IP if traffic arrives to Palo (destination mac address in the packet is mac of Palo wan interface).</P> <P>If traffic is not sent to Palo mac then for Palo to reply with proxy arp it needs IP to be configured on the wan interface (this check is strict starting from 10.2.8, before that it worked even without IP on wan interface).</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-policy-rules/proxy-arp-for-nat-address-pools" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-policy-rules/proxy-arp-for-nat-address-pools</A></P> Mon, 30 Sep 2024 16:26:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599103#M3823 Raido_Rattameister 2024-09-30T16:26:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599539#M3836 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;,</P> <P>No that is not the scenario. We have to NAT both Source and destination to avoid overlapping.</P> <P>So it will be as below:</P> <P>Original:</P> <P>Source will have original IP</P> <P>Destination will be Dummy IP</P> <P>Tranlated:</P> <P>Source will be Natted to dummy IP</P> <P>Destination will translate to the original IP</P> <P>&nbsp;</P> <P>In checkpoint we use the interface that will respond to Dummy IP will have the MAC ID responding to the Original Destination.</P> Fri, 04 Oct 2024 12:47:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599539#M3836 Sanjay_Ramaiah 2024-10-04T12:47:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599788#M3853 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;</P> <P>I dont see the Dynamic NAT is working as expected. Basically Firewall is not proxing for the traffic.&nbsp;</P> <P>As i updated in the beginning here we need to NAT Source with the dummy range before reaching the destination. And Destination will be NATted with the dummy range.</P> <P>&nbsp;</P> <P>From source side we will be pinging the Dummy Destination IP. In the Destination side we should be seeing the Dummy Source IP..</P> <P>&nbsp;</P> <P>I reffered the Link and configured as same as that but it is still not working <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>Regards,</P> <P>Sanjay S</P> Tue, 08 Oct 2024 14:36:42 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/nat-config/m-p/599788#M3853 Sanjay_Ramaiah 2024-10-08T14:36:42Z