topic Re: Twice NAT of ASA FW , equivalent NAT rules on Palo Alto FW in Next-Generation Firewall Discussions

Twice NAT of ASA FW , equivalent NAT rules on Palo Alto FW

EMEA-FW — Thu, 29 Sep 2022 17:57:59 GMT

Hi Experts ,

We have twice nat rules (nearly 608 NAT rules) configured on ASA FW and we are planning to refresh them with Palo Alto 5020 soon.Below is one the NAT rule of ASA FW.

nat (Internet,Inside) source static any any destination static h-197.29.23.83 h-10.30.2.74 unidirectional

I would like to know what kind of nat rule(s) we should have on Palo alto FW so that translation happens properly for the above mentioned NAT rule.

Timely reply would be highly appreciated as i need to configure 608 NAT rules on Palo Alto FW.

We have used expedition tool to convert ASA FW configuration to Palo Alto , however we are suspecting that twice NAT of ASA FW is not converted properly using Expedition tool.

Re: Twice NAT of ASA FW , equivalent NAT rules on Palo Alto FW

aleksandar.astardzhiev — Thu, 29 Sep 2022 21:40:23 GMT

Hi @EMEA-FW ,

My ASA knowledge is so rusty I couldn't event say I understand it...However the example you gave seems like simple destination NAT. It could be configured as twice-NAT, but it is translating only the destination address (right?). Which in simple terms is destination static NAT.

For me personally Palo Alto NAT config is the most intuitive, ever. I will try to shake the dust from my ASA memories and try to breakdown the twice-NAT config command, we can interpred it in "more simple PAN words" 🙂

I have tried to map each part of the ASA command to the PAN GUI

Now there is a tricky part, in summary - for destination NAT on the Palo you need to use source and destination zone as "Internet":

- Palo Alto first evaluates the NAT, but apply it later in the process. Meaning received original packet, needs to match the NAT rule in order to be NATed later. Which means firewall will check which will be the destination zone based on the original destination IP. Since the original destination will be public IP, route lookup will identify "outside/Internet" zone as destination. At the same time traffic is received from internet, so the source zone will also be "Internet"

If this could help you, here is how your emaple NAT should look like on PAN firewall:

I want to take a step back and ask, why do you think Expedition has failed to convert all the NAT rules properly?

Can you share some examples for ASA NAT rule and how it was translated by the Expedition?

I would suggest you try the Expedition again. Let it do the durty work for all 600+ NAT rules. But you definately review them. I am hoping with above explanations you can easily identify if NAT rule was trasnlated correctly or not.

Re: Twice NAT of ASA FW , equivalent NAT rules on Palo Alto FW

EMEA-FW — Mon, 17 Oct 2022 15:45:27 GMT

Hi Astardzhiev ,

Your explanation is simply superb and my doubt got cleared.Reworked on expedition and NAT rules are properly converted now.

I've one more question related to QoS on PA FW.We have QoS configured on ASA FW and it needs to be migrated to Palo Alto Firewall.

Below is the configuration of Cisco ASA FW.

access-list TEST_1 extended permit tcp any object-group NetGrp.TEST.Prod.Servers
access-list TEST_1 extended permit tcp any object-group NetGrp.TEST.OS.Servers
access-list TEST_1 extended permit tcp any object-group NetGrp.DC1.Prod.Servers
access-list TEST_1 extended permit tcp any object-group NetGrp.DC1.OS.Servers

object-group network NetGrp.TEST.Prod.Servers
network-object host 10.10.10.250
network-object 10.10.40.0 255.255.254.0

object-group network NetGrp.TEST.OS.Servers
network-object host 20.20.20.1
network-object host 20.20.20.2

object-group network NetGrp.DC1.Prod.Servers
network-object host 30.30.30.1
network-object host 30.30.30.2

object-group network NetGrp.DC1.OS.Servers
network-object host 40.40.40.1
network-object host 40.40.40.2

class-map DCD
match access-list TEST_1
class-map inspection_default
match default-inspection-traffic

policy-map global_policy
description TCP_Values
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class DCD
set connection timeout idle 1:00:00 reset dcd 0:15:00 5
class class-default
user-statistics accounting

service-policy global_policy global