Cisco Twice NAT

Justin_Lucas — Tue, 25 Oct 2022 18:20:59 GMT

I am working a migration of a Cisco ASA Firewall to Palo Alto and the NATs are confusing.

Here are a couple of the NATs:

(Outside) to (Vendor) source static 10.5.1.0/24 10.5.1.0/24 destination static (10.24.49.47 & 10.24.49.46) (10.24.49.47 & 10.24.49.46)

(Outside) to (Outside) source static 10.160.100.100 67.91.127.197 destination static 69.167.253.23/32 69.167.253.23/32 service 5721-5722 5721-5722

(DMZ) to (Vendor) source static 192.168.200.21/32 192.168.200.21/32 destination static 10.24.49.46/32 10.24.49.46/32 no-proxy-arp

(inside) to (Outside) source static any any destination static 10.5.1.0/24 10.5.1.0/24 no-proxy-arp route-lookup

(inside) to (Vendor) source dynamic (10.140.0.0/16 & 10.80.1.0/24 & 10.80.3.0/24) 172.16.1.200/32 destination static (170.209.0.2 & 170.209.0.3 & 170.209.0.4) (170.209.0.2 & 170.209.0.3 & 170.209.0.4)

(inside) to (Vendor) source static 10.100.100.100 10.100.100.100

Would love some help with Palo Alto NATs and Security Policies that go with them.

Re: Cisco Twice NAT

aleksandar.astardzhiev — Sun, 27 Nov 2022 22:02:39 GMT

Hi @Justin_Lucas .

I would recommend you to check my reply in this discussion - https://live.paloaltonetworks.com/t5/next-generation-firewall/twice-nat-of-asa-fw-equivalent-nat-rules-on-palo-alto-fw/m-p/516389#M432

Please check it and let me know if you still have some questions about Palo NAT and how it translates to Cisco

topic Cisco Twice NAT in Next-Generation Firewall Discussions

Cisco Twice NAT

Re: Cisco Twice NAT