Natting issues

I.SupportChennai — Thu, 26 Mar 2026 11:32:00 GMT

The customer is currently unable to access our server using the NAT IP addresses.

Re: Natting issues

I.SupportChennai — Thu, 26 Mar 2026 11:44:04 GMT

PA-1410

Re: Natting issues

Raido_Rattameister — Thu, 26 Mar 2026 13:54:04 GMT

You host servers?

Customers come from Internet and you apply destination NAT on your Palo towards servers that are using IPs from RFC 1918 IP range?

Re: Natting issues

Eric_B — Fri, 27 Mar 2026 17:42:58 GMT

Is the NAT in your route table? Do you have a policy to allow it? Logs would be helpful.

Re: Natting issues

abayoumi21 — Sun, 29 Mar 2026 08:30:10 GMT

To troubleshoot access issues to a server via NAT IP on a Palo Alto firewall, you should verify whether NAT is being applied correctly, confirm the matching security policy, and validate routing for both forward and return traffic.

Troubleshooting Steps

1️⃣ Identify Source Information
Start by confirming the source IP address of the customer attempting to access the server.

2️⃣ Check Traffic Logs
Go to:

Monitor → Traffic

• Add the column “NAT Destination IP”
• Apply a filter for the customer source IP

This helps determine whether Destination NAT is being applied.

3️⃣ Verify NAT Behavior

• If NAT is applied (NAT Destination IP is visible):
→ The traffic is correctly translated.
→ Check connectivity and routing on downstream devices (inside/DMZ side).

• If NAT is NOT applied:
→ Continue with the checks below.

4️⃣ Validate Security Policy

A common mistake in Palo Alto:

👉 The Destination Zone in the Security Policy must be the post-NAT zone, not the original zone.

Check:

• Correct Source Zone
• Correct Destination Zone (after NAT)
• Application / Service

Also verify the hit count on the rule.

5️⃣ Check NAT Rule Hit Count

Go to NAT policy and verify:

• Is the NAT rule being hit?

6️⃣ Correlate NAT vs Security Policy

• NAT hit count increases, but no hit on Security Policy →
👉 This usually indicates a routing issue or zone mismatch.

7️⃣ Verify Routing / PBF

Check:

• Routing table (forward path)
• Return path from server
• Policy-Based Forwarding (if configured)

Incorrect routing can prevent the session from completing even if NAT is correct.

Summary

The key checks are:

• Confirm NAT translation in traffic logs
• Ensure security policy uses post-NAT zone
• Compare hit counts between NAT and security rules
• Validate routing and return path

Most issues in this scenario are caused by zone mismatch in policy or routing problems after NAT.

topic Natting issues in Next-Generation Firewall Discussions

Natting issues

Re: Natting issues

Re: Natting issues

Re: Natting issues

Re: Natting issues