topic Re: NGFW PA820 9.1.4 Strange NAT issue in Next-Generation Firewall Discussions

NGFW PA820 9.1.4 Strange NAT issue

MrFritz — Fri, 04 Jun 2021 03:08:40 GMT

We have a simple basic setup:

WAN1/1 Untrust IP 123.45.67.89/29

LAN1/2 Trust IP 10.9.8.1/16

We NAT our WAN interface out to a different IP in the same network. 123.45.67.90

NAT POL Trust to Untrust Int1/1 Any Any to 123.45.67.90

Security Pol is Any Any

I ping 8.8.8.8 from the LAN1/1 and it NATs out correctly with the .90 address

Devices behind the firewall are not getting NAT'd out, I have pcap that shows this. The pcap does not show the NAT'd IP just the trust traffic from the device to the LAN1/1 on both outbound and inbound traffic.

I can also ping the ISP GW from the downstream devices so I can get traffic beyond the FW but nothing beyond that.

Re: NGFW PA820 9.1.4 Strange NAT issue

BPry — Mon, 03 May 2021 19:12:26 GMT

@MrFritz

Take a look at your NAT policy and double check that you actually have it configured correctly. Your traffic logs are also going to be a help here, as you can expose the NAT Source IP field to see what the firewall actually NAT'd traffic to. Weird NAT issues are almost always a result of your NAT rulebase entry not being correctly formatted.

Re: NGFW PA820 9.1.4 Strange NAT issue

MrFritz — Tue, 04 May 2021 10:46:02 GMT

"rule1; index: 1" {
nat-type ipv4;
from Trust;
source 10.0.0.0/8 ;
to Untrust-ISP1;
to-interface ;
destination any;
service 0:any/any/any;
translate-to "src: 170.150.13.150 (dynamic-ip-and-port) (pool idx: 11)";
terminal no;
}

Security Policy

"rule1; index: 1" {
from Trust;
source any;
source-region none;
to Untrust-ISP1;
destination any;
destination-region none;
user any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;

Re: NGFW PA820 9.1.4 Strange NAT issue

reaper — Tue, 04 May 2021 18:19:06 GMT

Can you check your default route? Since your zone is called untrusted-isp1, is there also an untrust-isp2?

Show routing fib virtual-router default | match 0.0.0.0

Re: NGFW PA820 9.1.4 Strange NAT issue

MrFritz — Tue, 04 May 2021 18:24:09 GMT

Untrust-ISP2 is not connected nor is the Zone created:

show routing fib virtual-router VR-1 | match 0.0.0.0
[?1h= 805 0.0.0.0/0 170.150.13.145 ug ethernet1/1 1500

Re: NGFW PA820 9.1.4 Strange NAT issue

MrFritz — Tue, 04 May 2021 18:28:05 GMT

ame: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router VR-1
Interface MTU 1500
Interface IP address: 170.150.13.147/29
Interface management profile: no
Service configured: IKE
Zone: Untrust-ISP1, virtual system: vsys1
Adjust TCP MSS: no
Policing: no

Re: NGFW PA820 9.1.4 Strange NAT issue

reaper — Tue, 04 May 2021 20:38:30 GMT

everything looks ok...

if you start a ping out to the internet, can you check if the session ID of your outgoing ping to see which rules it hits etc:

show session all filter destination 1.1.1.1 application ping

show session id xxx

Re: NGFW PA820 9.1.4 Strange NAT issue

MrFritz — Wed, 05 May 2021 11:29:26 GMT

I can ping the internet from the Trust interface but nothing behind it. My pcap shows ping from the trust interface NATs out correctly but the ping from a the devices behind the FW do not NAT at all. Ping source 10.61.1.1 to host 8.8.8.8 success, Ping source 10.61.1.2 host 8.8.8.8 fails....aged out. Basically no NAT from devices behind the Trust interface.

Re: NGFW PA820 9.1.4 Strange NAT issue

MrFritz — Wed, 05 May 2021 13:17:32 GMT

Strange I updated the OS 9.1.4 to 9.1.5 rebooted and now it is working