topic Re: NAT'ing subnets - Larger to smaller? Will it work? in General Topics

NAT'ing subnets - Larger to smaller? Will it work?

TonyDeHart — Thu, 04 May 2023 11:59:32 GMT

I'm moving some rules from an ASA we will be decommissioning at another location to our local PA-5220 for an IPSEC tunnel that we are migrating. The existing rule set on our ASA is NAT'ing our /16 subnet onto a /24 which technically could be an issue but we have few users that use this tunnel so it isn't an issue and they could come from a number of places on our internal /16.

Is there a way to do this with PAN-OS? When I looked at this document: Getting Started: Network Address Translation (NAT) - Knowledge Base - Palo Alto Networks it had a caveat about being the same size subnets but it looks like that is only if using Dynamic IP and NOT dynamic IP and port. I'm just uncertain at the moment if this tunnel requires the source ports to remain the same - I doubt it but its possible.

Thanks in advance for any help or insight.

Re: NAT'ing subnets - Larger to smaller? Will it work?

BPry — Thu, 04 May 2023 20:57:50 GMT

@TonyDeHart,

This will work as long as no communication traversing the tunnel expects a certain source port to function properly. If that isn't a requirement, you could set this to DIPP and it would work perfectly fine.

Re: NAT'ing subnets - Larger to smaller? Will it work?

TonyDeHart — Thu, 04 May 2023 20:59:26 GMT

That is great news! Thanks. I doubt highly the source port matters at all but I'll probably take a closer look at the logs and see what shows up soon on the ASA. I'm still in discovery mode on some of this but this helps.