https://live.paloaltonetworks.com/t5/general-topics/understanding-static-nat/m-p/544824#M111473 <P>Hi Tom,</P> <P>After further checking i see the same IP is being NATted to the different internal IP behind the LAN interface.</P> <P>That NAT is on TOP of the NAT rule base which could be the reason for traffic going to LAN interface.</P> <P>&nbsp;</P> <P>Thank you very much, i am bit confident now about the NATs in Palo after your confirmation.&nbsp;</P> <P>Issue is not resolved, i have requested customer to provide me the unused IP in the same subnet and awaiting response. Will let the trail updated.</P> <P>Regards,</P> <P>Sanjay S</P> Mon, 05 Jun 2023 14:57:47 GMT Sanjay_Ramaiah 2023-06-05T14:57:47Z https://live.paloaltonetworks.com/t5/general-topics/understanding-static-nat/m-p/544789#M111467 <P>Hi All,</P> <P>When it comes to Static NAT it will be one to one NAT in vendors like Checkpoint and Cisco ASA. I am bit confused with the NAT configuration in Palo Alto. Went through config guide and examples of NAT as well but still confused.</P> <P>We have a scenario as below.</P> <P>We have 3 zones - WAN, LAN and DMZ.</P> <P>Users want to reach DMZ interface from WAN and vice versa.</P> <P>IP: 10.10.10.10 shd be translated to 1.1.1.2</P> <P>WAN Int: 1.1.1.1/29</P> <P>So ACL is configured as below:</P> <P>WAN to DMZ Zones port 443 is allowed.</P> <P>Src Int: WAN</P> <P>Src: Any</P> <P>Dst Int: DMZ</P> <P>Dst: 1.1.1.2</P> <P>Port: 443</P> <P>&nbsp;</P> <P>Src Int: DMZ</P> <P>Src: 10.10.10.10</P> <P>Dst Int: WAN</P> <P>Dst: Any</P> <P>Port: 443</P> <P>&nbsp;</P> <P>NAT:</P> <P>Src Zone: DMZ</P> <P>Dst Zone: WAN</P> <P>Dst Int: WAN</P> <P>Src Add: 10.10.10.10</P> <P>Dst Add:Any</P> <P>Src Trans: Static IP(1.1.1.2)Bi-directional</P> <P>Dst Trans:none</P> <P>&nbsp;</P> <P>Src Zone:WAN</P> <P>Dst Zone: DMZ</P> <P>Dst Int:DMZ</P> <P>Src Add:Any</P> <P>Dst Add:1.1.1.2</P> <P>Src Trans:none</P> <P>Dst Trans:dst-translation(10.10.10.10)</P> <P>&nbsp;</P> <P>Is there anything wrong with this?</P> <P>&nbsp;</P> <P>Though 1.1.1.2 is directly connected to WAN. Traffic from outside to 1.1.1.2 to is going to LAN interface instead of DMZ.</P> <P>I am concerned with my NAT understanding in Palo.</P> <P>&nbsp;</P> <P>Any suggestions on this would really help.&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> <P>Sanjay S</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 05 Jun 2023 12:40:46 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-static-nat/m-p/544789#M111467 Sanjay_Ramaiah 2023-06-05T12:40:46Z https://live.paloaltonetworks.com/t5/general-topics/understanding-static-nat/m-p/544812#M111470 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/249853">@Sanjay_Ramaiah</a> ,</P> <P>&nbsp;</P> <P>That looks good.&nbsp; The 2nd NAT entry is not needed because you configured the 1st one as bidirectional.</P> <P>&nbsp;</P> <P>Could you give me the IP address/mask on the DMZ and LAN interfaces?&nbsp; I am curious why the traffic is going to the LAN interface also.&nbsp; Do you have other NAT rules <EM>above</EM> the ones you listed?&nbsp; I wonder if the traffic is hitting another rule.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 05 Jun 2023 13:24:34 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-static-nat/m-p/544812#M111470 TomYoung 2023-06-05T13:24:34Z https://live.paloaltonetworks.com/t5/general-topics/understanding-static-nat/m-p/544824#M111473 <P>Hi Tom,</P> <P>After further checking i see the same IP is being NATted to the different internal IP behind the LAN interface.</P> <P>That NAT is on TOP of the NAT rule base which could be the reason for traffic going to LAN interface.</P> <P>&nbsp;</P> <P>Thank you very much, i am bit confident now about the NATs in Palo after your confirmation.&nbsp;</P> <P>Issue is not resolved, i have requested customer to provide me the unused IP in the same subnet and awaiting response. Will let the trail updated.</P> <P>Regards,</P> <P>Sanjay S</P> Mon, 05 Jun 2023 14:57:47 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-static-nat/m-p/544824#M111473 Sanjay_Ramaiah 2023-06-05T14:57:47Z