https://live.paloaltonetworks.com/t5/general-topics/snat-for-multi-wan-ip/m-p/570139#M114912 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/147193717">@jthk215</a>,</P> <P>When you look at the traffic logs you can add the columns for 'NAT Source IP' or go into the detailed log detail on a couple of the logs and verify that the proper NAT policy is actually being applied. You can also do this through the 'Test Policy Match' functionality available in the bottom right of the GUI when looking at your NAT policies, or through the CLI command 'test nat-policy-match' and verifying that your traffic is matching as expected.</P> <P>Since sometimes people like to obfuscate information and end up actually hiding important information in that process, can you verify that the IP that you're attempting to NAT with actually falls into the subnet of the IP on the untrust interface. I know your example here does,&nbsp;<EM>but&nbsp;</EM>if it doesn't it explains the behavior that you're running into fully. If you NAT to an address that doesn't fall into a subnet of the IP on the untrust interface, you'll need to actually add a route for it.&nbsp;</P> <P>&nbsp;</P> <P>It's also important in instances like this that you actually share the NAT policy in a screenshot if you can.&nbsp;</P> Sat, 16 Dec 2023 05:51:27 GMT BPry 2023-12-16T05:51:27Z https://live.paloaltonetworks.com/t5/general-topics/snat-for-multi-wan-ip/m-p/570057#M114906 <P>Hi All,</P> <P>I have ISP provide 4 public IPs can be use.</P> <P>But I can use 1 public ip to outbound traffic only., if i create another SNAT to 2nd public IP, it can't go out to internet.</P> <P>&nbsp;</P> <P>e.g. Interface IP:&nbsp; 20.1.20.20/29</P> <P>&nbsp;</P> <P>Not work NAT configuration&nbsp;</P> <P>&nbsp;</P> <P>NAT:</P> <P>DMZ NAT : DMZ Source IP 10.1.10.0/24 to DIPP <STRONG>20.1.20.21-20.1.20.22</STRONG></P> <P>APP SNAT: DMZ2 Source IP : 10.1.20.0/24 to SNAT 20.1.20.20&nbsp;</P> <P>&nbsp;</P> <P>Security :</P> <P>DMZ and DMZ2 Any to Any Out Allow.</P> <P>&nbsp;</P> <P>Working NAT Configuration</P> <P>&nbsp;</P> <P>NAT:</P> <P>DMZ NAT : DMZ Source to Untrust Any IP 10.1.10.0/24 to DIPP&nbsp; &nbsp;<STRONG>20.1.20.20</STRONG>&nbsp;</P> <P>APP SNAT: DMZ2 Source to Untrust Any&nbsp; IP : 10.1.20.0/24 to SNAT&nbsp; 20.1.20.20&nbsp;</P> <P>&nbsp;</P> <P>Security :</P> <P>DMZ and DMZ2 Any to Any Out Allow.</P> <P>&nbsp;</P> <P>I can see the traffic is allow.</P> <P>How can I separate different subnet to use different workload WAN IP, which configuration am I missing?</P> <P>&nbsp;</P> <P>Thanks.</P> <P>&nbsp;</P> Fri, 15 Dec 2023 13:21:57 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-for-multi-wan-ip/m-p/570057#M114906 jthk215 2023-12-15T13:21:57Z https://live.paloaltonetworks.com/t5/general-topics/snat-for-multi-wan-ip/m-p/570139#M114912 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/147193717">@jthk215</a>,</P> <P>When you look at the traffic logs you can add the columns for 'NAT Source IP' or go into the detailed log detail on a couple of the logs and verify that the proper NAT policy is actually being applied. You can also do this through the 'Test Policy Match' functionality available in the bottom right of the GUI when looking at your NAT policies, or through the CLI command 'test nat-policy-match' and verifying that your traffic is matching as expected.</P> <P>Since sometimes people like to obfuscate information and end up actually hiding important information in that process, can you verify that the IP that you're attempting to NAT with actually falls into the subnet of the IP on the untrust interface. I know your example here does,&nbsp;<EM>but&nbsp;</EM>if it doesn't it explains the behavior that you're running into fully. If you NAT to an address that doesn't fall into a subnet of the IP on the untrust interface, you'll need to actually add a route for it.&nbsp;</P> <P>&nbsp;</P> <P>It's also important in instances like this that you actually share the NAT policy in a screenshot if you can.&nbsp;</P> Sat, 16 Dec 2023 05:51:27 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-for-multi-wan-ip/m-p/570139#M114912 BPry 2023-12-16T05:51:27Z