topic Re: PAT/NAT rule not working in General Topics

PAT/NAT rule not working

M.Allen — Thu, 25 Jul 2024 14:17:23 GMT

Hi I am looking to create a PAT for an internal server which will use the /30 public IP of the Palo outside interface and port 16385 to be reachable. The below scenario:

PAT/static NAT towards the private IP of O-IntercomSRV-01 (the intercom server) using UDP port 16385 from sources OG-Parking-Intercom-Dest source port 16385.

O-IntercomSRV-01 - 192.168.1.9

OG-Parking-Intercom-Dest - O-Parking-Intercom-Dest-01 - O-Parking-Intercom-Dest-02 (public IPs)

Is this how I would set this up?

I am getting an error message when committing..

Re: PAT/NAT rule not working

M.Allen — Thu, 25 Jul 2024 15:58:46 GMT

Can anyone advised on this, like hitting my head against a brick wall atm

Re: PAT/NAT rule not working

M.Allen — Sun, 28 Jul 2024 09:22:05 GMT

Still not able to get this working..

Re: PAT/NAT rule not working

MP18 — Mon, 29 Jul 2024 03:39:30 GMT

@M.Allen

Please see this Commit NAT Error: Mismatch of destination address translation range"" (paloaltonetworks.com)

and

Error message: “Mismatch of destination address translation ran... - Knowledge Base - Palo Alto Networks

Regards

Re: PAT/NAT rule not working

reaper — Tue, 30 Jul 2024 09:02:43 GMT

the object used in the pre-NAT destination probably has a /30 subnet? and the post-nat destination is a /32, this is a faulty NAT operation

also, it looks like you're setting up an inbound rule: an inbound NAT (or PAT) rule should be untrust to untrust as the destination address (pre-nat) is on the untrust interface

so your rule should read:

original packet: from untrust to untrust, source parking-OG destination public-IP service 16385

translated packet: static ip, destination 192.168.1.9