https://live.paloaltonetworks.com/t5/general-topics/static-nat-not-working/m-p/1231717#M124564 <P>you can't effectively nat for an IP subnet that is one hop away from the palo interface</P> <P>outbound NAT will work, the palo will source nat outgoing packets, the next hop router will (probably, unless this router supports anti-spoofing) route the packet to the final destination</P> <P>so far all will be good, but the reply packet will remain inside the local broadcast domain (the /24 subnet on the far end). the router will not know to forward that packet to 172.16.1.1 unless you set up some sort of proxy arp on the router</P> <P>&nbsp;</P> <P>you can source nat behind 172.16.1.1 but not 172.16.100.x since that is one hop away</P> <P>&nbsp;</P> <P>tl;dr you're performing an old-school spoofing attack</P> Fri, 13 Jun 2025 09:52:14 GMT reaper 2025-06-13T09:52:14Z https://live.paloaltonetworks.com/t5/general-topics/static-nat-not-working/m-p/1231547#M124548 <P>Please consider below topology in which PC-1 - 3 are connected to Cisco Switch and having a gateway 192.168.1.1 configure on firewall. Firewall rule is any any and all the PC can ping the IT PC with actual IP. Now I want to deal with the scenario where all the PC-1 to 3 need to be statically translated to the IP in IT range which is 172.16.100.100 for PC-1 , 101 for PC-2 and 102 for PC-3 respectively but the scenario is not working. I would like to know how can we achieve this topolgy.</P> <P>&nbsp;</P> <P>192.168.1.10 -- NAT TO -- 172.16.100.100</P> <P>192.168.1.11 -- NAT TO -- 172.16.100.101</P> <P>192.168.1.12 -- NAT TO -- 172.16.100.102</P> <P>&nbsp;</P> <P>I tried doing static NAT as per below and it is working but I dont want to do that</P> <P>192.168.1.10 -- NAT TO --172.16.1.3&nbsp;</P> <P>&nbsp;</P> <P>Am I missing something like proxy arp.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Him143u_1-1749663293591.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68003iEEAF81C63D17293C/image-size/medium?v=v2&amp;px=400" role="button" title="Him143u_1-1749663293591.png" alt="Him143u_1-1749663293591.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 11 Jun 2025 18:50:59 GMT https://live.paloaltonetworks.com/t5/general-topics/static-nat-not-working/m-p/1231547#M124548 Him143u 2025-06-11T18:50:59Z https://live.paloaltonetworks.com/t5/general-topics/static-nat-not-working/m-p/1231717#M124564 <P>you can't effectively nat for an IP subnet that is one hop away from the palo interface</P> <P>outbound NAT will work, the palo will source nat outgoing packets, the next hop router will (probably, unless this router supports anti-spoofing) route the packet to the final destination</P> <P>so far all will be good, but the reply packet will remain inside the local broadcast domain (the /24 subnet on the far end). the router will not know to forward that packet to 172.16.1.1 unless you set up some sort of proxy arp on the router</P> <P>&nbsp;</P> <P>you can source nat behind 172.16.1.1 but not 172.16.100.x since that is one hop away</P> <P>&nbsp;</P> <P>tl;dr you're performing an old-school spoofing attack</P> Fri, 13 Jun 2025 09:52:14 GMT https://live.paloaltonetworks.com/t5/general-topics/static-nat-not-working/m-p/1231717#M124564 reaper 2025-06-13T09:52:14Z https://live.paloaltonetworks.com/t5/general-topics/static-nat-not-working/m-p/1231733#M124568 <P>Hello,</P> <P>I would keep it simple and just use security policies to allow/deny traffic. No need to nat between subnets.</P> <P>Regards,</P> Fri, 13 Jun 2025 18:40:40 GMT https://live.paloaltonetworks.com/t5/general-topics/static-nat-not-working/m-p/1231733#M124568 OtakarKlier 2025-06-13T18:40:40Z