https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238790#M125218 <P>an ip pool in an outbound nat rule is meant to be used only for source nat. this means the ip addresses will not be pingable at all.</P> <P>only if</P> <P>1. you create inbound NAT rules where the original destination is in your subnet with a nat translation destination that understands ping or,</P> <P>2. you bind the desired IP to your public interface/loopback in untrust zone so it can respond to ping</P> <P>&nbsp;</P> <P>an outbound pool does not provide inbound connectivity</P> Thu, 25 Sep 2025 14:16:02 GMT reaper 2025-09-25T14:16:02Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238621#M125208 <P>Dear all&nbsp;</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; I have a question about snat address pool and route loop; If I set a snat policy and assign a public address pool（range）to it, like 110.1.1.1 to 110.1.1.11 PS. It's being used for visit internet; I have a default route to internet on my firewall, nexthop is ISP, and this ISP have a route about&nbsp;110.1.1.1 to 110.1.1.11 next hop is my firewall; after then, If a people who trying to ping an address in 110.1.1.1 to 110.1.1.11, there will be a route loop. How do you usual solve this problem? Thanks!!</P> <P>&nbsp;</P> <P>Best Wishes</P> Wed, 24 Sep 2025 05:58:35 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238621#M125208 459768405 2025-09-24T05:58:35Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238648#M125209 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/706468977">@459768405</a>&nbsp;,</P> <P>&nbsp;</P> <P>I haven't tested this but methinks you could use a loopback interface to prevent the loop from happening.</P> <P>&nbsp;</P> <OL start="1"> <LI> <P>Create a Loopback Interface and assign the IP address from your public pool to this new Loopback interface.</P> </LI> <LI> <P>Add a static route in your VR that points your public address pool to the Loopback interface as the next hop.&nbsp;</P> </LI> </OL> <P>&nbsp;</P> <P>I believe that by doing this, when the ISP sends a packet to an IP in your public pool, the firewall receives it and correctly routes it to the loopback interface. This should prevents the routing loop because the firewall recognizes the traffic as belonging to itself.</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Wed, 24 Sep 2025 08:25:20 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238648#M125209 kiwi 2025-09-24T08:25:20Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238651#M125210 <P>Hi, Kiwi</P> <P>&nbsp;</P> <P>I think this will be work. And maybe I don't have to assign a public ip address to the loopback, maybe I can give it a private address. So it means in paloalto, when a traffic comes into our firewall, nat procedure is before route search; So if a really useful back traffic will count the nat policy( maybe a nat session table)&nbsp; first, and it won't be route to the loopback, am I right?</P> <P>I have done this on a firewall which from another manufacture, When I config a nat pool, it will auto config a route about the pool, and next hop is null0, I think the theory is same like config a loopback and a route.</P> <P>By the way, very like your ID and picture, the kiwi bird is so cute, LOL</P> <P>&nbsp;</P> <P>Best Wishes</P> <P>Du</P> Wed, 24 Sep 2025 08:42:09 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238651#M125210 459768405 2025-09-24T08:42:09Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238756#M125215 <P>there should not be a routing loop if you add at least 1 IP (e.g. 110.1.1.1/24) with the appropriate subnet to your public interface</P> <P>from that moment forward, the firewall can proxy-arp for all ip addresses in the subnet if needed (and per the NAT configuration) and will also account for reply packets from any outbound sessions using that nat pool</P> <P>&nbsp;</P> <P>Your NAT pool will trigger that proxy-arp so you wouldn't even need a static route on your ISP router</P> Thu, 25 Sep 2025 07:14:12 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238756#M125215 reaper 2025-09-25T07:14:12Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238757#M125216 <P>Thanks! If I config an address which is in the same subnet with my nat address pool, there will not have a routing loop yet. but if some one try to ping an address in my address pool, I think there will have some unuseful arp packet will be send from the interface which faced internet. but it's better than a routing loop. But if we have got to config an address on the interface which in the different subnet with the pool, maybe we need to config loopback interface&amp;route and something to solve this potential problem.</P> Thu, 25 Sep 2025 07:30:00 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238757#M125216 459768405 2025-09-25T07:30:00Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238790#M125218 <P>an ip pool in an outbound nat rule is meant to be used only for source nat. this means the ip addresses will not be pingable at all.</P> <P>only if</P> <P>1. you create inbound NAT rules where the original destination is in your subnet with a nat translation destination that understands ping or,</P> <P>2. you bind the desired IP to your public interface/loopback in untrust zone so it can respond to ping</P> <P>&nbsp;</P> <P>an outbound pool does not provide inbound connectivity</P> Thu, 25 Sep 2025 14:16:02 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238790#M125218 reaper 2025-09-25T14:16:02Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238836#M125229 <P>Yes, but cause of the ip address not be pingable, firewall don't know these address are assign to its, then I think it will search the routing table and hit the default route, then firewall will forward the ping packet to ISP, but in ISP device, the packet will hit the route which nexthop is our firewall, the loop is created. but this is not a big problem, cause of TTL.</P> Fri, 26 Sep 2025 02:00:48 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238836#M125229 459768405 2025-09-26T02:00:48Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238910#M125234 <P>you can fix that by setting a intrazone deny rule for untrust zone <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> (untrust to untrust block)</P> <P>&nbsp;</P> <P>this is best practice so if you have not done this, look into setting up explicit external rules</P> Fri, 26 Sep 2025 11:55:25 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1238910#M125234 reaper 2025-09-26T11:55:25Z https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1239724#M125303 <P>got it! I think this the most simple way to tackle this problem, thanks&nbsp;</P> Thu, 09 Oct 2025 02:18:03 GMT https://live.paloaltonetworks.com/t5/general-topics/a-question-about-snat-address-pool-couse-a-route-loop/m-p/1239724#M125303 459768405 2025-10-09T02:18:03Z