https://live.paloaltonetworks.com/t5/general-topics/clarification-needed-on-multiple-static-nat-rules-with-the-same/m-p/1240922#M125439 <P data-start="0" data-end="13">Hey Tammam, <BR /><BR />That’s a really good question. What you’re seeing comes down to how the firewall treats session mappings. With dynamic NAT using a single public IP, the firewall assigns that address temporarily for the first session, and since the pool only contains one IP, other internal devices can’t reuse it until the mapping is released. <BR /><BR />With multiple static NAT rules, each PBX has its own translation rule even if they all use the same public IP. The firewall keeps separate session entries for each rule, so they don’t conflict. <BR /><A href="https://docs.paloaltonetworks.com/ngfw/networking/nat/dynamic-ip-and-port-nat-oversubscription" target="_self">https://docs.paloaltonetworks.com/ngfw/networking/nat/dynamic-ip-and-port-nat-oversubscription </A><BR /><A href="https://pingmynetwork.com/network/ccna-200-301/dynamic-nat" target="_self">https://pingmynetwork.com/network/ccna-200-301/dynamic-nat</A></P> Wed, 29 Oct 2025 23:01:23 GMT Elwin3 2025-10-29T23:01:23Z https://live.paloaltonetworks.com/t5/general-topics/clarification-needed-on-multiple-static-nat-rules-with-the-same/m-p/601423#M119553 <P>Hi Community,</P> <P>I’m working with a customer who had previously configured a dynamic IP source NAT rule with only one address in the pool. This setup worked as expected for just one PBX since after the first session, the public IP would be in use, limiting further connections.</P> <P>However, the customer has now changed the configuration to use multiple static NAT rules, all using the same public IP but for different PBXs. Surprisingly, this is working, allowing multiple sessions to be translated to the same public IP via different NAT rules.</P> <P>What we’re trying to understand is why there’s a difference in behavior between the two scenarios:</P> <OL> <LI>A single NAT rule with dynamic IP source translation using only one public IP in the pool.</LI> <LI>Multiple static NAT rules, all using the same public IP in the translated address.</LI> </OL> <P>Any insights into why these two configurations provide different results would be greatly appreciated!</P> <P>Thanks in advance!</P> Wed, 16 Oct 2024 08:29:11 GMT https://live.paloaltonetworks.com/t5/general-topics/clarification-needed-on-multiple-static-nat-rules-with-the-same/m-p/601423#M119553 TammamA 2024-10-16T08:29:11Z https://live.paloaltonetworks.com/t5/general-topics/clarification-needed-on-multiple-static-nat-rules-with-the-same/m-p/1240922#M125439 <P data-start="0" data-end="13">Hey Tammam, <BR /><BR />That’s a really good question. What you’re seeing comes down to how the firewall treats session mappings. With dynamic NAT using a single public IP, the firewall assigns that address temporarily for the first session, and since the pool only contains one IP, other internal devices can’t reuse it until the mapping is released. <BR /><BR />With multiple static NAT rules, each PBX has its own translation rule even if they all use the same public IP. The firewall keeps separate session entries for each rule, so they don’t conflict. <BR /><A href="https://docs.paloaltonetworks.com/ngfw/networking/nat/dynamic-ip-and-port-nat-oversubscription" target="_self">https://docs.paloaltonetworks.com/ngfw/networking/nat/dynamic-ip-and-port-nat-oversubscription </A><BR /><A href="https://pingmynetwork.com/network/ccna-200-301/dynamic-nat" target="_self">https://pingmynetwork.com/network/ccna-200-301/dynamic-nat</A></P> Wed, 29 Oct 2025 23:01:23 GMT https://live.paloaltonetworks.com/t5/general-topics/clarification-needed-on-multiple-static-nat-rules-with-the-same/m-p/1240922#M125439 Elwin3 2025-10-29T23:01:23Z