topic Re: no nat in General Topics

no nat

atelcom — Mon, 08 Jul 2013 09:46:49 GMT

hello

i'am configuring a paloalto firwall wish is the backward firewall,

i'm facing problem with nat , users must be integrated in the frontal firewall

users passes by paloalto firewall first then the frontal firewall, when it pass by pan their adresses changes by nat , and the frontal firewall does'nt reconginze them ,wish is a hige problem

i tried to delete nat because the outside interface of pan is also a private adress , but traffic don't pass when i do this

so i want toknow if i can allow traffic to pass without nating , or if pan has someting called (no nat) like asa and juniper

please help me to figure it out

thank's in advance

Re: no nat

kprakash — Mon, 08 Jul 2013 12:45:48 GMT

Hi Atelcom,

We do have an option to skip the NAT translation. You can specify the source address ( subnet ), the source Zone, The destination address ( subnet ) and the destination zone, and under the "Translated Packet section" select the translation type to "None", as shown in the attachment.

This is as good as not configuring a NAT policy at all. So all you need is a security policy from the inside zone of the PANFW to the outside zone of the PANFW.

You could also have a v-wire deployment on the PANFW, if the PANFW isnt on the perimeter, and use it as an IPS.

Thanks and best regards,

Karthik RP

Re: no nat

atelcom — Mon, 08 Jul 2013 13:43:03 GMT

Hi ,

thank's for your return, i did try the none nat like shown in the attachement , for any source and any destination ..but it doesn't work

i try also to delete it , and the traffic don't pass neither

Re: no nat

atelcom — Mon, 08 Jul 2013 13:44:10 GMT

i can't deploy it in vwire, cause i have to manage acces between internal zones

Re: no nat

kprakash — Mon, 08 Jul 2013 13:58:50 GMT

Atelcom,

Can you attach the screenshots of the NAT policy and the security policy in question

BR,

Karthik RP

Re: no nat

atelcom — Mon, 08 Jul 2013 14:13:12 GMT

currently i'm not at the customer and i can't access to the appliance

Re: no nat

atelcom — Mon, 15 Jul 2013 08:49:30 GMT

Re: no nat

atelcom — Mon, 15 Jul 2013 08:51:07 GMT

t tried also this, but it still does'nt work .should i add another think like an additionnal route to get it work

Re: no nat

UhMayYeah — Mon, 15 Jul 2013 09:21:09 GMT

In this case ,it seems PA firewall is acting a Pass-through in L3 mode and the upstream " frontal" firewall is taking care of source-NAT for internet traffic.

Source-NAT on PA (if configured) would take care of the Return route to Inside Network, but if NAT is not needed,make sure the "frontal" firewall has a route to the LAN/inside network with PA as a next-hop.

Re: no nat

atelcom — Tue, 16 Jul 2013 12:30:31 GMT

Hello Nadir,

thank's for your return it was very helpful, i added a return route in the frontal firewall, and all seems to work fine

but i didn't inderstand the concept, why it doesn't reconizne traffic , it must be stateful firewall so it keep session table

thank's in advance

Re: no nat

UhMayYeah — Tue, 16 Jul 2013 13:04:42 GMT

As you have introduced a new L3 Device (PA FW) in the Network. The Frontal firewall does not know how to route back the return traffic.

Source-NAT on PA firewall was taking care of this return route earlier.