topic Re: Test commnad on the nat policies in General Topics

Test commnad on the nat policies

costin.gherghe — Thu, 31 Oct 2013 15:02:56 GMT

Hello,

I did an upgrade from a 500 model to a 3020 model. All the configurations work just fine. The problem that I see is that I cannot test the nat-policy rules. I have the following configuration:

snat-all-LANs {

from inside;

source [ 172.30.0.0/15 192.168.0.0/16 ];

to outside;

to-interface ;

destination any;

service any/any/any;

translate-to "src: #.#.#.# (dynamic-ip-and-port) (pool idx: 1)";

terminal no;

when I do a test for the nat rule match it returns a no match result

PA-3020-CE-01> test nat-policy-match source 192.168.0.1 destination 8.8.8.8 destination-port 80 protocol 6

No rule matched

How can I find out why is there no match?

I have to mention that the NAT configuration works just fine.

Thanks,

Costin

Re: Test commnad on the nat policies

Retired Member — Thu, 31 Oct 2013 17:19:33 GMT

Did a quick test on PA-3020 and PA-200 and the test nat-policy-match command worked fine for me. I used PAN-OS 5.0.6 and 5.0.8. What PAN-OS version are you running? Perhaps you can try adding more parameters in your test command such as from zone, etc. See if that makes a difference.

-Richard

Re: Test commnad on the nat policies

costin.gherghe — Thu, 31 Oct 2013 18:35:55 GMT

Hello,

I have PAN-OS 5.0.6 installed on my device. I used for the test the source and destination zones and it identified the rule.

I also tested this on a 5050 with PAN-OS 5.0.3 and on this one the rule was identified by the "test nat-rule" without using zone parameters.

Is there any reason for this? (different OS?)

Thanks,

Costin