topic Re: 1-to-1 NAT in General Topics

1-to-1 NAT

ddavis1 — Tue, 25 Feb 2014 15:42:07 GMT

Ok need some help. I have a 1-to-1 NAT that is not working. Monitor-Traffic shows the Application as incomplete.

NAT Policy

Security Policy

Monitor

Re: 1-to-1 NAT

HULK — Tue, 25 Feb 2014 17:34:24 GMT

Hello Sir,

As per above screenshot, i hope you have configured Many-to-one Destination NAT. Could you please let me know, the address object "TEST PC RDP Private x.x.x). is a subnet or a single IP address...?

Could you please enable below mentioned option on traffic logs for better understanding:

Thanks

Re: 1-to-1 NAT

HULK — Tue, 25 Feb 2014 17:51:45 GMT

Adding one more information here:

Incomplete in the application field:

Incomplete means that either the three way TCP handshake did NOT complete or the three way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the Palo Alto device creates a session for that syn, but the server never sends a SYN ACK in response back to the client, then that session would be seen as incomplete.

FYI: KB article-Incomplete, Insufficient data and Not-applicable in the application field

Thanks

Re: 1-to-1 NAT

StefanvanHattum — Fri, 28 Feb 2014 19:04:23 GMT

I have the same issue as the OP. I hope someone has an answer. I'll keep an eye on this thread.

I don't know your configuration but I'm running a PA-VM on Esxi 5.5 with Promiscuous mode accepted on the vswitches in esxi.

Also tried PANOS 5.0.11 and PANOS 6.0 both has same results.

Re: 1-to-1 NAT

ddavis1 — Fri, 28 Feb 2014 19:18:38 GMT

I was able to get mine to work. My issue was not paying attention. When i created the address object i put the correct IP in the description but fat-fingered that actual IP. So at a glance it looked correct. Below are some pics of my working 1-to-1 NAT. If you click the image it will enlarge.

NAT:

Security:

Re: 1-to-1 NAT

ddavis1 — Fri, 28 Feb 2014 19:28:07 GMT

I hope this helps. I know some may look odd where you see destination as WAN but i did verify with my PA rep that it is correct.

Security Policy

Re: 1-to-1 NAT

ddavis1 — Fri, 28 Feb 2014 19:30:42 GMT

Sorry forgot one image

Re: 1-to-1 NAT

StefanvanHattum — Sat, 01 Mar 2014 16:57:19 GMT

I had the NAT and security policy already setup exactly the same way, according to the student books

Also checked the objects and the ip-addresses all are good.

I have even added an extra NIC to the ESXi server and set the eth1/2 port to the new interface (promiscuous mode accept) so that the management interface and the data interface eth1/2 are on seperate nics but the same LAN.

But it still gives an incomplete.

It has something to do with the PA, because I have a PFSense firewall running on a different external IP address and the static NAT rules on that are working perfect.

I was planning to replace my PFSense for the VM-PA also to get some more hand-on experience as we are placing some PA's in the network at my work, but if I don't get the NAT working then I'll stick to PFsense.

Re: 1-to-1 NAT

HULK — Sun, 02 Mar 2014 02:53:52 GMT

Hello StefanvanHattum ,

If you are facing any problem with your PA-VM and could not identify the root cause of the issue, please open a ticket with PAN support and let us know what a good time would be to get together and continue to work on the network. Our number one priority is to ensure that everything is running smoothly at your site, and, minimize any business impact, the problem caused.

Thanks

Re: 1-to-1 NAT

Tjempeng — Sun, 02 Mar 2014 17:18:55 GMT

Hi Hulk,

thank you.

I ahve created a case at support.

Mind you that this is not impacting any business, this is just a test setup at home for learning purposes.

And I was planning to replace my PFSense, but I don't think I'm going to do that as there is no good way to get Xbox live to work

Regards,

Stefan.