https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-nat-for-untagged-subinterfaces/m-p/77872#M42736 <P>HI</P> <P>&nbsp;</P> <P>We have exact same scenario, but rather than doing the NAT with the ip address of the interface, we need to nat with 1 of the ip address which is the same range with FW sub interface (untagg).</P> <P>&nbsp;</P> <P>What we are trying to do is PA firewall running multiple VSYS, each VSYS will share one physical interface with multiple untagg subinterfaces, and each VSYS to get 1 public ip each from the same range. Also some of the extra remaining public IP address we need to perform 1 to 1 NAT.</P> <P>&nbsp;</P> <P>1 to 1 NAT works fine when public ip address is configured on main interface of fw with untag, NAT doesn't work anymore when we move public ip to sub interface(untagg). However, communication from multiple VSYS with untag sub interface still can communicate with outside world via ip address assigned on untag sub interfaces.</P> <P>&nbsp;</P> <P>Please could you help ? Thanks</P> Tue, 10 May 2016 21:48:45 GMT sailwinthu 2016-05-10T21:48:45Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-nat-for-untagged-subinterfaces/m-p/48062#M35345 <HTML><HEAD></HEAD><BODY><P>I'm trying to set up a fairly simple configuration where we have our separate wired and wireless networks connecting to the internet via one shared interface eth1/1</P><P></P><P>Basically, I am attempting to replicate the configuration here <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1884">https://live.paloaltonetworks.com/docs/DOC-1884</A> (but with only 2 local networks, not 3). This document stresses that explicit NAT rules must be set up, but does not give an example on how to do this.</P><P></P><P>I have set up untagged sub interfaces, the virtual routers, policies and what I believe to be the correct NAT policies. I know these are correct because if I only set up one sub interface everything is OK.</P><P></P><P>As soon as I set up a second subinterface and hook it up to the virtual router, traffic stops flowing. <STRONG>I am assuming that is because I have not created the NAT policy correctly</STRONG>.</P><P></P><P>Please can somebody provide an example NAT policy for an untagged subinterface.</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 16 Jul 2012 13:20:51 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-nat-for-untagged-subinterfaces/m-p/48062#M35345 CATSatIDS 2012-07-16T13:20:51Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-nat-for-untagged-subinterfaces/m-p/48063#M35346 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">Without source NAT, untagged subinterfaces will not work.&nbsp; We have to map traffic to a particular zone/vsys based on the destination of that packet (it must match a subinterface IP address).&nbsp; Please refer to following doc in order to configure right NAT rules for untagged subinterfaces. Please let us know if that helps.</SPAN></P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2781">https://live.paloaltonetworks.com/docs/DOC-2781</A></P></BODY></HTML> Thu, 13 Sep 2012 00:38:24 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-nat-for-untagged-subinterfaces/m-p/48063#M35346 snisar 2012-09-13T00:38:24Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-nat-for-untagged-subinterfaces/m-p/77872#M42736 <P>HI</P> <P>&nbsp;</P> <P>We have exact same scenario, but rather than doing the NAT with the ip address of the interface, we need to nat with 1 of the ip address which is the same range with FW sub interface (untagg).</P> <P>&nbsp;</P> <P>What we are trying to do is PA firewall running multiple VSYS, each VSYS will share one physical interface with multiple untagg subinterfaces, and each VSYS to get 1 public ip each from the same range. Also some of the extra remaining public IP address we need to perform 1 to 1 NAT.</P> <P>&nbsp;</P> <P>1 to 1 NAT works fine when public ip address is configured on main interface of fw with untag, NAT doesn't work anymore when we move public ip to sub interface(untagg). However, communication from multiple VSYS with untag sub interface still can communicate with outside world via ip address assigned on untag sub interfaces.</P> <P>&nbsp;</P> <P>Please could you help ? Thanks</P> Tue, 10 May 2016 21:48:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-nat-for-untagged-subinterfaces/m-p/77872#M42736 sailwinthu 2016-05-10T21:48:45Z