https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/121361#M46031 <P>Thank you RFalconer for the explanation! It helps.</P> Tue, 25 Oct 2016 23:02:35 GMT Farzana 2016-10-25T23:02:35Z https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/120687#M45960 <P>Hello,</P><P>&nbsp;</P><P>We have BGP routing on WAN interface with WAN IP and an additional subnet ip address&nbsp;which is advertised by the firewall to the ISP. When we create a NAT translation from a private IP address to a public IP address&nbsp;from this additional subnet then we don't receive any traffic for it at all. It's not in under monitor tab. When we check BGP status, it is correctly advertising the whole subnet. However, when&nbsp;we create a loopback, NAT translation will start working straight away without any changes.</P><P>&nbsp;</P><P>Is Palo Alto not advertising ARP for the NAT translation when this IP is not a directly connected interface? Is this an expected behaviour?</P><P>&nbsp;</P><P>Thanks in Advance.</P> Mon, 24 Oct 2016 06:32:33 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/120687#M45960 Farzana 2016-10-24T06:32:33Z https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/121052#M46010 <P>&nbsp;</P><P><SPAN>I know that FW&nbsp;will not proxy ARP for NAT addresses only in v wire mode. What about in layer 3 mode?</SPAN></P><P>&nbsp;</P><P><SPAN>The issue is that it appears that NAT doesn’t arp the public IP address to the ISP router. So&nbsp;created a loopback as a workaround.</SPAN></P><P>&nbsp;</P><P><SPAN>Much appreciate if someone can shed some light.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 25 Oct 2016 05:37:46 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/121052#M46010 Farzana 2016-10-25T05:37:46Z https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/121333#M46030 <P>You need to create a route for the additional subnet that needs the translations. If there isn't an entry in the routing table, the traffic will be dropped before the NAT is processed. If you look at the packet flow, a lookup is done early in the flow, before the actual forwarding is done. If the lookup fails, it gets dropped.&nbsp;</P><P>Have a look at this document on page 4 to see where the route lookup happens before NAT lookup.</P><P><A href="https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf" target="_blank">https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf</A></P><P>&nbsp;</P><P>I've had to do this in a couple of locations. You can just create a dummy route for each host you need to NAT or a route for the entire subnet. The route doesn't even need to have a next hop address, just an entry. I typically use the untrust interface for forwarding.</P><P>Here is an example of one I have. (e1/1 is untrust) The 209 address is in the extra subnet that was assigned, not in the same network as the ISP facing interface.</P><P>set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf interface ethernet1/1<BR />set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf metric 10<BR />set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf destination 209.x.x.x/32</P> Tue, 25 Oct 2016 21:01:45 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/121333#M46030 RFalconer 2016-10-25T21:01:45Z https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/121361#M46031 <P>Thank you RFalconer for the explanation! It helps.</P> Tue, 25 Oct 2016 23:02:35 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-not-advertising-for-nat-translation/m-p/121361#M46031 Farzana 2016-10-25T23:02:35Z