https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/182443#M56190 <P>Hi mgarg, Thank you for reply.</P><P>&nbsp;</P><P>Since the router is a virtual router NAT in VMWare Workstation, I am currently unable to find the solution to add the static routing. Therefore, I should implement the virtual router myself (e.g. using Ubuntu VM). By the way, your solution works as expected!</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 18 Oct 2017 01:46:03 GMT hibagus 2017-10-18T01:46:03Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/181935#M56104 <P>Dear all,</P><P>&nbsp;</P><P>I am a newbie and currently at the first phase to learn Palo Alto Firewall. I am setting-up a simple virtual network topology using VMWare Workstation as follows.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Drawing1.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11947i153E82B905CD068E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Drawing1.png" alt="Drawing1.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>As you can see from the diagram, there are two zones which are labeled as Trust and Untrust with network 192.168.250.0/24 and 192.168.150.0/24 respectively. The ETH1/1 is facing to the Trust Zone and has IP address 192.168.250.10 where the ETH1/2 is facing to the Untrust Zone and has IP address 192.168.150.10.</P><P>&nbsp;</P><P>My first approach for basic configuration is as follows.</P><P>1. Configure the Management Interface on 192.168.100.10. I can access it both from web browser and from SSH on Management PC.</P><P>2. Configure ETH1/1 and ETH1/2 IP address</P><P>3. Create Zone labeled as Trust and Untrust then assign them to ETH1/1 and ETH1/2 respectively.</P><P>4. Create Virtual Router named Default for ETH1/1 and ETH1/2 and set a static route&nbsp;as follows</P><P>- Name: Default</P><P>- Destination: 0.0.0.0/0</P><P>- Interface: None</P><P>- Next Hop: IP Address 192.168.150.2</P><P>- Metric: 10</P><P>- Route Table: Unicast</P><P>5. Add new Security Policies as follows</P><P>- Name: Internet Access</P><P>- Type: Universal</P><P>- Source: Zone Trust, Address Any, User Any, HIP Profile Any</P><P>- Destination: Zone Untrust, Address Any</P><P>- Application: Any</P><P>- Service: Any</P><P>- Action: Allow</P><P>- Profile: None</P><P>6. Add new NAT Policies as follows</P><P>- Name: Default</P><P>- Source: Zone Trust, Address Any, Service Any</P><P>- Destination: Zone Untrust, Address Any, Service Any</P><P>- Source Translation: Dynamic IP and Port, Interface ETH1/2, IP 192.168.150.10/24</P><P>- Destination Translation: None</P><P>&nbsp;</P><P>With this configuration, the Trust PC can access internet. Moreover, using the CLI on the PA-VM, I can ping 8.8.8.8 from both side.</P><P>ping source 192.168.150.10 host 8.8.8.8</P><P>ping source 192.168.250.10 host 8.8.8.8</P><P>&nbsp;</P><P>My question is, can I achieve the same without using NAT? I just want to configure the firewall without NAT so that I can demonstrate the access policy between the Untrust PC to access some resource in Trust PC. When I disable the NAT policy, I cannot ping the 8.8.8.8 from 192.168.250.10 side but I can ping the 8.8.8.8 from 192.168.150.10 side.</P><P>&nbsp;</P><P>Any help would be highly appreciated</P><P>Thank you.</P><P>&nbsp;</P><P>Sincerely,</P><P>Bagus.</P> Sun, 15 Oct 2017 11:36:00 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/181935#M56104 hibagus 2017-10-15T11:36:00Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/181966#M56111 <P>the reason why you are not able to get to internet, once you disable the nat policy , is because your modem does not know how to reach 192.168.250.0/24 network for the return packet and hence it would drop it.</P><P>&nbsp;</P><P>Add route on your modem to route traffic for 192.168.250.0/24 to 192.168.150.10</P> Wed, 18 Oct 2017 00:43:59 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/181966#M56111 mgarg 2017-10-18T00:43:59Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/181967#M56112 <P>Add a static route to your modem.</P><P>&nbsp;</P><P>192.168.250.0/24. Via 192.168.150.10</P> Sun, 15 Oct 2017 20:27:30 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/181967#M56112 Mick_Ball 2017-10-15T20:27:30Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/182443#M56190 <P>Hi mgarg, Thank you for reply.</P><P>&nbsp;</P><P>Since the router is a virtual router NAT in VMWare Workstation, I am currently unable to find the solution to add the static routing. Therefore, I should implement the virtual router myself (e.g. using Ubuntu VM). By the way, your solution works as expected!</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 18 Oct 2017 01:46:03 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-palo-alto-firewall-without-nat-policy/m-p/182443#M56190 hibagus 2017-10-18T01:46:03Z