topic Re: Creating a Dynamic NAT and exclude addresses from pool in General Topics

Creating a Dynamic NAT and exclude addresses from pool

bmorrison — Mon, 26 Sep 2011 14:14:00 GMT

There are known issues online with some external sources not accepting addresses with the last octet ending in .0 or .255. Are there any known ways to exclude these addresses from a Dynamic External IP Pool?

Re: Creating a Dynamic NAT and exclude addresses from pool

nrice — Wed, 05 Oct 2011 16:01:24 GMT

Hi,

The document at this link explains how to create a NAT policy which excludes addresses from a pool:

https://live.paloaltonetworks.com/docs/DOC-1258

Re: Creating a Dynamic NAT and exclude addresses from pool

bmorrison — Wed, 05 Oct 2011 16:12:11 GMT

This looks as if it would create a "No NAT" rule for the internal addressing. I would need this to exclude addresses in the "External" addressing (Outside World). I cannot create a rule simply being a range from .1-.254 because I am creating the rule to encompass the entire /21 external subnet, and the PA will not allow multiple external ranges in the translation of a single rule, so i would not be able to break these down per /24 external subnet and create the ranges excluding the .0 and .255 addresses.

Re: Creating a Dynamic NAT and exclude addresses from pool

bpappas — Wed, 09 Nov 2011 08:25:41 GMT

have you tried to specify ranges that start @ .1 and end on .254 instead of using CIDR notation?

Re: Creating a Dynamic NAT and exclude addresses from pool

bmorrison — Fri, 11 Nov 2011 21:03:06 GMT

This would not work, because the Palo-Alto does not support multiple external ranges within one Dynamic Policy. Therefore you would only be able to create a single /24 network per policy, and that is not feasible in a system with over 10,000 internal users. Currently, the PA does not support multiple external ranges per policy, or NAT/PAT overload. This could easily be accomplished with a radio button to exempt network and broadcast addresses from the pool.