https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240737#M68955 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>thank you for the reply,</P><P>&nbsp;</P><P>My goal here is to create Nat rule for two internal servers that go out using the same external IP,</P><P>&nbsp;</P><P>Only for outbound direction no bi-directional.</P><P>&nbsp;</P><P>I tried to use their IP address /32 and also for the static IP /32 without success.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nat rule fail.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17614iF8BF358EFE7AB569/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="nat rule fail.jpg" alt="nat rule fail.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Nov 2018 15:36:26 GMT SShnap 2018-11-21T15:36:26Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240655#M68935 <P>Hi all,</P><P>&nbsp;</P><P>I'm trying to create Nat rule for source translate when the source is address group and it will not be bi-directional.</P><P>&nbsp;</P><P>The address group include 2 address from objects.</P><P>The source translate is Static-IP tried to put object and specifric IP address with subnet (/32)</P><P>&nbsp;</P><P>I keep receiving the following error, also tried to use two-source address instead of address group with success.</P><P>&nbsp;</P><P>I'm on PANOS 8.1.1</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Nat rule error.jpg" style="width: 670px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17609i5E84F865080C65E9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Nat rule error.jpg" alt="Nat rule error.jpg" /></span></P> Tue, 20 Nov 2018 23:30:04 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240655#M68935 SShnap 2018-11-20T23:30:04Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240666#M68936 <P>If you have&nbsp; more than 1 IPs on one side then&nbsp; you have to have same amount at other side to use static nat.</P><P>Static nat leaves port number the same so if source sends traffic out from port 1234 then after static nat source port is still 1234.</P><P>In case of&nbsp;Dynamic IP And Port option source port is changed so multiple source IPs can be behind one IP.</P><P>&nbsp;</P><P>In your case you have to use&nbsp;Dynamic IP And Port option.</P> Wed, 21 Nov 2018 03:12:40 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240666#M68936 Raido_Rattameister 2018-11-21T03:12:40Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240702#M68941 <P>This will work (bi-directional static nat for a bunch of ip&nbsp;addresses) only if you set your original source addresses to a subnet (not a group object) and the subnet mask needs to exactly match the translation subnet</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bidir static subnet.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17610i603E37D6E89BE460/image-size/large?v=v2&amp;px=999" role="button" title="bidir static subnet.png" alt="bidir static subnet.png" /></span></P> Wed, 21 Nov 2018 09:09:42 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240702#M68941 reaper 2018-11-21T09:09:42Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240737#M68955 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>thank you for the reply,</P><P>&nbsp;</P><P>My goal here is to create Nat rule for two internal servers that go out using the same external IP,</P><P>&nbsp;</P><P>Only for outbound direction no bi-directional.</P><P>&nbsp;</P><P>I tried to use their IP address /32 and also for the static IP /32 without success.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nat rule fail.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17614iF8BF358EFE7AB569/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="nat rule fail.jpg" alt="nat rule fail.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Nov 2018 15:36:26 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240737#M68955 SShnap 2018-11-21T15:36:26Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240741#M68957 <P>In this case you can't use static-ip.</P><P>Choose "<SPAN>Dynamic IP And Port" from droppdown.</SPAN></P> Wed, 21 Nov 2018 15:57:12 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240741#M68957 Raido_Rattameister 2018-11-21T15:57:12Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240744#M68959 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>, for the dynamic IP and port it allows my to apply that Nat rule.</P><P>&nbsp;</P><P>How it will behave if those servers are exhcnage servers in DAG design and the outbound traffic is 25 SMTP.</P><P>&nbsp;</P><P>Does the smtp traffic will work on the other end? sending emails out?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Nov 2018 16:03:11 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240744#M68959 SShnap 2018-11-21T16:03:11Z https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240758#M68962 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a>,</P><P>Email systems really don't care about the source-port the traffic is coming from; the traffic just need to hit and open port on the other end.&nbsp;</P> Wed, 21 Nov 2018 17:29:16 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-create-nat-rule-using-more-than-one-source-address/m-p/240758#M68962 BPry 2018-11-21T17:29:16Z