topic Re: NAT translation help in General Topics

NAT translation help

GIT_Sean — Fri, 15 Feb 2019 17:30:03 GMT

For the life of me I can't figure out something that should be simple. I'm having a problem with a nat translation setup. Here is the requirement:

I have various computers/devices on several IP addresses and different subinterfaces, for example:

Device 1:

IP address: 10.47.5.21

Subinterface: Ethernet1/1.5

Zone: Control_NET

Device 2:

IP address: 10.47.20.50
Subinterface: Ethernet1/1.20

Zone: Server_NET

I need to NAT these devices to another range, in this example, to 172.221.16.32/28 range. So it should go like this:

10.47.5.21 <-> 172.221.16.32

10.47.20.50 <-> 172.221.16.42

...

The reason for this is I have a customer that has a site-to-site VPN connection and will only be looking at the 172.221.16.32/28 range. What sort of NAT translation do I need to do? I've tried the following and it's not working:

Re: NAT translation help

OtakarKlier — Fri, 15 Feb 2019 18:03:10 GMT

Hello,

Do you have corresponding security policies to allow the traffic? The logs should show if/why the traffic is getting blocked. This is just the NAT part of it. Also check routing?

Just some thoughts.

Re: NAT translation help

GIT_Sean — Fri, 15 Feb 2019 18:22:55 GMT

I believe so. I have an allow policy with Control_Net and Server_Net as the source zone and the VPN as the destination zone, and a corrisponding allow policy with the VPN as the source zone and Control_Net and Server_Net as the destination zone. I'm not sure if this is the right way as the Control_Net zone is for the 10.47.5.0/24 addresses and the Server_Net zone is for 10.47.20.0/24 addresses. Where do I place a security policy that allows traffic to/from the NAT range of 172.16.221.32/28? Do I need to devine a zone for the NAT range, and if so, how do I go about it?

Re: NAT translation help

GIT_Sean — Fri, 15 Feb 2019 20:04:19 GMT

What I am trying to do is replicate the following rules that are currently in an old Cisco 2901 router that I am replacing with the PA-220:

ip nat inside source static 10.47.5.22 172.16.221.33 route-map 2EDF

ip nat inside source static 10.47.5.21 172.16.221.34 route-map 2EDF

ip nat inside source static 10.47.28.100 172.16.221.35 route-map 2EDF

ip nat inside source static 10.47.20.22 172.16.221.36 route-map 2EDF

ip nat inside source static 10.47.20.5 172.16.221.37 route-map 2EDF

ip nat inside source static 10.47.20.11 172.16.221.38 route-map 2EDF

ip nat inside source static 10.47.20.12 172.16.221.39 route-map 2EDF

ip nat inside source static 10.47.20.26 172.16.221.40 route-map 2EDF

ip nat inside source static 10.47.20.27 172.16.221.41 route-map 2EDF

ip nat inside source static 10.47.20.50 172.16.221.42 route-map 2EDF

ip nat inside source static 10.47.20.51 172.16.221.43 route-map 2EDF

access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.200.0 0.0.0.255

access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.202.0 0.0.0.255

access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.207.0 0.0.0.255

access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.208.0 0.0.0.255

access-list 105 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

route-map 2EDF permit 10

match ip address 105

I've tried about every combination of NAT rule, Zone config, Security Policy, and virtual router static route that I can think of and I cannot figure it out. With the above rules on the old router, I can ping from, say, a server at 10.47.20.50 to the natted IP of another server on the local network such as 172.16.221.43 (that is mapped to 10.47.20.51). I can't for the life of me get this to work on the PA-220. Also, the other end of the VPN can ping from one of their subnets to the 172.16.221.32/28 range successfully when the VPN is active on the old CIsco router.