topic Re: Natting to ip address which is not binded to any interface in General Topics

Natting to ip address which is not binded to any interface

nitesharbale — Wed, 04 Mar 2020 11:58:04 GMT

Hello Everyone,

I want to nat traffic going from dmz zone to wan zone. I want to nat ip (172.16.16.16&172.16.17.17-dmz zone) to use nat ip 200.0.0.1 which is not configured to any interface. I am unable to perform this. Please find below snap.

1)Interface IP addresses.

2)NAT rule

3)Security Policy

4)Topology

On R2 when i debug ip address i can see 200.0.0.1 ip but from R3 i cannot telnet

Please let me know what am i missing ?

Re: Natting to ip address which is not binded to any interface

SutareMayur — Wed, 04 Mar 2020 13:22:51 GMT

@nitesharbaleWhat are you seeing under traffic logs? It is matching security policy and NAT, also is traffic going on correct WAN interface?

Where both these subnet resides as DMZ subnet configured on firewall is 172.16.1.0/24 and below server IP belongs to different subnets?

Do you have reverse routes on firewall for IPs 172.16.16.16&172.16.17.17 ?

Mayur

Re: Natting to ip address which is not binded to any interface

nitesharbale — Wed, 04 Mar 2020 14:27:06 GMT

Hi Mayur,

Please find the answers below. Let me know if anything else required

Q1)What are you seeing under traffic logs? It is matching security policy and NAT, also is traffic going on correct WAN interface?

Ans i cannot see traffic logs. i think i requires license. There is single WAN interface which is connected to R2. Security policy and nat rule are in snap posted earlier.

2)Where both these subnet resides as DMZ subnet configured on firewall is 172.16.1.0/24 and below server IP belongs to different subnets?

172.16.1.2/24--R3 interface ip connected to PA , (172.16.16.16/32, 172.16.17.17/32---R3 loopback) . All are in same zone i.e DMZ

3)Do you have reverse routes on firewall for IPs 172.16.16.16&172.16.17.17 ?

Re: Natting to ip address which is not binded to any interface

SutareMayur — Wed, 04 Mar 2020 15:04:08 GMT

@nitesharbalePlease verify traffic using test command and see if matching correct Security policy, NAT and Route.

Mayur

Re: Natting to ip address which is not binded to any interface

OtakarKlier — Thu, 05 Mar 2020 18:14:18 GMT

Hello,

This is possible as long as the PAN knows where to route the traffic. I didnt review the config, but as stated, check the logs and see where/if the policies are getting applied and or traffic getting blocked.

Regards,

Re: Natting to ip address which is not binded to any interface

OwenFuller — Thu, 05 Mar 2020 19:34:00 GMT

If you are doing a source NAT with an address of 200.0.0.1, but this is not the subnet between your firewall and WAN router (R2). How are you going to get a reply back from R2 like this?

Re: Natting to ip address which is not binded to any interface

jeremy.larsen — Thu, 05 Mar 2020 20:25:12 GMT

Do you have a route on R2 pointing back to the PAN with this address? Also, since the IP has no interface associated with it you may have to put in what I call a "ghost route" to make sure your zones align properly. Add a route with an interface value and next hop value of "none" to assign the proper zone.