https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396914#M91432 <P>While I have not had to do this. The articles go into this using NAT when you have the same subnets on the both sides.</P> Fri, 09 Apr 2021 15:55:04 GMT OtakarKlier 2021-04-09T15:55:04Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396852#M91415 <P>Hi Everyone,&nbsp;</P><P>&nbsp;</P><P>I am struggling to solve a problem NAT issue and need some help.&nbsp;I need to configure May-to-Many NAT on Palo Alto Firewall&nbsp; between two data centers. I have three /25 IPv4 subnets which needs to be mapped to three /25 subnets (subnet to subnet basis if not one to one IP basis) and three IPv6 /40 subnets needs same treatment. Traffic is expected to come from both direction inside to outside and outside to inside on specified TCP, UDP and ICMP ports. I have PA3220 which has been upgraded to PAN OS 9.0 and I will applicate if you can suggest best way to achieve this? Do I need to consider any resource limitation as I have three /25 IPv4 and three /40 IPv6 subnets which can overwhelm the resource?&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>RT</P> Fri, 09 Apr 2021 13:01:53 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396852#M91415 rthakker 2021-04-09T13:01:53Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396893#M91422 <P>Hello,</P> <P>How are the two data centers connected? Just curious as to why you need the NAT?</P> <P>&nbsp;</P> <P>Regards,</P> Fri, 09 Apr 2021 15:00:15 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396893#M91422 OtakarKlier 2021-04-09T15:00:15Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396907#M91428 <P>Yes they are connected but part of Migration work and removing Overlapping addresses requires NAT.&nbsp;</P> Fri, 09 Apr 2021 15:34:40 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396907#M91428 rthakker 2021-04-09T15:34:40Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396911#M91429 <P>Hello,</P> <P>Please check out these articles and see if they help out.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLTlCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLTlCAO</A></P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/overlapping-subnets-in-virtual-router-and-nat/m-p/199902#M59180" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/overlapping-subnets-in-virtual-router-and-nat/m-p/199902#M59180</A></P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> Fri, 09 Apr 2021 15:44:01 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396911#M91429 OtakarKlier 2021-04-09T15:44:01Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396912#M91430 <P>Thank you for the prompt reply. I will check your suggested solution. In the meantime please could you tell me if it possible to solve by NAT or its impractical?&nbsp;&nbsp;</P> Fri, 09 Apr 2021 15:53:00 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396912#M91430 rthakker 2021-04-09T15:53:00Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396914#M91432 <P>While I have not had to do this. The articles go into this using NAT when you have the same subnets on the both sides.</P> Fri, 09 Apr 2021 15:55:04 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396914#M91432 OtakarKlier 2021-04-09T15:55:04Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396916#M91433 <P>I do have similar challenges due to migration work hence wanted to employ NAT as traffic is expected both ways between subnets hence NAT seems good option.&nbsp; &nbsp;</P> Fri, 09 Apr 2021 16:07:05 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/396916#M91433 rthakker 2021-04-09T16:07:05Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/397095#M91451 <P>All,</P><P>&nbsp;</P><P>I have noticed when Destination NAT configured for IPs which aren't configured on Firewall packets are being dropped so /25(IPv4)&nbsp; and /40(IPv6). If I add subnet as a Loopback interrace on firewall then NAT works. I tried using static discard route (Null route) but its not solving the issue. I am guessing its proxy-arp issue or is it something else? Any other way to solve the issue?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 11 Apr 2021 14:51:11 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/397095#M91451 rthakker 2021-04-11T14:51:11Z https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/397233#M91466 <P>I would do this using several NAT rules (one for each subnet).&nbsp; See the third example on the static NAT section for use with subnets.&nbsp; (I have also configured and tested this in the past)</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat.html</A></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Apr 2021 15:06:44 GMT https://live.paloaltonetworks.com/t5/general-topics/many-to-many-nat-both-direction/m-p/397233#M91466 Chris_Johnston 2021-04-12T15:06:44Z