The Palo Alto Networks firewall drops any inbound packet destined for a public IP address that is neither configured on the device nor covered by a route in the Virtual Router. Configuring Network Address Translation (NAT) for an IP address that doesn't exist on any interface on the firewall therefore requires an extra step.
Note: This scenario assumes that a route for the IP address to be used for NAT already points to the firewall's untrust interface. This is normally handled by an upstream device or by the ISP, and ensures that return traffic reaches the firewall's untrust interface.
Resolution
There are three possible solutions for this issue:
Configure a route for the destination IP to go through the untrust interface.
Network > Virtual Routers > choose the virtual router Name > Static Routes
Add a new route:
Why configure the false route? When the packet arrives on the Palo Alto Networks firewall, a Layer 3 lookup is done. The NAT takes place when the L3 address is resolved. If a Destination NAT is configured, then another L3 lookup is performed (as the destination has changed), and finally the policy lookup is done. If a packet arrives for a destination that's not on the Palo Alto Networks firewall, and there's no route for it, it is dropped. Configuring the false route prevents this from happening.
Create a secondary IP address, either the new destination NAT IP itself or an address in its network. Example: If 70.1.1.1/24 is on Ethernet1/3 (Untrust), and destination NAT needs to be configured for 70.1.2.22, add either the IP address 70.1.2.22/32, or an IP in the network (70.1.2.1/24 for example) as a secondary IP on the Untrust interface. This tells the firewall that the network exists on this firewall, so it knows how to route the traffic properly.
You can also apply the IP address to a Loopback interface, as this will accomplish the same function as adding a secondary IP on an interface.
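The lookup order described under "Why configure the false route?" can be modelled in a few lines of Python, using the 70.1.1.1/24 and 70.1.2.22 addresses from the example above. This is an added example, not Palo Alto Networks code: a simplified model that does not evaluate zones or policy, and the Trust-side subnet 192.168.10.1/24, the server address 192.168.10.22, the interface ethernet1/2 and the function names are assumptions made for illustration.

```python
import ipaddress

def lookup(routes, ip):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, ifc) for net, ifc in routes if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def process(dst, routes, dnat):
    """Simplified model of the lookup order described above."""
    # 1. First L3 lookup, on the original (pre-NAT) destination.
    if lookup(routes, dst) is None:
        return "drop: no route for pre-NAT destination " + dst
    # 2. Destination NAT, then a second L3 lookup on the new destination.
    translated = dnat.get(dst, dst)
    egress = lookup(routes, translated)
    if egress is None:
        return "drop: no route for translated destination " + translated
    # 3. Policy lookup would follow here; this model does not evaluate it.
    return f"forward to {translated} via {egress}"

def net(cidr):
    """Build a network from an interface address such as 70.1.1.1/24."""
    return ipaddress.ip_network(cidr, strict=False)

# Connected routes: 70.1.1.1/24 on ethernet1/3 (Untrust) is from the article;
# the Trust-side subnet and server address are constructed for this example.
BASE_ROUTES = [(net("70.1.1.1/24"), "ethernet1/3"),
               (net("192.168.10.1/24"), "ethernet1/2")]
DNAT = {"70.1.2.22": "192.168.10.22"}

# Solution 1: the false static route for the NAT address via Untrust.
FALSE_ROUTE = [(net("70.1.2.22/32"), "ethernet1/3")]
# Solution 2: a secondary IP in that network creates a connected route.
SECONDARY_IP = [(net("70.1.2.1/24"), "ethernet1/3")]

if __name__ == "__main__":
    for label, extra in [("no extra step", []),
                         ("false route", FALSE_ROUTE),
                         ("secondary IP", SECONDARY_IP)]:
        result = process("70.1.2.22", BASE_ROUTES + extra, DNAT)
        print(f"{label:14} -> {result}")
```

Without the extra route or secondary IP, the packet fails the first lookup and never reaches the NAT step, which is the drop the article describes.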
NAT Rules Configuration
Bi-directional NAT:
Configure a false route for that IP to go through the Untrust interface.
NAT details
Source Zone: Trust
Dest Zone: Untrust
Source IP: Private IP
Dest IP: Public IP (which is not under the Untrust subnet)
Destination NAT:
Configure a false route for that IP to go through the Untrust interface.