How to Write a Source NAT Rule Using Panorama

17214
Created On 09/25/18 17:15 PM - Last Modified 02/07/19 23:54 PM


Resolution


When creating a Source NAT rule directly on a firewall, it is common to set the Address Type to Interface Address and select one of the IP addresses assigned to that interface as the translated source address.

When using Panorama, the Interface Address drop-down list does not offer any interfaces. If an interface name is typed into the field, the IP Address field cannot be changed from None. This is by design: interface names collide across managed firewalls (nearly every firewall has an ethernet1/1, ethernet1/2, and so on), and the combined list would be very large. Panorama can manage over 100 firewalls if licensed to do so, and each firewall can have hundreds of interfaces once sub-interfaces are counted.

There are two scenarios:

  1. The firewall interface has a single IP address defined.

    In this case, configure the NAT rule with Address Type 'Interface Address', enter the interface name, and leave the IP address set to 'None'. When the configuration is pushed to a device, the firewall uses the first IP address defined on that interface to translate the traffic. After the push, confirm the address the firewall actually chose with 'show running nat-policy' on the firewall CLI.

    Note: This method is supported only on standalone firewalls and on Active/Passive High Availability (HA) pairs. Active/Active HA does not support this type of NAT rule; use scenario 2 (below) for Active/Active HA clusters.

    [Screenshot: panonat.JPG, Panorama NAT rule with Address Type 'Interface Address' and IP address 'None']

  2. The firewall interface has multiple IP addresses defined and the desired translated address is not the first one.

    In this case, you must select Address Type "Translated Address" and enter the desired IP address manually. Because Panorama pushes the same literal address to every firewall in the device group, make sure that address is valid on the egress interface of each firewall that receives the rule.

    [Screenshot: SourceNAT.png, Panorama NAT rule with Address Type 'Translated Address' and an explicit IP]
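The decision between the two scenarios above, as an added example that is not part of the original article: given the IP addresses configured on the firewall interface, the address you want to translate to, and the HA mode, the script picks 'Interface Address' with IP 'None' only when the firewall would use the first interface IP and is standalone or Active/Passive; otherwise it falls back to 'Translated Address' with an explicit IP. The rule names, device group, zones and IPs are made up for illustration, and the rendered Panorama 'set' command follows the PAN-OS CLI syntax for a device-group pre-rulebase NAT rule; check it with '?' completion on your own Panorama version before relying on it.

```python
"""Pick the translated-address form for a Panorama source NAT rule.

Added example (not code from the original article). It encodes the article's
two scenarios: 'Interface Address' with IP 'None' works only when the firewall
should use the first IP on the interface and is standalone or Active/Passive;
any other case needs 'Translated Address' with an explicit IP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRuleSpec:
    rule_name: str
    device_group: str
    from_zone: str
    to_zone: str
    interface: str
    # Interface IPs in the order they are configured on the firewall
    # (PAN-OS stores them in CIDR form, hence ip_interface() below).
    interface_ips: List[str]
    # Desired translated IP; None means "whatever the interface uses first".
    desired_ip: Optional[str] = None
    # "standalone", "active-passive" or "active-active"
    ha_mode: str = "standalone"


# The article: Interface Address with IP 'None' is not supported on Active/Active HA.
INTERFACE_ADDRESS_HA_MODES = ("standalone", "active-passive")


def choose_address_type(spec: NatRuleSpec) -> Tuple[str, Optional[str]]:
    """Return ("interface-address", None) or ("translated-address", ip)."""
    ips = [str(ipaddress.ip_interface(i).ip) for i in spec.interface_ips]
    if not ips:
        raise ValueError(f"{spec.interface} has no IP address configured")
    desired = str(ipaddress.ip_address(spec.desired_ip)) if spec.desired_ip else ips[0]
    if desired not in ips:
        # Guard against pushing an address the target firewall does not own.
        raise ValueError(f"{desired} is not configured on {spec.interface}: {ips}")
    if desired == ips[0] and spec.ha_mode in INTERFACE_ADDRESS_HA_MODES:
        # Scenario 1: leave the IP at None in Panorama; the firewall substitutes
        # the first address on the interface after the push.
        return ("interface-address", None)
    # Scenario 2 (second or later IP, or Active/Active HA): spell the IP out.
    return ("translated-address", desired)


def panorama_set_command(spec: NatRuleSpec) -> str:
    """Render the rule as a Panorama 'set' command in the device group's pre-rulebase.

    Syntax is the PAN-OS configure-mode form as the author of this example
    knows it (assumption); verify against your Panorama release.
    """
    kind, ip = choose_address_type(spec)
    base = (
        f"set device-group {spec.device_group} pre-rulebase nat rules {spec.rule_name} "
        f"from {spec.from_zone} to {spec.to_zone} source any destination any service any "
        f"source-translation dynamic-ip-and-port "
    )
    if kind == "interface-address":
        return base + f"interface-address interface {spec.interface}"
    return base + f"translated-address {ip}"


if __name__ == "__main__":
    # Constructed sample firewalls; 203.0.113.0/24 is documentation space.
    single_ip = NatRuleSpec("outbound-nat", "DG-Branch", "trust", "untrust",
                            "ethernet1/1", ["203.0.113.10/24"])
    second_ip = NatRuleSpec("outbound-nat", "DG-Branch", "trust", "untrust",
                            "ethernet1/1", ["203.0.113.10/24", "203.0.113.11/24"],
                            desired_ip="203.0.113.11")
    active_active = NatRuleSpec("outbound-nat", "DG-AA", "trust", "untrust",
                                "ethernet1/1", ["203.0.113.10/24"], ha_mode="active-active")
    for spec in (single_ip, second_ip, active_active):
        print(choose_address_type(spec))
        print(panorama_set_command(spec))
```

Run it directly to see which form each sample firewall gets; the Active/Active case is forced to 'Translated Address' even though the desired IP is the first one on the interface, which is the trap the note in scenario 1 warns about.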

owner: gwesson



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE4CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail