DotW: Unexpected Proxy ARP from NAT Policy

by Community Manager on 06-13-2016 05:14 AM - edited on 06-13-2016 11:30 AM (7,655 Views)

In this week's Discussion of the Week, we will be taking a closer look at a remark posted by user msullivan regarding proxy ARP and its expected behavior.


Depending on the way NAT is configured on the Palo Alto Networks firewall, proxy ARP may act differently:


When a generic 'hide' NAT (many-to-one) policy is configured, the most straightforward option is to set the translation type to dynamic-ip-and-port and select the external interface as the translated address.


Even if the interface is configured with a wider subnet mask, this rule translates all outbound sessions behind the firewall's interface IP alone, treated as a /32. The advantage is that the rule is easy to configure, and the upstream router already learns the firewall's MAC address through ordinary ARP, because the interface answers ARP requests for its own configured IP address.

This policy will simply translate all sessions from trust to untrust behind 198.51.100.241 and assign a random source port.


Things change if the interface is not selected as the 'translation template' and the administrator instead enters a free subnet as the translated address.
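To make the difference between the two translation modes concrete, the following Python script is an added example (it is not code from the article or from Palo Alto Networks) that audits which untrust-side addresses a NAT rule would make the firewall answer ARP for. The behaviour it models is an assumption stated in the code: an interface-address rule answers ARP only for the interface IP, while a translated-address object is answered for every host address of the object that falls inside the egress interface's subnet. The interface `ethernet1/1`, the `198.51.100.241/26` addressing and the neighbouring hosts are constructed for the example.

```python
"""Audit which untrust-side addresses a PAN-OS-style NAT rule makes the firewall answer ARP for.

Added example, not code from the article or from Palo Alto Networks. Modelled
behaviour (an assumption of this script): with source translation set to
dynamic-ip-and-port, an interface-address rule answers ARP only for the
interface IP itself, while a translated-address rule answers ARP for every
host address of the object that falls inside the egress interface's subnet.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class NatRule:
    name: str
    egress_interface: str
    interface_address: bool = False            # True: translate behind the interface IP (/32)
    translated: List[str] = field(default_factory=list)  # address objects, e.g. "198.51.100.241/26"


# Constructed topology: the untrust interface and the neighbours that must keep their own ARP.
INTERFACES = {"ethernet1/1": "198.51.100.241/26"}
KNOWN_HOSTS = {
    "198.51.100.193": "upstream router",
    "198.51.100.200": "partner firewall",
}


def _usable_addresses(net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Address]:
    """All addressable hosts; /31 and /32 have no distinct network/broadcast address."""
    if net.prefixlen >= 31:
        return list(net)
    return list(net.hosts())


def proxy_arp_addresses(rule: NatRule) -> Set[str]:
    """Addresses the rule makes the firewall respond to ARP requests for."""
    iface = ipaddress.ip_interface(INTERFACES[rule.egress_interface])
    if rule.interface_address:
        return {str(iface.ip)}
    answered: Set[str] = set()
    for obj in rule.translated:
        net = ipaddress.ip_network(obj, strict=False)   # keep the mask the admin typed
        for host in _usable_addresses(net):
            if host in iface.network:                   # proxy ARP only on the connected segment
                answered.add(str(host))
    return answered


def collisions(rule: NatRule, known_hosts: Dict[str, str] = KNOWN_HOSTS) -> Dict[str, str]:
    """Neighbours whose ARP the firewall would now compete for."""
    answered = proxy_arp_addresses(rule)
    return {ip: owner for ip, owner in known_hosts.items() if ip in answered}


# The two variants the article contrasts: interface address vs. an object carrying the /26 mask.
HIDE_NAT_INTERFACE = NatRule("hide-nat", "ethernet1/1", interface_address=True)
HIDE_NAT_OBJECT = NatRule("hide-nat-aa", "ethernet1/1", translated=["198.51.100.241/26"])

if __name__ == "__main__":
    for rule in (HIDE_NAT_INTERFACE, HIDE_NAT_OBJECT):
        addrs = proxy_arp_addresses(rule)
        print(f"{rule.name}: answers ARP for {len(addrs)} address(es); collisions: {collisions(rule)}")
```

Run as a script it reports one address for the interface-address rule and 62 for the object rule, two of them belonging to other devices on the segment. The practical check this encodes is to compare the mask on any translated-address object against the connected subnet before committing, and to use a /32 object (or the interface address) when only the firewall's own IP is meant.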


Comments
by ceinkorn
on ‎10-04-2016 02:28 PM

I ran into this because I normally create Interface-address rules. However, you cannot use Interface-address when doing Active/Active L3, and when I converted these to Translated-address I re-used the interface IP objects which had the /26 subnet mask.
