ARP not advertising for NAT translation

L4 Transporter


Hello,

 

We have BGP routing on the WAN interface with the WAN IP and an additional subnet which is advertised by the firewall to the ISP. When we create a NAT translation from a private IP address to a public IP address from this additional subnet, we don't receive any traffic for it at all. It doesn't show up under the Monitor tab. When we check the BGP status, it is correctly advertising the whole subnet. However, when we create a loopback, the NAT translation starts working straight away without any other changes.

 

Is Palo Alto not advertising ARP for the NAT translation when this IP is not on a directly connected interface? Is this expected behaviour?

 

Thanks in Advance.

L4 Transporter

Re: ARP not advertising for NAT translation

 

I know that the FW will not proxy ARP for NAT addresses only in v-wire mode. What about in layer 3 mode?

 

The issue is that it appears NAT doesn't ARP the public IP address to the ISP router, so we created a loopback as a workaround.

 

Much appreciated if someone can shed some light.

 

L3 Networker

Re: ARP not advertising for NAT translation

You need to create a route for the additional subnet that needs the translations. If there isn't an entry in the routing table, the traffic will be dropped before the NAT is processed. If you look at the packet flow, a lookup is done early in the flow, before the actual forwarding is done. If the lookup fails, the packet gets dropped.

Have a look at this document on page 4 to see where the route lookup happens before NAT lookup.

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf

 

I've had to do this in a couple of locations. You can just create a dummy route for each host you need to NAT, or a route for the entire subnet. The route doesn't even need a next-hop address, just an entry. I typically use the untrust interface for forwarding.

Here is an example of one I have (e1/1 is untrust). The 209 address is in the extra subnet that was assigned, not in the same network as the ISP-facing interface.

set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf interface ethernet1/1
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf metric 10
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf destination 209.x.x.x/32
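The check described in the answer above, as an added example that is not from the thread or from Palo Alto Networks: a small Python script that reads PAN-OS "set"-format config (a constructed sample whose syntax is approximated from the static-route commands above), builds the virtual router's table from connected interface addresses and static routes, and performs the route lookup for each NAT rule's pre-translation destination. A destination with no covering route is reported as one that would be dropped before NAT is processed, together with the dummy static route that fixes it; the loopback workaround from the original post shows up as a connected /32 that satisfies the lookup. Interface, rule and route names are made up, the addresses are RFC 5737 documentation ranges, and NAT destinations given as address objects rather than literal IPs are skipped.

```python
"""
Pre-NAT route-lookup check for PAN-OS "set" config.

Added example, not from the thread.  The config below is constructed
(RFC 5737 addresses, made-up names) and only approximates real PAN-OS
"set" syntax; adapt the regexes to your own exported config.
"""
import ipaddress
import re

# Constructed sample: ISP link on ethernet1/1, inside on ethernet1/2,
# an "additional subnet" 203.0.113.0/24 that is advertised upstream but
# not configured on any interface, and three inbound NAT rules for it.
SAMPLE_CONFIG = """
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.2/30
set network interface ethernet ethernet1/2 layer3 ip 10.1.1.1/24
set network interface loopback units loopback.1 ip 203.0.113.20/32
set network virtual-router default routing-table ip static-route Fake_Static_Mail destination 203.0.113.30/32
set network virtual-router default routing-table ip static-route Fake_Static_Mail interface ethernet1/1
set network virtual-router default routing-table ip static-route Fake_Static_Mail metric 10
set rulebase nat rules Web-DNAT destination 203.0.113.10
set rulebase nat rules Web-DNAT destination-translation translated-address 10.1.1.10
set rulebase nat rules Loop-DNAT destination 203.0.113.20
set rulebase nat rules Loop-DNAT destination-translation translated-address 10.1.1.20
set rulebase nat rules Mail-DNAT destination 203.0.113.30
set rulebase nat rules Mail-DNAT destination-translation translated-address 10.1.1.25
"""

# Interface addresses (ethernet ... layer3 ip X, loopback units ... ip X).
IFACE_RE = re.compile(r"^set network interface \S+ (?:units )?(\S+) (?:layer3 )?ip (\S+)$")
# Static route attributes: vr, route name, key (destination/interface/...), value.
STATIC_RE = re.compile(r"^set network virtual-router (\S+) routing-table ip static-route (\S+) (\S+) (.+)$")
# Pre-translation destination of a NAT rule ("destination-translation" does not match).
NAT_RE = re.compile(r"^set rulebase nat rules (\S+) destination (\S+)$")


def parse_config(text):
    """Return (interfaces, static_routes, nat_destinations) from set-format lines."""
    interfaces, statics, nat_dests = {}, {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            interfaces[m.group(1)] = ipaddress.ip_interface(m.group(2))
        elif m := STATIC_RE.match(line):
            statics.setdefault(m.group(2), {})[m.group(3)] = m.group(4)
        elif m := NAT_RE.match(line):
            try:
                nat_dests[m.group(1)] = ipaddress.ip_address(m.group(2))
            except ValueError:
                pass  # address object name, not resolved in this example
    return interfaces, statics, nat_dests


def build_routing_table(interfaces, statics):
    """Connected routes from interface addresses plus configured static routes."""
    table = [(addr.network, name, "connected") for name, addr in interfaces.items()]
    for name, attrs in statics.items():
        if "destination" in attrs:
            table.append((ipaddress.ip_network(attrs["destination"]),
                          attrs.get("interface", "?"), f"static {name}"))
    return table


def lookup(table, ip):
    """Longest-prefix match; None means the lookup fails and the packet is dropped."""
    best = None
    for net, iface, src in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return best


def check_nat_routes(config_text, untrust_iface="ethernet1/1"):
    """Map each NAT rule to ('OK' | 'DROP', detail), with the fix for DROP cases."""
    interfaces, statics, nat_dests = parse_config(config_text)
    table = build_routing_table(interfaces, statics)
    report = {}
    for rule, ip in nat_dests.items():
        hit = lookup(table, ip)
        if hit is None:
            fix = (f"set network virtual-router default routing-table ip static-route "
                   f"Fake_{rule} destination {ip}/32 ; ... static-route Fake_{rule} "
                   f"interface {untrust_iface}")
            report[rule] = ("DROP", f"no route for {ip}; dropped before NAT. Fix: {fix}")
        else:
            report[rule] = ("OK", f"{ip} via {hit[2]} {hit[0]} out {hit[1]}")
    return report


if __name__ == "__main__":
    for rule, (status, detail) in check_nat_routes(SAMPLE_CONFIG).items():
        print(f"{status:4} {rule}: {detail}")
```

Run it against an exported `set`-format config (`set cli config-output-format set` then `show` in configure mode) after filtering to the lines the regexes expect; a default route pointing out the untrust interface would also satisfy the lookup, so the sample deliberately has none in order to reproduce the condition the thread describes.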

L4 Transporter

Re: ARP not advertising for NAT translation

Thank you RFalconer for the explanation! It helps.
