Help needed on Inbound NAT

L2 Linker

Help needed on Inbound NAT

Hello,

I need to configure a NAT from a Cisco PIX with config below to PAN. I configured NAT on PAN but the NAT doesn't seem to work.

PIX Config:

static (inside,outside) webpublicip 172.16.10.10 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.10.10 172.16.10.10 netmask 255.255.255.255 0 0

PAN config

NAT rule: Source Zone-> Outside, Des Zone-> Outside, Source-> Any, Destination-> webpublicip and in the translated packet Destination-> 172.16.10.10
Security rule: Source Zone-> Outside, Des Zone-> Inside, Source-> Any, Destination-> webpublicip
In the monitor traffic log, I do a filter on webpublicip but it says no NAT applied and we can't access this web server from the Internet.

Note that the outside interface on PAN is on a private IP

Would appreciate your help on this.

thanks

L5 Sessionator

Re: Help needed on Inbound NAT

Since your outside interface on the PAN is a private IP, you can configure a loopback address (and associated VR) using your WebPublicIP and assign it to the "outside" zone. You will want your external router to have a route statement directing traffic bound for WebPublicIP to be sent to the private IP on the outside interface. The NAT and Security policies you configured for the PAN should then work. 

L2 Linker

Re: Help needed on Inbound NAT

Hello

You are suggesting that I create a loopback with an IP same as the WebPublicIP and have the same VR and Untrust zone as the WebPublicIP assigned to it?

In the NAT policies, I also have the option to specify a destination interface, should I select the loopback or leave it to none?

Do I need any other static routes on PA to route to the 172.16.0.0 networks?

In this case, we are just replacing a PIX, so they have the inbound static route already.

thanks

L5 Sessionator

Re: Help needed on Inbound NAT

Answers are inline.

You are suggesting that I create a loopback with an IP same as the WebPublicIP and have the same VR and Untrust zone as the WebPublicIP assigned to it? Yes.

In the NAT policies, I also have the option to specify a destination interface, should I select the loopback or leave it to none? None.

Do I need any other static routes on PA to route to the 172.16.0.0 networks? Since it is directly connected, you don't need a static route.

In this case, we are just replacing a PIX, so they have the inbound static route already.

thanks
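The zone choices in the rules discussed above (NAT rule Outside to Outside, security rule Outside to Inside, both with destination webpublicip) follow from how PAN-OS evaluates an inbound packet: NAT rules match on pre-NAT zones, security rules match on the pre-NAT address with the post-NAT destination zone. The following is an added example, not part of the original thread and not Palo Alto Networks code: a simplified Python model of that evaluation order. The address 203.0.113.10 for webpublicip, the 10.0.0.0/24 outside subnet, the /24 mask on the server subnet and all function and rule names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions): the thread never gives the real
# address behind "webpublicip" or the private subnet on the outside interface.
WEBPUBLICIP = "203.0.113.10"
ROUTES = [  # (prefix, zone of the egress interface)
    ("203.0.113.10/32", "outside"),  # loopback carrying webpublicip
    ("10.0.0.0/24", "outside"),      # private subnet on the outside interface
    ("172.16.10.0/24", "inside"),    # directly connected server subnet
    ("0.0.0.0/0", "outside"),        # default route
]

def zone_for(ip):
    """Longest-prefix-match route lookup, returning the egress zone."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), z) for p, z in ROUTES]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def evaluate(src_zone, dst_ip, nat_rules, sec_rules):
    """Return (nat_applied, translated_dst, allowed) for one inbound packet."""
    pre_zone = zone_for(dst_ip)  # NAT rules match on pre-NAT zones
    translated, nat_applied = dst_ip, False
    for r in nat_rules:
        if (r["from"], r["to"], r["dst"]) == (src_zone, pre_zone, dst_ip):
            translated, nat_applied = r["translate_to"], True
            break
    post_zone = zone_for(translated)  # security rules: post-NAT zone, pre-NAT IP
    allowed = any((r["from"], r["to"], r["dst"]) == (src_zone, post_zone, dst_ip)
                  for r in sec_rules)
    return nat_applied, translated, allowed

NAT = [{"from": "outside", "to": "outside", "dst": WEBPUBLICIP,
        "translate_to": "172.16.10.10"}]
SEC_THREAD = [{"from": "outside", "to": "inside", "dst": WEBPUBLICIP}]
# Two common misconfigurations, for comparison:
SEC_WRONG_ZONE = [{"from": "outside", "to": "outside", "dst": WEBPUBLICIP}]
SEC_WRONG_ADDR = [{"from": "outside", "to": "inside", "dst": "172.16.10.10"}]

if __name__ == "__main__":
    for name, sec in [("thread", SEC_THREAD), ("wrong zone", SEC_WRONG_ZONE),
                      ("wrong address", SEC_WRONG_ADDR)]:
        print(name, evaluate("outside", WEBPUBLICIP, NAT, sec))
```

Only the security rule as written in the thread permits the session; a rule with destination zone Outside, or with the translated address 172.16.10.10 as destination, leaves the server unreachable even though the NAT rule matches.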
