Routing IP address range through firewall


L0 Member

As somewhat of a newbie to PAN, I need to ask how do I go about passing an internal public IP range outbound through the firewall and NOT natting it.  This certain range of addresses will only connect to one other public IP address (different, external network) but the other address needs to be able to see these internal IPs for what they are and not be natted.

Thanks!  Mike

7 replies

L4 Transporter (accepted solution)

Hi Mike,

You can exempt certain IP's or subnets from NAT by keeping the Source and Destination Translation fields as "none"

[screenshot: no-nat.jpg]

Cheers,

Kelly

Yeah, this sounds like what I need to do.  If I set the source address to that of my internal range and the destination address to that of my target server, then the "no-natting" should only occur between those two sets of addresses, right?  Any extra Security policy rules needed (other than what I already have in place)?

You got it.  You shouldn't need any other policy entries beyond what you would normally have in your Security Policy to allow the two segments to communicate.

Cheers,

Kelly

Should that new NO NAT rule be placed above the normal outbound PAT rule everyone else on the network is using?

Absolutely - all policy rules are evaluated top down and terminate on match.

Cheers,

Kelly
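As an added illustration (not code from the thread or from Palo Alto Networks), here is a small model of a NAT rulebase evaluated top down with first match terminating. It shows why the no-NAT rule must sit above the general outbound PAT rule, and includes a shadowing check, since a rule placed below a catch-all is one reason a rule never shows a hit in the traffic log. Rule names and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    name: str
    source: str                        # match: CIDR of the original source
    destination: str                   # match: CIDR of the original destination
    source_translation: Optional[str]  # None == "none" in the GUI, i.e. no NAT

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))


def evaluate(rulebase, src: str, dst: str):
    """Top-down, first match terminates: returns (rule name, source address the peer sees)."""
    for rule in rulebase:
        if rule.matches(src, dst):
            return rule.name, (rule.source_translation or src)
    return None, src  # nothing matched: packet leaves untranslated


def shadowed(rulebase):
    """Names of rules that can never match because an earlier rule covers their whole match space."""
    out = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (ipaddress.ip_network(earlier.source).supernet_of(ipaddress.ip_network(later.source))
                    and ipaddress.ip_network(earlier.destination).supernet_of(ipaddress.ip_network(later.destination))):
                out.append(later.name)
                break
    return out


# Constructed sample addresses (RFC 5737 documentation ranges), not values from the thread.
VPN_POOL = "203.0.113.16/28"   # "internal" public range the VPN server hands to clients
TARGET = "198.51.100.10/32"    # the single external host those clients talk to
EGRESS_IP = "192.0.2.1"        # address the general outbound PAT rule hides everyone behind

no_nat = NatRule("no-nat-vpn", VPN_POOL, TARGET, None)
pat = NatRule("outbound-pat", "0.0.0.0/0", "0.0.0.0/0", EGRESS_IP)

if __name__ == "__main__":
    print(evaluate([no_nat, pat], "203.0.113.20", "198.51.100.10"))  # ('no-nat-vpn', '203.0.113.20')
    print(evaluate([pat, no_nat], "203.0.113.20", "198.51.100.10"))  # ('outbound-pat', '192.0.2.1')
    print(shadowed([pat, no_nat]))                                    # ['no-nat-vpn']
```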

L4 Transporter

mwaters31 wrote:

As somewhat of a newbie to PAN, I need to ask how do I go about passing an internal public IP range outbound through the firewall and NOT natting it.  This certain range of addresses will only connect to one other public IP address (different, external network) but the other address needs to be able to see these internal IPs for what they are and not be natted.

Thanks!  Mike

Are your "internal" addresses RFC1918, and your external "live" Internet addresses? If so, I don't see how you're going to get your "inside" addresses routed by your external provider - ISP edge routers should be configured, by default, to drop anything from or to an RFC 1918 address range.

Enquiring mind wants to know. 🙂

If your "internal" addresses are live, routable addresses then my question is probably invalid - also similarly invalid if your "external" link is some form of point-to-point link which only uses RFC1918 addressing in the path.

Cheers

The internal addresses of which I speak are in fact, live public addresses.  These are a small network that is part of a VPN server in which the server hands out addresses in this range to remote (Internet) clients that request them.  These addresses are then used to connect to the target IP address I mentioned earlier.

We were having some issues where when two or more vpn clients were connected, each one would lose its connection every 30 seconds, then regain it again.  Another agency (we are a city) had experienced the same issue and they resolved it by removing the natting their firewall was doing for their vpn clients.

Funny thing is, after I inserted the new "no nat" rule, I still wasn't seeing any traffic matching the rule in the Traffic logs.  The client "problem" had seemed to go away as well.  Success I thought.  Then I thought I would disable the new no nat rule to see if I could make the problem occur again.  Well, the problem didn't occur again and the clients kept operating normally.  So now I don't know if the new rule did anything or not.  Weird.

  • 1 accepted solution
  • 3552 Views
  • 7 replies
  • 1 Likes