I stumbled upon a small problem with Netscreen Destination NAT.
Netscreen supports multiple objects in the "Destination Address" field when doing destination NAT. Palo Alto only supports 1-to-1 Destination NAT.
The problem occurs because the migration tool creates the rules the same way as Netscreen would, but when you push the policy you get this error message:
Error: nat rule 'test': Mismatch of destination address translation range between original address and translated address
Error: Failed to parse nat policy
Here is an example of a rule that gets converted wrong by the migration tool:
set policy id 1 from "internet" to "Untrust" "Net_10.2.4.0" "192.168.70.3" "SSH" nat dst ip 10.200.200.200 permit log
set policy id 1
set src-address "Net_10.2.1.0/29"
set src-address "Net_10_2_3.0/29"
set dst-address "192.168.70.1"
set dst-address "192.168.70.2"
set service "TCP_9000"
set service "TCP_9001"
set log session-init
Is it possible to get the migration tool to split the rules by destination address, or if not, maybe get a warning that this rule needs to be manually edited?
Big thanks so far!
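The split the post asks for, as an added example that is not part of the migration tool or of anyone's post here: it parses a ScreenOS policy that carries several destination members plus "nat dst ip", detects the shape that PAN-OS rejects (several original destinations translated to one address), emits one 1-to-1 destination-NAT rule per original destination, and warns where a member still needs a human (a named object that cannot be sized without the address book, a prefix translated to a single host, or several services, which a PAN-OS NAT rule cannot carry directly). The sample policy is the one from the post; the rule names and the PAN-OS "set rulebase nat rules" rendering are assumptions to check against your PAN-OS version.

```python
"""Added example (not the migration tool's code): split a ScreenOS
destination-NAT policy with several destination objects into 1-to-1
PAN-OS NAT rules, flagging anything that still needs manual editing."""
import ipaddress
import re

# Constructed sample: the policy from the post, one 'set' statement per line.
SCREENOS_POLICY = """\
set policy id 1 from "internet" to "Untrust" "Net_10.2.4.0" "192.168.70.3" "SSH" nat dst ip 10.200.200.200 permit log
set policy id 1
set src-address "Net_10.2.1.0/29"
set src-address "Net_10_2_3.0/29"
set dst-address "192.168.70.1"
set dst-address "192.168.70.2"
set service "TCP_9000"
set service "TCP_9001"
set log session-init
"""

# Header line: zones, first src/dst/service member, optional destination NAT.
HEADER_RE = re.compile(
    r'set policy id (?P<id>\d+) from "(?P<from>[^"]+)" to "(?P<to>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)"'
    r'(?: nat dst ip (?P<nat_dst>\S+))?')
# Extra members that ScreenOS adds after a bare 'set policy id N'.
MEMBER_RE = re.compile(r'set (?P<key>src-address|dst-address|service) "(?P<val>[^"]+)"')


def parse_policy(text):
    """Collect the header fields and full member lists of one ScreenOS policy."""
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            policy = dict(m.groupdict())
            policy["src-address"] = [m["src"]]
            policy["dst-address"] = [m["dst"]]
            policy["service"] = [m["svc"]]
            continue
        m = MEMBER_RE.match(line)
        if m and policy is not None:
            policy[m["key"]].append(m["val"])
    return policy


def address_size(name):
    """Hosts covered by a literal IP or prefix; None for a named object, which
    would have to be resolved from the ScreenOS address book first."""
    try:
        return ipaddress.ip_network(name, strict=False).num_addresses
    except ValueError:
        return None


def needs_split(policy):
    """True for destination NAT onto more than one original destination, the
    shape PAN-OS rejects with the 'translation range' mismatch error."""
    return policy["nat_dst"] is not None and len(policy["dst-address"]) > 1


def split_destination_nat(policy):
    """One NAT rule per original destination, all translated to the same IP.
    Returns (rules, warnings); any warning means manual editing is still needed."""
    rules, warnings = [], []
    if policy["nat_dst"] is None:
        return rules, warnings
    translated_size = address_size(policy["nat_dst"])
    if len(policy["service"]) > 1:
        warnings.append("PAN-OS NAT rules take a single service; put %s in a service group "
                        "and replace 'service any' with it" % ", ".join(policy["service"]))
    for i, dst in enumerate(policy["dst-address"], start=1):
        name = "policy%s-dnat-%d" % (policy["id"], i)   # assumed naming scheme
        original_size = address_size(dst)
        if original_size is None:
            warnings.append("%s: '%s' is a named object; confirm it is a single host" % (name, dst))
        elif original_size != translated_size:
            warnings.append("%s: '%s' covers %d addresses but '%s' covers %d; edit manually"
                            % (name, dst, original_size, policy["nat_dst"], translated_size))
        rules.append({"name": name, "from": policy["from"], "to": policy["to"],
                      "source": list(policy["src-address"]), "destination": dst,
                      "service": list(policy["service"]), "translated": policy["nat_dst"]})
    return rules, warnings


def render_panos(rule):
    """PAN-OS configure-mode 'set' line (assumed syntax; verify on your version).
    A single service is kept; several fall back to 'any' until grouped."""
    service = rule["service"][0] if len(rule["service"]) == 1 else "any"
    return ("set rulebase nat rules %s from %s to %s source [ %s ] destination %s "
            "service %s destination-translation translated-address %s"
            % (rule["name"], rule["from"], rule["to"], " ".join(rule["source"]),
               rule["destination"], service, rule["translated"]))


if __name__ == "__main__":
    pol = parse_policy(SCREENOS_POLICY)
    print("needs split:", needs_split(pol))
    rules, warnings = split_destination_nat(pol)
    for r in rules:
        print(render_panos(r))
    for w in warnings:
        print("WARNING:", w)
```

Run it on the sample and you get three rules, one per original destination (192.168.70.3, 192.168.70.1, 192.168.70.2), each translating to 10.200.200.200, plus one warning about the three services. Review the warnings before committing anything: a rule rendered with "service any" matches more traffic than the ScreenOS original did.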
Thanks for the good explanation of the issue. We opened a bug and feature request. I will update this thread as soon as we get something. Thanks
Fix just released; please update to 3.3.1 and, if you can, provide feedback on whether it's now fixed or we need to do something else :-)