AWS NAT not coming back

L1 Bithead

AWS NAT not coming back


I tried to set up the NAT. I can see my NAT and security rules are being hit, but traffic is not flowing.


Bundle 1

Interface swap (tested this with no swap too, and it didn't work)

All 3 interfaces have the src/destination check disabled.

All of them use the same SG.

eth0 and eth1 are on the same subnet (public) with a route to the IGW.

eth0 and eth1 both have an Elastic IP attached.


eth2 is on the private subnet; the route points to eth2.

The server is on the same subnet as eth2.


DHCP seems to pick up the proper IPs (internal IPs).


My NAT rule:

Source: Trust -> Untrust
Destination: ethernet1.1

Source: any

Destination: any

Service: any

Source Translation: dynamic IP and port <<PRIVATE IP ADDRESS of eth1>>


Hit count: over 2000.


For my security rule:

Universal, any, any, any .. any, allow. Hit count 3000+.


Monitor shows "aged out", allowed, so the traffic flows one way, but it doesn't come back!


Attached is a screenshot: the internal machine ( pings Google; is my eth1 "untrust".


Thanks in advance


Screen Shot 2019-11-13 at 10.03.52 PM.png



Here's a request to Google on port 80:


Screen Shot 2019-11-13 at 10.13.30 PM.png


NAT rule:


Screen Shot 2019-11-13 at 10.23.49 PM.png

L3 Networker

Re: AWS NAT not coming back

2 thoughts:

  1. Check your default route in the VR.  Ideally, you should use DHCP on both interfaces in the firewall and make sure to uncheck "Automatically create default route..." on the Trust-side interface so that you only inherit the default route on E1/1.
  2. Change the Source Translation in your NAT rule to:
    • Translation Type: DIPP
    • Address Type: Interface Address
    • Interface: ethernet 1/1
    • IP Address: None



L1 Bithead

Re: AWS NAT not coming back



I made those changes.


The NAT is working if the trust ENI is on the same subnet as the server I'm trying to NAT.


Is there any way I can point other route tables to this ENI? I made the change, but they can't connect to the internet.


Thank you.

L3 Networker

Re: AWS NAT not coming back

Excellent, that is a step in the right direction.  Create a static route on the firewall VR to send all of the VPC subnets that are behind the firewall out of the Eth1/2 interface to the first IP in the firewall's Trust Subnet.  AWS will then route it to the Server subnet.


I assume the Server subnet has a 0/0 route pointing to the Trust side of the firewall?

L1 Bithead

Re: AWS NAT not coming back



This is what my network looks like:


Palo in Public
A: same subnet as the trust interface, works fine

B: different subnet, same VPC, same route table, pointing to that ENI



Screen Shot 2019-11-14 at 8.27.35 AM.png



For the route you mention, unfortunately I don't know how; this is above the knowledge I have for this POC.


This is what I tried: my VPC CIDR to the private IP of the "non trust interface".

Screen Shot 2019-11-14 at 8.30.43 AM.png

L3 Networker

Re: AWS NAT not coming back

Rather than specifying the Trust-side IP of the firewall as the next hop in that route, set the next-hop IP to the first IP of the Trust subnet, which is the AWS router IP.


i.e. if the Trust subnet is /24, set the next-hop to
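The two pieces of advice above (a static route for the VPC CIDR out of the Trust interface, with the AWS subnet router rather than the firewall's own Trust IP as next hop) can be checked with a small model of the firewall's virtual router. This is an added example, not code from either poster or from PAN-OS: all addresses are constructed (a 10.0.0.0/16 VPC with untrust subnet 10.0.1.0/24 on ethernet1/1 and trust subnet 10.0.2.0/24 on ethernet1/2), and the only AWS fact it relies on is that the first host address of every subnet is reserved for the VPC router.

```python
import ipaddress

# Constructed topology for the example (assumed, not from the thread).
VPC_CIDR = "10.0.0.0/16"
UNTRUST_IF, UNTRUST_IP, UNTRUST_SUBNET = "ethernet1/1", "10.0.1.10/24", "10.0.1.0/24"
TRUST_IF, TRUST_IP, TRUST_SUBNET = "ethernet1/2", "10.0.2.10/24", "10.0.2.0/24"


def aws_router_ip(subnet_cidr):
    """First host address of an AWS subnet: AWS reserves it for the VPC router."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return str(net.network_address + 1)


class VirtualRouter:
    """Minimal longest-prefix-match model of the firewall's virtual router."""

    def __init__(self):
        self.routes = []  # (network, egress interface, next hop or None for connected)

    def add_connected(self, interface, address_with_prefix):
        ip = ipaddress.ip_interface(address_with_prefix)
        self.routes.append((ip.network, interface, None))

    def add_static(self, destination, interface, nexthop):
        self.routes.append(
            (ipaddress.ip_network(destination), interface, ipaddress.ip_address(nexthop))
        )

    def lookup(self, destination):
        """Return (interface, next hop) for the most specific matching route."""
        dst = ipaddress.ip_address(destination)
        best = None
        for network, interface, nexthop in self.routes:
            if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, interface, nexthop)
        if best is None:
            return None
        return best[1], (None if best[2] is None else str(best[2]))


def build_vr(vpc_route=True):
    """Firewall VR as the thread ends up with it; vpc_route=False is the broken state."""
    vr = VirtualRouter()
    vr.add_connected(UNTRUST_IF, UNTRUST_IP)
    vr.add_connected(TRUST_IF, TRUST_IP)
    # Default route inherited on the untrust interface only (advice 1 in the thread).
    vr.add_static("0.0.0.0/0", UNTRUST_IF, aws_router_ip(UNTRUST_SUBNET))
    if vpc_route:
        # Whole VPC CIDR out of the trust interface via the AWS router of that subnet.
        vr.add_static(VPC_CIDR, TRUST_IF, aws_router_ip(TRUST_SUBNET))
    return vr


def check_vpc_route_nexthop(nexthop, trust_ip=TRUST_IP, trust_subnet=TRUST_SUBNET):
    """Return a problem description, or None when the next hop is the AWS router."""
    own_ip = str(ipaddress.ip_interface(trust_ip).ip)
    if nexthop == own_ip:
        return "next hop is the firewall's own trust address; use the subnet's AWS router"
    if nexthop != aws_router_ip(trust_subnet):
        return "next hop is not the first host address of the trust subnet"
    return None


if __name__ == "__main__":
    broken, fixed = build_vr(vpc_route=False), build_vr()
    for server in ("10.0.2.50", "10.0.3.50"):   # subnet A (same as eth1/2) and subnet B
        print(server, "without VPC route ->", broken.lookup(server))
        print(server, "with VPC route    ->", fixed.lookup(server))
    print(check_vpc_route_nexthop("10.0.2.10"))  # the mistake described in the thread
    print(check_vpc_route_nexthop("10.0.2.1"))   # correct: None
```

Without the VPC route, return traffic for a server in subnet B matches only the default route and leaves on ethernet1/1, which is exactly the one-way, "aged out" behaviour in the first post; with it, both subnets resolve to ethernet1/2. The AWS side still needs the server subnet's route table to send 0/0 to the trust ENI, as the reply above asks.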

L1 Bithead

Re: AWS NAT not coming back

What a learning experience!


My original routes:

Screen Shot 2019-11-14 at 8.41.01 AM.png


Then I added the VPC CIDR pointing to the "gateway of the trust interface" (Trust =

Screen Shot 2019-11-14 at 8.54.52 AM.png


New route:


Screen Shot 2019-11-14 at 8.51.57 AM.png


Thanks for all your help; just documenting here in case someone is in the same spot.

