02-24-2022 01:46 PM
Hello All,
I am trying to migrate Cisco ASA NAT policies to Palo Alto. I realized the packet processing in ASA is different from Palo Alto. On Cisco ASA, I will have two different NAT statements for source and destination. When the packet hits the firewall, the source and destination are translated. However, in Palo Alto, if I do them in two rules, either source or destination is translated based on the order of the rules. The only fix for this is to do SNAT and DNAT in the same rule in Palo Alto. This will be a huge task for us as we have around 7000 NAT policies on ASA and all these are related to VPN Tunnels. If I run the numbers, I think I will exceed the NAT policy limit for a 7050 chassis, which is 16000 rules. This seems to be a huge amount of manual work. Any ideas are welcome, and I much appreciate your time and feedback.
Examples
Source - 5.6.7.8 - DMZ
Destination - 10.1.1.1 - INSIDE
SNAT - 10.2.2.2
DNAT - 144.144.155.155
Cisco ASA NAT Statement
object network obj-10.1.1.1
 nat (INSIDE,DMZ) static 144.144.155.155
object network obj-5.6.7.8
 nat (DMZ,INSIDE) static 10.2.2.2
So the above two NAT statements are where both source and destination are NATed. Cisco processes these NATs in a single transaction while Palo is unable to do it. I have so many tunnels and all IPs are NATed. On Palo Alto, I have to create rules manually for each and every tunnel. These amount to so many rules if there are more IPs routed through a single tunnel.
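An added example, not part of the original post: a Python sketch that parses static object-NAT statements like the two above and pairs them into one combined source-plus-destination record per flow, so the number of combined rules a zone pair could need can be counted before migrating. The record field names and the reliance on the obj-<address> naming are assumptions for illustration, not PAN-OS syntax, and the cross product is an upper bound to prune to flows that actually exist.

```python
import re
from itertools import product

# Constructed sample: the two object-NAT statements quoted in the post.
ASA_CONFIG = """\
object network obj-10.1.1.1
 nat (INSIDE,DMZ) static 144.144.155.155
object network obj-5.6.7.8
 nat (DMZ,INSIDE) static 10.2.2.2
"""

OBJ = re.compile(r"^object network obj-(\S+)$")
NAT = re.compile(r"^\s*nat \((\w+),(\w+)\) static (\S+)$")

def parse_object_nat(text):
    """Return [(real_if, mapped_if, real_ip, mapped_ip)] for static object NAT.
    Assumes the post's naming, where each object is called obj-<real address>."""
    entries, real_ip = [], None
    for line in text.splitlines():
        if m := OBJ.match(line.strip()):
            real_ip = m.group(1)
        elif (m := NAT.match(line)) and real_ip:
            entries.append((m.group(1), m.group(2), real_ip, m.group(3)))
    return entries

def combine(entries, src_zone, dst_zone):
    """Pair each source-side mapping with each destination-side mapping for
    traffic entering src_zone toward hosts behind dst_zone (upper bound)."""
    snat = [e for e in entries if (e[0], e[1]) == (src_zone, dst_zone)]
    dnat = [e for e in entries if (e[0], e[1]) == (dst_zone, src_zone)]
    rules = []
    for s, d in product(snat, dnat):
        rules.append({
            "name": f"nat-{s[2]}-to-{d[2]}",  # hypothetical naming scheme
            "from_zone": src_zone,
            "source": s[2],                   # original source address
            "destination": d[3],              # address the client targets (pre-NAT)
            "source_translation": s[3],       # what the source is rewritten to
            "destination_translation": d[2],  # real address of the server
        })
    return rules

if __name__ == "__main__":
    for rule in combine(parse_object_nat(ASA_CONFIG), "DMZ", "INSIDE"):
        print(rule)
```

The destination zone is deliberately left out of each record, because on the target firewall it depends on where the pre-NAT destination address routes.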
02-24-2022 02:40 PM
Hi @HKoppuravori ,
It looks like your dilemma is the same as this one -> https://live.paloaltonetworks.com/t5/general-topics/source-and-destination-nat-using-2-different-nat.... The non-elegant solution to solve the problem was to route the traffic outside the firewall and back in. I don't think a single session can match multiple NAT statements.
I think it would be a good feature request. The process would be to reach out to your PANW SE. https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40...
Thanks,
Tom