Migrate NAT policies from ASA to Palo Alto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Migrate NAT policies from ASA to Palo Alto

L0 Member

Hello All, 

I am trying to migrate Cisco ASA NAT policies to Palo Alto. I realized the packet processing in ASA is different from Palo Alto. On Cisco ASA, I will have two different NAT statements for source and destination. The packet when hits the firewall, the source, and destination are translated. However, in Palo Alto, if I do them in two rules either source or destination is translated based on the order of the rules. The only fix for this is to do SNAT and DNAT in the same rule in Palo Alto. This will be a huge task for us as we have around 7000 NAT policies on ASA and all these are related to VPN Tunnels. If I run the numbers, I think I will exceed the NAT policy limit for a 7050 chassis which is 16000 rules. This seems to be a huge amount of manual work. Any ideas are welcome and much appreciate your time and feedback. 

 

Examples

Source - 5.6.7.8 - DMZ

Destination - 10.1.1.1 - INSIDE

SNAT - 10.2.2.2

DNAT - 144.144.155.155

 

Cisco ASA NAT Statement

 

object network obj-10.1.1.1
nat (INSIDE,DMZ) static 144.144.155.155

 

object network obj-5.6.7.8
nat (DMZ,INSIDE) static 10.2.2.2

 

So the above two NAT statements are where both source and destinations are NATed. Cisco processes these NATs in a single transaction while Palo is unable to do it. I have so many tunnels and all IPs are NATed. On Palo Alto, I have to create rules manually for each and every tunnel. These amount to so many rules if there are more IPs routed thru a single tunnel. 

 

 

 

 

 

 

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @HKoppuravori ,

 

It looks like your dilemma is the same as this one -> https://live.paloaltonetworks.com/t5/general-topics/source-and-destination-nat-using-2-different-nat....  The non-elegant solution to solve the problem was to route the traffic outside the firewall and back in.  I don't think a single session can match multiple NAT statements.

 

I think it would be a good feature request.  The process would be to reach out to your PANW SE.  https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40...

 

Thanks,

 

Tom

 

Help the community: Like helpful comments and mark solutions.

Thank you @TomYoung 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!