Need help converting ASA Nat to Palo Alto


L1 Bithead

I recently swapped out my ASA for a PA450. Most everything is working, including most of the NAT policies. However, one seems to be giving me trouble.

Here's the old NAT from the ASA:

object network HTTS_out
 nat (outside,inside) static 192.168.201.171

object network HTTPS_in
 nat (inside,outside) static x.x.64.107

The policy I have on my PA looks something like this:

Original Packet
  Source Zone - Untrust
  Destination Zone - Trust
  Destination Interface - e1/1
  Service - Any
  Source Address - WebServerExt_x.x.64.107
  Destination Address - Any

Translated Packet
  Source Address Translation
    Translation type - Static IP
    Translation Address - WebServerInt_192.168.201.171
    Bi-Directional is unchecked
  Destination Address Translation
    Translation Type - None

----------------------------------

I have a second NAT policy for the opposite direction (yes, I tried with just one NAT policy to do bi-directional and it didn't work).

I can't send screenshots or anything as this is all on a classified environment.

By the way, I can see hits against the policies, and I can see the traffic being allowed when I look at the log. However, I see under Application "incomplete" and Session End Reason "aged-out".

Any assistance in this would be greatly appreciated.

3 REPLIES

Cyber Elite

Hi @cullums ,

I have had much success with bidirectional NAT on PANW. Since neither config is working for you, I recommend going back to that. The key 🗝 is to determine why the NAT is not working. Here is a good doc on bidirectional NAT -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWBCA0. Especially note the instructions for the security policy rules on the bottom. The inbound rule will have the pre-NAT IP with a post-NAT zone.

Once you have the NAT and security policy rules configured, you want to test and look at the traffic logs. You can add some key fields to help you troubleshoot - NAT Applied, NAT Source IP, and NAT Dest IP. I wish there was a field for NAT rule, but you will have to use those fields to determine which rule is being hit.

Incomplete most often means the TCP 3-way handshake did not complete, but it can mean other things. Click on the magnifying glass in the traffic logs. Verify the protocol is TCP and check the Packets Sent and Packets Received in the middle box. Aged out means the NGFW did not detect anything to close the session such as a TCP Fin, but the session timer expired. It sounds like you have one-way traffic. This can be caused by a NAT misconfig or routing or other things.

Once you determine the security and NAT rules hit by the traffic, you can move the rules up or down or make adjustments so that the traffic hits the right rule.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
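The triage Tom describes (look at NAT Applied / NAT Source IP / NAT Dest IP, check the protocol is TCP, compare Packets Sent against Packets Received, treat "incomplete" plus "aged-out" as a handshake that never got an answer) can be scripted against an exported traffic log. The script below is an added example for this thread, not code from Palo Alto Networks or from anyone in the thread. Its column names (`rule`, `nat_applied`, `nat_src`, `nat_dst`, `pkts_sent`, `pkts_received`, and so on) are a constructed subset of a traffic-log CSV export, and the sample rows use RFC 5737 documentation addresses in place of the poster's real ones; a real export has many more columns, so map the header names before pointing it at one.

```python
"""Triage PAN-OS-style traffic log rows for one-way sessions behind a NAT rule.

Added example for this thread, not code from Palo Alto Networks. The column
layout is a constructed subset of a traffic-log CSV export; a real export has
many more columns, so map the header names before using this on one.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows. 192.0.2.107 stands in for the public web server IP
# (x.x.64.107 in the thread); the NAT translates it to 192.168.201.171.
SAMPLE_LOG = """\
rule,src,dst,nat_applied,nat_src,nat_dst,proto,app,session_end_reason,pkts_sent,pkts_received
Inbound-Web,203.0.113.50,192.0.2.107,yes,203.0.113.50,192.168.201.171,tcp,incomplete,aged-out,3,0
Inbound-Web,203.0.113.51,192.0.2.107,yes,203.0.113.51,192.168.201.171,tcp,incomplete,aged-out,3,0
Inbound-Web,203.0.113.52,192.0.2.107,no,203.0.113.52,192.0.2.107,tcp,incomplete,aged-out,3,0
Outbound-Web,192.168.201.171,198.51.100.9,yes,192.0.2.107,198.51.100.9,tcp,web-browsing,tcp-fin,12,14
Outbound-DNS,192.168.201.171,198.51.100.53,yes,192.0.2.107,198.51.100.53,udp,dns,aged-out,1,1
"""


def parse_log(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def is_one_way(row):
    """True when the firewall forwarded packets but never saw a reply.

    For TCP this is the pattern the reply describes: app 'incomplete'
    (handshake never finished) with end reason 'aged-out' (no FIN/RST, the
    session timer expired) and zero packets received.
    """
    return int(row["pkts_sent"]) > 0 and int(row["pkts_received"]) == 0


def triage(rows):
    """Summarise sessions per security rule: how many were TCP, how many of
    those were one-way, how many had NAT applied, and which original->NAT
    destination pairs the one-way sessions used."""
    summary = defaultdict(lambda: {
        "total": 0, "tcp": 0, "one_way_tcp": 0, "nat_applied": 0,
        "one_way_translations": set(),
    })
    for row in rows:
        s = summary[row["rule"]]
        s["total"] += 1
        if row["nat_applied"] == "yes":
            s["nat_applied"] += 1
        if row["proto"] != "tcp":
            continue  # UDP sessions normally end aged-out; not a symptom
        s["tcp"] += 1
        if is_one_way(row):
            s["one_way_tcp"] += 1
            s["one_way_translations"].add((row["dst"], row["nat_dst"]))
    return summary


def suspect_rules(summary):
    """Rules whose every TCP session was one-way: the NAT or routing behind
    that rule never produced a return path, which is where to start looking."""
    return sorted(
        rule for rule, s in summary.items()
        if s["tcp"] > 0 and s["one_way_tcp"] == s["tcp"]
    )


def report(summary):
    """Human-readable lines, one per rule, for pasting into a ticket."""
    lines = []
    for rule in sorted(summary):
        s = summary[rule]
        lines.append(
            f"{rule}: {s['total']} sessions, NAT applied on {s['nat_applied']}, "
            f"{s['one_way_tcp']}/{s['tcp']} TCP one-way"
        )
        # Mixed NAT Applied values under one security rule mean some sessions
        # missed the NAT rule entirely: check NAT rule order and match criteria.
        if 0 < s["nat_applied"] < s["total"]:
            lines.append(
                f"  NAT applied to only {s['nat_applied']} of {s['total']} "
                "sessions: check NAT rule order/match"
            )
        for orig, nat in sorted(s["one_way_translations"]):
            lines.append(f"  one-way to {orig} (translated to {nat})")
    return lines


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    print("\n".join(report(summary)))
    print("suspect rules:", suspect_rules(summary))
```

In the constructed sample the script singles out Inbound-Web: all three TCP sessions sent packets and received none, one of them never had NAT applied at all, and the UDP DNS session is left alone because aged-out is the normal end for UDP.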

So, definitely some good info, and I appreciate the feedback. This has been quite the rabbit hole to go down.

Long story short, the issue was that I needed the public facing IP to be present on the Untrust interface so that the firewall would have an arp entry for that address.

The way the ASA was configured, it just had an IP of x.x.64.2/30 on its outside interface. For NAT to work on the PA, any public IP that is to be NAT'd needs to be present on that interface. So, adding x.x.64.107 to the interface fixed it... Learn something new every day 🙂

Cyber Elite

Hi @cullums ,

That makes sense, and I am glad you got the issue fixed. NAT on the PA requires a route entry. Configuring the IP on the interface is one way to do that. Most people do not know that because they usually NAT to a subnet which already exists on the NGFW.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGZCA0

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
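The root cause in this thread (the untrust interface carried only a /30, so the firewall had no address covering the public web server IP) is easy to catch before a cutover with a small pre-flight check. The script below is an added example for this thread, not code from Palo Alto Networks or from the posters. The interface and NAT rule dictionaries are a constructed model of the setup described above, using RFC 5737 documentation addresses (192.0.2.0/30 and 192.0.2.107 stand in for the poster's x.x.64.0/30 and x.x.64.107); it checks only the fix the poster used (an address on the interface whose subnet contains the NAT'd IP) and does not model the route-entry alternative Tom mentions.

```python
"""Check that every public-side NAT address is covered by an interface address.

Added example for this thread, not Palo Alto Networks code. It models the
situation the original poster hit: the untrust interface carried only a /30,
so no interface address covered the public web server IP and the firewall
could not answer ARP for it. Only the 'address on the interface' fix is
modelled; the route-entry alternative the reply mentions is not.
"""
import copy
import ipaddress

# Constructed topology. 192.0.2.0/30 stands in for x.x.64.0/30 and
# 192.0.2.107 for x.x.64.107; the inside web server is 192.168.201.171.
INTERFACES = {
    "ethernet1/1": {"zone": "Untrust", "addresses": ["192.0.2.2/30"]},
    "ethernet1/2": {"zone": "Trust", "addresses": ["192.168.201.1/24"]},
}

# Constructed NAT rules in the usual inbound/outbound pair: inbound
# destination-NAT to the server, outbound source-NAT from it.
NAT_RULES = [
    {"name": "Inbound-Web", "from_zone": "Untrust", "to_zone": "Trust",
     "orig_src": "any", "orig_dst": "192.0.2.107",
     "trans_src": None, "trans_dst": "192.168.201.171"},
    {"name": "Outbound-Web", "from_zone": "Trust", "to_zone": "Untrust",
     "orig_src": "192.168.201.171", "orig_dst": "any",
     "trans_src": "192.0.2.107", "trans_dst": None},
]


def public_side(rule):
    """Yield (zone, address) pairs the outside world must reach the firewall on.

    Inbound: the original destination must be answered on the source zone.
    Outbound: the translated source must be answered (for return traffic) on
    the destination zone. 'any' is not an address and is skipped.
    """
    if rule["trans_dst"] and rule["orig_dst"] != "any":
        yield rule["from_zone"], rule["orig_dst"]
    if rule["trans_src"]:
        yield rule["to_zone"], rule["trans_src"]


def covered(interfaces, zone, address):
    """True if an interface in `zone` has an address whose subnet contains
    `address`, i.e. the firewall has that address on the wire in question."""
    ip = ipaddress.ip_address(address)
    for iface in interfaces.values():
        if iface["zone"] != zone:
            continue
        for cidr in iface["addresses"]:
            if ip in ipaddress.ip_interface(cidr).network:
                return True
    return False


def check_nat_coverage(interfaces, rules):
    """Return (rule name, zone, address) for each public-side NAT address no
    interface in that zone covers; an empty list means the check passes."""
    return [
        (rule["name"], zone, addr)
        for rule in rules
        for zone, addr in public_side(rule)
        if not covered(interfaces, zone, addr)
    ]


def with_interface_address(interfaces, iface_name, cidr):
    """Copy of `interfaces` with `cidr` added to `iface_name` (the fix the
    original poster applied). The input is left untouched."""
    fixed = copy.deepcopy(interfaces)
    fixed[iface_name]["addresses"].append(cidr)
    return fixed


if __name__ == "__main__":
    for problem in check_nat_coverage(INTERFACES, NAT_RULES):
        print("uncovered NAT address:", problem)
    fixed = with_interface_address(INTERFACES, "ethernet1/1", "192.0.2.107/32")
    print("after fix:", check_nat_coverage(fixed, NAT_RULES))
```

Against the constructed topology both rules are flagged for 192.0.2.107 on Untrust, because 192.0.2.0/30 only spans .0 to .3; adding the /32 to ethernet1/1 clears both findings, which is exactly the change that fixed it in the thread.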