Need help converting ASA Nat to Palo Alto

cullums · ‎05-16-2023

I recently swapped out my ASA for a PA450. Most everything is working, including most of the NAT policies. However, one seems to be giving me trouble.

Here's the old NAT from the ASA:

object network HTTS_out

nat (outside,inside) static 192.168.201.171

object network HTTPS_in

nat (inside,outside) static x.x.64.107

The policy I have on my PA looks something like this:

Original Packet

Source Zone - Untrust
Destination Zone - Trust

Destination Interface - e1/1

Service - Any

Source Address

WebServerExt_x.x.64.107

Destination Address

Any

Translated Packet

Source Address Translation

Translation type - Static IP

Translation Address - WebServerInt_192.168.201.171

Bi-Directional is unchecked

Destination Address Translation

Translation Type - None

----------------------------------

I have a second NAT policy for the opposite direction (yes, I tried with just one NAT policy to do bi-directional and it didn't work).

I can't send screenshots or anything as this is all on a classified environment.

By the way, I can see hits against the policies, and I can see the traffic being allowed when I look at the log. However, I see under Application "incomplete" and Session End Reason "aged-out"

Any assistance in this would be greatly appreciated.

TomYoung · ‎05-16-2023

Hi @cullums ,

I have had much success with bidirectional NAT on PANW. Since neither config is working for you, I recommend going back to that. The key 🗝 is to determine why the NAT is not working. Here is a good doc on bidirectional NAT -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWBCA0. Especially note the instructions for the security policy rules on the bottom. The inbound rule will have the pre-NAT IP with a post-NAT zone.

Once you have the NAT and security policy rules configured, you want to test and look at the traffic logs. You can add some key fields to help you troubleshoot - NAT Applied, NAT Source IP, and NAT Dest IP. I wish there was a field for NAT rule, but you will have to use those fields to determine which rule is being hit.

Incomplete most often means the TCP 3-way handshake did not complete, but it can mean other things. Click on the magnifying glass in the traffic logs. Verify the protocol is TCP and check the Packets Sent and Packets Received in the middle box. Aged out means the NGFW did not detect anything to close the session such as a TCP Fin, but the session timer expired. It sounds like you have one-way traffic. This can be caused by a NAT misconfig or routing or other things.

Once you determine the security and NAT rules hit by the traffic, you can move the rules up or down or make adjustments so that the traffic hits the right rule.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

cullums · ‎05-18-2023

So, definitely some good info, and I appreciate the feedback. This has been quite the rabbit hole to go down.

Long story short, the issue was that I needed the public facing IP to be present on the Untrust interface so that the firewall would have an arp entry for that address.

The way the ASA was configured, it just had a an IP of x.x.64.2/30 on it's outside interface. For NAT to work on the PA, any public IP that is to be NAT'd needs to be present on that interface. So, adding x.x.64.107 to the interface fixed it.... Learn something new every day 🙂

TomYoung · ‎05-18-2023

Hi @cullums ,

That makes sense, and I am glad you got the issue fixed. NAT on the PA requires a route entry. Configuring the IP on the interface is one way to do that. Most people do not know that because they usually NAT to a subnet which already exists on the NGFW.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGZCA0

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Need help converting ASA Nat to Palo Alto

Need help converting ASA Nat to Palo Alto

Show your appreciation!