I recently swapped out my ASA for a PA450. Most everything is working, including most of the NAT policies. However, one seems to be giving me trouble.
Here's the old NAT from the ASA:
object network HTTS_out
nat (outside,inside) static 192.168.201.171
object network HTTPS_in
nat (inside,outside) static x.x.64.107
The policy I have on my PA looks something like this:
Source Zone - Untrust
Destination Zone - Trust
Destination Interface - e1/1
Service - Any
Source Address Translation
Translation type - Static IP
Translation Address - WebServerInt_192.168.201.171
Bi-Directional is unchecked
Destination Address Translation
Translation Type - None
I have a second NAT policy for the opposite direction (yes, I tried with just one NAT policy to do bi-directional and it didn't work).
I can't send screenshots or anything as this is all on a classified environment.
By the way, I can see hits against the policies, and I can see the traffic being allowed when I look at the log. However, I see under Application "incomplete" and Session End Reason "aged-out"
Any assistance in this would be greatly appreciated.
Hi @cullums ,
I have had much success with bidirectional NAT on PANW. Since neither config is working for you, I recommend going back to that. The key 🗝 is to determine why the NAT is not working. Here is a good doc on bidirectional NAT -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWBCA0. Especially note the instructions for the security policy rules on the bottom. The inbound rule will have the pre-NAT IP with a post-NAT zone.
Once you have the NAT and security policy rules configured, you want to test and look at the traffic logs. You can add some key fields to help you troubleshoot - NAT Applied, NAT Source IP, and NAT Dest IP. I wish there was a field for NAT rule, but you will have to use those fields to determine which rule is being hit.
Incomplete most often means the TCP 3-way handshake did not complete, but it can mean other things. Click on the magnifying glass in the traffic logs. Verify the protocol is TCP and check the Packets Sent and Packets Received in the middle box. Aged out means the NGFW did not detect anything to close the session such as a TCP Fin, but the session timer expired. It sounds like you have one-way traffic. This can be caused by a NAT misconfig or routing or other things.
Once you determine the security and NAT rules hit by the traffic, you can move the rules up or down or make adjustments so that the traffic hits the right rule.
So, definitely some good info, and I appreciate the feedback. This has been quite the rabbit hole to go down.
Long story short, the issue was that I needed the public facing IP to be present on the Untrust interface so that the firewall would have an arp entry for that address.
The way the ASA was configured, it just had a an IP of x.x.64.2/30 on it's outside interface. For NAT to work on the PA, any public IP that is to be NAT'd needs to be present on that interface. So, adding x.x.64.107 to the interface fixed it.... Learn something new every day 🙂
Hi @cullums ,
That makes sense, and I am glad you got the issue fixed. NAT on the PA requires a route entry. Configuring the IP on the interface is one way to do that. Most people do not know that because they usually NAT to a subnet which already exists on the NGFW.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!