11-23-2022 06:22 AM
May I know why the untrust zone cannot ping the trust zone (192 zone)?
Please check my config. Thanks.
11-23-2022 05:37 PM
Hello @WingMak
thanks for posting in LIVEcommunity!
I went through the screenshots you attached to your post. A few things come to mind.
- None of the NAT policies you configured shows a "HIT COUNT". For troubleshooting NAT issues, I find it most practical to look at the logs. Could you make sure that all of your security policies have the check box "Log at Session End" enabled under: Policies > Security > [Name of the policy] > Actions > Log Setting. In the logs under Monitor > Logs > Traffic, you will be able to see details of the traffic, including which NAT policy is being applied. For troubleshooting, make sure you add the columns "NAT Applied", "NAT Dest IP" and "NAT Source IP". These columns are not enabled by default in the log view.
- For traffic sourced from zone "untrust" to zone "zone192", policy no. 3 should be applied: "SNAT-Untrust to zone192". I believe that this policy is misconfigured. Could you change the source translation from ethernet1/4 to ethernet1/2 and test again? The rest of the configuration can stay as it is.
- The interface ethernet1/4 is configured as a DHCP client. Could you make sure that this interface got an IP address? If you click on "Dynamic-DHCP Client", a new window should pop up with the IP details.
- The last thing is only a suggestion. Based on the icon, it looks like the "interzone-default" and "intrazone-default" rules are left in their default configuration, which does not have "Log at Session End" enabled. If you eventually remove policy no. 3, traffic hitting the default policies will not be logged.
Kind Regards
Pavel
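The misconfiguration Pavel points at in policy no. 3 is a general one: a source-NAT rule that translates to an interface address must use an interface that sits in the rule's destination (egress) zone, otherwise the translated source address is not on the egress segment and return traffic has nowhere to go. The following script is an added example, not code from the original thread or from Palo Alto Networks. It takes a constructed, simplified view of the configuration (a zone-to-interface map plus NAT rules; the names "untrust", "zone192", "ethernet1/2", "ethernet1/4" and "SNAT-Untrust to zone192" come from the thread, the rest is assumed) and flags rules whose translation interface is in the wrong zone, then proposes the fix.

```python
"""Zone/interface consistency check for PAN-OS style source-NAT rules.

Added example (not from the original thread). Input is a constructed,
simplified config model: which interfaces belong to which zone, and NAT
rules that use "interface address" as their source translation. The check
flags a rule whose translation interface is not assigned to the rule's
destination zone, which is the mistake the thread identifies in policy no. 3.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    # Interface whose address is used for dynamic-ip-and-port source
    # translation; None means the rule does no interface-address SNAT.
    snat_interface: Optional[str]


# Constructed zone assignment. Assumption: ethernet1/4 is the DHCP-client
# interface facing the outside (untrust) and ethernet1/2 faces zone192.
ZONES: Dict[str, Set[str]] = {
    "untrust": {"ethernet1/4"},
    "zone192": {"ethernet1/2"},
}

# Constructed rule set. The second rule mirrors the thread's policy no. 3 as
# posted: traffic from untrust to zone192 translated to ethernet1/4's address,
# which is an untrust interface, not a zone192 interface.
RULES: List[NatRule] = [
    NatRule("SNAT-zone192 to Untrust", "zone192", "untrust", "ethernet1/4"),
    NatRule("SNAT-Untrust to zone192", "untrust", "zone192", "ethernet1/4"),
]


def interface_zone(zones: Dict[str, Set[str]], iface: str) -> Optional[str]:
    """Return the zone an interface is assigned to, or None if unassigned."""
    for zone, members in zones.items():
        if iface in members:
            return zone
    return None


def check_snat_rules(zones: Dict[str, Set[str]],
                     rules: List[NatRule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for rules that look misconfigured.

    A rule is flagged when its translation interface is unassigned, or is
    assigned to a zone other than the rule's destination zone.
    """
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.snat_interface is None:
            continue
        zone = interface_zone(zones, rule.snat_interface)
        if zone is None:
            findings.append((rule.name,
                             f"translation interface {rule.snat_interface} "
                             f"is not assigned to any zone"))
        elif zone != rule.to_zone:
            candidates = sorted(zones.get(rule.to_zone, set()))
            hint = f"; use one of {candidates}" if candidates else ""
            findings.append((rule.name,
                             f"translates to {rule.snat_interface} (zone {zone}) "
                             f"but egress zone is {rule.to_zone}{hint}"))
    return findings


def suggest_fix(zones: Dict[str, Set[str]], rule: NatRule) -> Optional[NatRule]:
    """Return the rule rewritten to use the egress zone's interface.

    Only proposes a fix when the destination zone has exactly one interface,
    so the choice is unambiguous; otherwise returns None.
    """
    members = sorted(zones.get(rule.to_zone, set()))
    if len(members) != 1:
        return None
    return replace(rule, snat_interface=members[0])


def fixed_rules(zones: Dict[str, Set[str]], rules: List[NatRule]) -> List[NatRule]:
    """Apply suggest_fix to every flagged rule; leave the rest untouched."""
    flagged = {name for name, _ in check_snat_rules(zones, rules)}
    out = []
    for rule in rules:
        fix = suggest_fix(zones, rule) if rule.name in flagged else None
        out.append(fix if fix is not None else rule)
    return out


if __name__ == "__main__":
    for name, finding in check_snat_rules(ZONES, RULES):
        print(f"{name}: {finding}")
    for rule in fixed_rules(ZONES, RULES):
        print(f"{rule.name}: snat via {rule.snat_interface}")
```

The check only covers source translation of the "interface address" kind; rules that translate to a static address or an address pool need a route-based check instead and are deliberately left alone here. Whether a rule is actually matching is still a question for the traffic log with the "NAT Applied" and "NAT Source IP" columns, as the answer above describes; this script only catches the configuration inconsistency that would make a matching rule produce unroutable return traffic.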