1-to-1 NAT



OK, I need some help. I have a 1-to-1 NAT that is not working. Monitor > Traffic shows the application as incomplete.

NAT Policy

[image: NAT Policy]

Security Policy

[image: Security Policy]

Monitor

[image: Monitor]


L7 Applicator

Hello Sir,

As per the above screenshot, I assume you have configured a many-to-one destination NAT. Could you please let me know whether the address object "TEST PC RDP Private x.x.x)" is a subnet or a single IP address?

Could you please enable the option shown below on the traffic logs for better understanding:

[image: RDP]

Thanks

L7 Applicator

Adding one more piece of information here:

Incomplete in the application field:

Incomplete means that either the three-way TCP handshake did NOT complete, or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words, the traffic you are seeing is not really an application.

To explain a little more clearly: if a client sends a server a SYN and the Palo Alto device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session would be seen as incomplete.

FYI: KB article: Incomplete, Insufficient data and Not-applicable in the application field

Thanks
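The reply above gives the decision rule for "incomplete"; when you are chasing a destination NAT, the useful next step is to read the NAT columns of the same traffic-log rows, because a session that is incomplete after the destination was translated points at the server (or the translated address), while one whose destination was never translated points at the NAT rule. The script below is an added example, not code from the original thread or from the vendor: the log rows, the public IP 203.0.113.10, the private IP 192.168.1.50 and the simplified column set are constructed and do not reproduce the real PAN-OS CSV field order.

```python
"""Triage constructed traffic-log rows for a 1-to-1 destination NAT.

Added example. The rows below are made up and use a simplified set of
columns (src, dst, natdst, app, from, to, rule, bytes_received,
session_end_reason), not the exact PAN-OS traffic-log CSV layout.
"""
import csv
import io

# Constructed assumptions: the public IP being translated and the host it
# is supposed to translate to.
PUBLIC_IP = "203.0.113.10"
EXPECTED_PRIVATE_IP = "192.168.1.50"

# Constructed sample log: four sessions toward the public IP.
SAMPLE_LOG = """\
src,dst,natdst,app,from,to,rule,bytes_received,session_end_reason
198.51.100.7,203.0.113.10,192.168.1.50,incomplete,WAN,LAN,Allow-RDP,0,aged-out
198.51.100.7,203.0.113.10,192.168.1.50,ms-rdp,WAN,LAN,Allow-RDP,4200,tcp-fin
198.51.100.9,203.0.113.10,203.0.113.10,incomplete,WAN,WAN,Allow-RDP,0,aged-out
198.51.100.9,203.0.113.10,192.168.1.55,incomplete,WAN,LAN,Allow-RDP,0,aged-out
"""


def diagnose(row):
    """Return a short verdict for one log row.

    Order matters: first decide whether NAT happened at all, then whether it
    translated to the right host, and only then interpret 'incomplete'.
    """
    if row["dst"] != PUBLIC_IP:
        return "not-our-nat"
    if row["natdst"] == row["dst"]:
        # Destination was not rewritten: the NAT rule never matched this flow.
        return "nat-rule-not-matched"
    if row["natdst"] != EXPECTED_PRIVATE_IP:
        # Rewritten, but to the wrong host: check the address object's IP,
        # not just its description.
        return f"wrong-translated-address:{row['natdst']}"
    if row["app"] == "incomplete" and int(row["bytes_received"]) == 0:
        # NAT applied and policy allowed the SYN, but nothing came back:
        # the server never answered (host firewall, wrong gateway, down).
        return "no-reply-from-server"
    return "ok"


def triage(log_text):
    """Parse a CSV log and return (src, verdict) for every row."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [(row["src"], diagnose(row)) for row in reader]


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG):
        print(f"{src:15} {verdict}")
```

The last sample row is the case the later poster hit: the translation works, but to a fat-fingered address, so the firewall forwards the SYN to a host that is not listening and the session ages out as incomplete.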

Not applicable

I have the same issue as the OP. I hope someone has an answer. I'll keep an eye on this thread.

I don't know your configuration, but I'm running a PA-VM on ESXi 5.5 with promiscuous mode accepted on the vSwitches in ESXi.

Also tried PAN-OS 5.0.11 and PAN-OS 6.0; both have the same results.

I was able to get mine to work. My issue was not paying attention. When I created the address object I put the correct IP in the description but fat-fingered the actual IP. So at a glance it looked correct. Below are some pics of my working 1-to-1 NAT.

NAT:
[image: NAT]

Security:

[image: Security]

I hope this helps. I know it may look odd where you see the destination as WAN, but I did verify with my PA rep that it is correct.

[image: NAT Original Tab]

[image: NAT Translated Tab]

Security Policy

[image: Security Source Tab]

[image: Security Destination Tab]

[image: Security Application Tab]

Sorry, forgot one image:

[image: Security Service Tab]
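The "looks odd" part of the working configuration above is the standard PAN-OS ordering for destination NAT: the NAT rule is written between the pre-NAT zones (the public IP routes out the WAN interface, so the NAT rule is WAN to WAN), while the security rule is matched against the post-NAT destination zone (LAN) but still against the original, pre-NAT destination address (the public IP). Writing the security rule with the translated private address, or with WAN as its destination zone, produces a rule that never matches. The model below is an added example written for this thread, not the poster's configuration or any vendor code; the zone names, addresses, rule names and routing table are assumptions, and the lookup is deliberately reduced to the zone/address/application fields that matter here.

```python
"""Model of how a destination NAT rule and its security rule are matched.

Added example. Zones, addresses, rule names and the routing table below are
assumptions chosen for illustration. The lookup order mirrors the documented
PAN-OS behaviour: NAT rules match on pre-NAT zones and the original
destination; security rules match on post-NAT zones but the ORIGINAL
destination address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str          # pre-NAT destination zone (where the public IP routes)
    orig_dst: str         # original (public) destination address
    translated_dst: str   # post-NAT (private) destination address


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str          # post-NAT destination zone
    dst: str              # matched against the ORIGINAL destination address
    app: str
    action: str = "allow"


# Assumed routing table used to derive zones by longest-prefix match.
ROUTES = {
    "0.0.0.0/0": "WAN",
    "192.168.1.0/24": "LAN",
}


def zone_for(ip):
    """Return the zone the firewall would route this address to."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


def evaluate(src_zone, dst_ip, app, nat_rules, sec_rules):
    """Return (nat_rule, security_rule, action) for a new session.

    Step 1: NAT lookup on pre-NAT zones and original destination.
    Step 2: post-NAT zone derived from the translated address.
    Step 3: security lookup on post-NAT zones but pre-NAT destination IP.
    """
    pre_nat_zone = zone_for(dst_ip)
    nat_hit, translated = None, dst_ip
    for rule in nat_rules:
        if (rule.from_zone == src_zone and rule.to_zone == pre_nat_zone
                and rule.orig_dst == dst_ip):
            nat_hit, translated = rule, rule.translated_dst
            break
    post_nat_zone = zone_for(translated)
    nat_name = nat_hit.name if nat_hit else None
    for rule in sec_rules:
        if (rule.from_zone == src_zone and rule.to_zone == post_nat_zone
                and rule.dst == dst_ip and rule.app in (app, "any")):
            return (nat_name, rule.name, rule.action)
    return (nat_name, None, "deny")   # implicit interzone deny


# Constructed rules: public 203.0.113.10 -> private 192.168.1.50 for RDP.
NAT_RULES = [NatRule("RDP-DNAT", "WAN", "WAN", "203.0.113.10", "192.168.1.50")]
SEC_CORRECT = [SecRule("Allow-RDP", "WAN", "LAN", "203.0.113.10", "ms-rdp")]
SEC_WRONG_ADDR = [SecRule("Allow-RDP", "WAN", "LAN", "192.168.1.50", "ms-rdp")]
SEC_WRONG_ZONE = [SecRule("Allow-RDP", "WAN", "WAN", "203.0.113.10", "ms-rdp")]


if __name__ == "__main__":
    for label, sec in (("correct", SEC_CORRECT),
                       ("translated IP in security rule", SEC_WRONG_ADDR),
                       ("WAN as security destination zone", SEC_WRONG_ZONE)):
        print(label, "->", evaluate("WAN", "203.0.113.10", "ms-rdp", NAT_RULES, sec))
```

Only the first variant lets the SYN through; the other two fall to the implicit deny, which in the traffic log also shows up as a session that never completes, so the log alone does not distinguish "security rule never matched" from "server never answered" without looking at the rule and NAT columns.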

I had the NAT and security policy already set up exactly the same way, according to the student books :)

Also checked the objects and the IP addresses; all are good.

I have even added an extra NIC to the ESXi server and set the eth1/2 port to the new interface (promiscuous mode accept) so that the management interface and the data interface eth1/2 are on separate NICs but the same LAN.

But it still gives an incomplete.

[image: incomplete]

It has something to do with the PA, because I have a pfSense firewall running on a different external IP address and the static NAT rules on that are working perfectly.

I was planning to replace my pfSense with the VM-PA, also to get some more hands-on experience as we are placing some PAs in the network at my work, but if I don't get the NAT working then I'll stick to pfSense.

Hello StefanvanHattum,

If you are facing any problem with your PA-VM and cannot identify the root cause of the issue, please open a ticket with PAN support and let us know what a good time would be to get together and continue to work on the network. Our number one priority is to ensure that everything is running smoothly at your site and to minimize any business impact the problem may have caused.

Thanks

Hi Hulk,

thank you.

I have created a case at support.

Mind you, this is not impacting any business; this is just a test setup at home for learning purposes.

And I was planning to replace my pfSense, but I don't think I'm going to do that as there is no good way to get Xbox Live to work ;)

Regards,

Stefan.
