09-23-2025 10:58 PM
Dear all
I have a question about snat address pool and route loop; If I set a snat policy and assign a public address pool(range)to it, like 110.1.1.1 to 110.1.1.11 PS. It's being used for visit internet; I have a default route to internet on my firewall, nexthop is ISP, and this ISP have a route about 110.1.1.1 to 110.1.1.11 next hop is my firewall; after then, If a people who trying to ping an address in 110.1.1.1 to 110.1.1.11, there will be a route loop. How do you usual solve this problem? Thanks!!
Best Wishes
09-24-2025 01:25 AM
Hi @459768405 ,
I haven't tested this but methinks you could use a loopback interface to prevent the loop from happening.
Create a Loopback Interface and assign the IP address from your public pool to this new Loopback interface.
Add a static route in your VR that points your public address pool to the Loopback interface as the next hop.
I believe that by doing this, when the ISP sends a packet to an IP in your public pool, the firewall receives it and correctly routes it to the loopback interface. This should prevents the routing loop because the firewall recognizes the traffic as belonging to itself.
Hope this helps,
-Kim.
09-24-2025 01:25 AM
Hi @459768405 ,
I haven't tested this but methinks you could use a loopback interface to prevent the loop from happening.
Create a Loopback Interface and assign the IP address from your public pool to this new Loopback interface.
Add a static route in your VR that points your public address pool to the Loopback interface as the next hop.
I believe that by doing this, when the ISP sends a packet to an IP in your public pool, the firewall receives it and correctly routes it to the loopback interface. This should prevents the routing loop because the firewall recognizes the traffic as belonging to itself.
Hope this helps,
-Kim.
09-24-2025 01:42 AM
Hi, Kiwi
I think this will be work. And maybe I don't have to assign a public ip address to the loopback, maybe I can give it a private address. So it means in paloalto, when a traffic comes into our firewall, nat procedure is before route search; So if a really useful back traffic will count the nat policy( maybe a nat session table) first, and it won't be route to the loopback, am I right?
I have done this on a firewall which from another manufacture, When I config a nat pool, it will auto config a route about the pool, and next hop is null0, I think the theory is same like config a loopback and a route.
By the way, very like your ID and picture, the kiwi bird is so cute, LOL
Best Wishes
Du
09-25-2025 12:14 AM
there should not be a routing loop if you add at least 1 IP (e.g. 110.1.1.1/24) with the appropriate subnet to your public interface
from that moment forward, the firewall can proxy-arp for all ip addresses in the subnet if needed (and per the NAT configuration) and will also account for reply packets from any outbound sessions using that nat pool
Your NAT pool will trigger that proxy-arp so you wouldn't even need a static route on your ISP router
09-25-2025 12:30 AM
Thanks! If I config an address which is in the same subnet with my nat address pool, there will not have a routing loop yet. but if some one try to ping an address in my address pool, I think there will have some unuseful arp packet will be send from the interface which faced internet. but it's better than a routing loop. But if we have got to config an address on the interface which in the different subnet with the pool, maybe we need to config loopback interface&route and something to solve this potential problem.
09-25-2025 07:16 AM
an ip pool in an outbound nat rule is meant to be used only for source nat. this means the ip addresses will not be pingable at all.
only if
1. you create inbound NAT rules where the original destination is in your subnet with a nat translation destination that understands ping or,
2. you bind the desired IP to your public interface/loopback in untrust zone so it can respond to ping
an outbound pool does not provide inbound connectivity
09-25-2025 07:00 PM
Yes, but cause of the ip address not be pingable, firewall don't know these address are assign to its, then I think it will search the routing table and hit the default route, then firewall will forward the ping packet to ISP, but in ISP device, the packet will hit the route which nexthop is our firewall, the loop is created. but this is not a big problem, cause of TTL.
09-26-2025 04:55 AM
you can fix that by setting a intrazone deny rule for untrust zone 🙂 (untrust to untrust block)
this is best practice so if you have not done this, look into setting up explicit external rules
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
