10-23-2016 11:32 PM
Hello,
We have BGP routing on the WAN interface with the WAN IP and an additional subnet IP address, which is advertised by the firewall to the ISP. When we create a NAT translation from a private IP address to a public IP address from this additional subnet, we don't receive any traffic for it at all. It's not visible under the Monitor tab. When we check the BGP status, it is correctly advertising the whole subnet. However, when we create a loopback, the NAT translation starts working straight away without any other changes.
Is Palo Alto not advertising ARP for the NAT translation when this IP is not on a directly connected interface? Is this expected behaviour?
Thanks in Advance.
10-25-2016 02:00 PM - edited 10-25-2016 02:01 PM
You need to create a route for the additional subnet that needs the translations. If there isn't an entry in the routing table, the traffic will be dropped before the NAT is processed. If you look at the packet flow, a lookup is done early in the flow, before the actual forwarding is done. If the lookup fails, it gets dropped.
Have a look at this document on page 4 to see where the route lookup happens before NAT lookup.
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf
I've had to do this in a couple of locations. You can just create a dummy route for each host you need to NAT or a route for the entire subnet. The route doesn't even need to have a next hop address, just an entry. I typically use the untrust interface for forwarding.
Here is an example of one I have (e1/1 is untrust). The 209 address is in the extra subnet that was assigned, not in the same network as the ISP-facing interface.
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf interface ethernet1/1
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf metric 10
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf destination 209.x.x.x/32
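The reply's workaround, written out as a small planning script (an added example, not code from the thread or from Palo Alto Networks): for each NAT public address that sits in the extra advertised subnet rather than in the directly connected untrust subnet, it emits the same three interface-only `set` lines shown above, or a single route for the whole extra subnet. The subnet values, host list, `ethernet1/1`, the `default` virtual router and the `Fake_Static_*` names are constructed for the example; the 31-character limit on route names is assumed here, not stated in the thread.

```python
"""Plan PAN-OS 'dummy' static routes for NAT addresses in an advertised-but-not-connected subnet.

Added example following the reply above: the route only needs an interface (no next hop)
so that the ingress route lookup, which happens before the NAT lookup, finds an entry.
All addresses, names and interfaces below are constructed sample values.
"""
import ipaddress

SET_PREFIX = "set network virtual-router {vr} routing-table ip static-route {name}"
MAX_ROUTE_NAME = 31  # assumed PAN-OS limit on static-route names


def route_commands(name, destination, interface, vr="default", metric=10):
    """Return the three 'set' lines for one interface-only static route,
    in the same form as the example in the thread."""
    if len(name) > MAX_ROUTE_NAME:
        raise ValueError(f"route name {name!r} longer than {MAX_ROUTE_NAME} characters")
    prefix = SET_PREFIX.format(vr=vr, name=name)
    return [
        f"{prefix} interface {interface}",
        f"{prefix} metric {metric}",
        f"{prefix} destination {destination}",
    ]


def plan_nat_routes(nat_public_ips, extra_subnet, connected_subnet, interface,
                    per_host=True, vr="default"):
    """Decide which NAT addresses need a dummy route and build the commands.

    Hosts inside the directly connected untrust subnet are skipped: the connected
    route already gives the lookup an entry. Hosts in neither subnet are rejected
    so a typo does not silently create a route for an address the firewall
    does not own. Returns {"commands": [...], "skipped": [...]}.
    """
    extra = ipaddress.ip_network(extra_subnet)
    connected = ipaddress.ip_network(connected_subnet)
    if extra.overlaps(connected):
        raise ValueError("extra subnet must not overlap the connected subnet")

    needs_route, skipped = set(), []
    for raw in nat_public_ips:
        ip = ipaddress.ip_address(raw)
        if ip in connected:
            skipped.append(str(ip))
        elif ip in extra:
            needs_route.add(ip)
        else:
            raise ValueError(f"{ip} is in neither {extra} nor {connected}")

    commands = []
    if per_host:
        # One /32 route per translated host, as in the reply's example.
        for ip in sorted(needs_route):
            name = "Fake_Static_" + str(ip).replace(".", "_")
            commands += route_commands(name, f"{ip}/32", interface, vr)
    elif needs_route:
        # Alternative from the reply: one route covering the whole extra subnet.
        commands += route_commands("Fake_Static_Extra_Subnet", str(extra), interface, vr)
    return {"commands": commands, "skipped": skipped}


if __name__ == "__main__":
    # Constructed sample: /30 ISP link plus a /24 advertised via BGP.
    plan = plan_nat_routes(
        ["203.0.113.10", "203.0.113.20", "198.51.100.2"],
        extra_subnet="203.0.113.0/24",
        connected_subnet="198.51.100.0/30",
        interface="ethernet1/1",
    )
    print("\n".join(plan["commands"]))
    print("# skipped (already connected):", ", ".join(plan["skipped"]))
```

Run it as-is to see the per-host form; pass `per_host=False` to get the single subnet route instead. Either way the output is pasted into configure mode, followed by a commit, exactly as the reply's example would be.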
10-24-2016 10:37 PM
I know that the FW will not proxy ARP for NAT addresses only in vwire mode. What about in layer 3 mode?
The issue is that it appears that NAT doesn't ARP the public IP address to the ISP router. So I created a loopback as a workaround.
Much appreciated if someone can shed some light.
10-25-2016 04:02 PM
Thank you RFalconer for the explanation! It helps.