ARP not advertising for NAT translation

L4 Transporter

Hello,

We have BGP routing on the WAN interface with the WAN IP and an additional IP subnet, which is advertised by the firewall to the ISP. When we create a NAT translation from a private IP address to a public IP address from this additional subnet, we don't receive any traffic for it at all. It's not under the Monitor tab. When we check the BGP status, it is correctly advertising the whole subnet. However, when we create a loopback, the NAT translation starts working straight away without any further changes.

Is Palo Alto not advertising ARP for the NAT translation when this IP is not on a directly connected interface? Is this expected behaviour?

Thanks in advance.

Accepted Solutions

L3 Networker

You need to create a route for the additional subnet that needs the translations. If there isn't an entry in the routing table, the traffic will be dropped before the NAT is processed. If you look at the packet flow, a lookup is done early in the flow, before the actual forwarding is done. If the lookup fails, it gets dropped. 

Have a look at this document on page 4 to see where the route lookup happens before NAT lookup.

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf

 

I've had to do this in a couple of locations. You can just create a dummy route for each host you need to NAT or a route for the entire subnet. The route doesn't even need to have a next hop address, just an entry. I typically use the untrust interface for forwarding.

Here is an example of one I have (e1/1 is untrust). The 209 address is in the extra subnet that was assigned, not in the same network as the ISP-facing interface.

set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf interface ethernet1/1
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf metric 10
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf destination 209.x.x.x/32
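The check this answer describes, as an added example that is not part of the original thread (Python written for this page; the routing table, NAT rules, interface names and the NAT_ route names are constructed assumptions, not the poster's configuration): it does a longest-prefix lookup for each NAT'd public address, flags the ones the virtual router only reaches via the ISP next hop rather than directly on the untrust interface, and emits the same interface-only set commands shown above, either one /32 per host or a single route for the whole extra subnet.

```python
"""Route-before-NAT check for PAN-OS style NAT to a non-connected public subnet.

Added example, not code from the thread. It models the point in the accepted
answer: the ingress route lookup runs before NAT, so a NAT'd public address
from a BGP-advertised block that sits on no interface must still be resolvable
in the virtual router. Addresses, interface names and rule names below are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None  # None = interface-only route (no next hop)
    metric: int = 10


@dataclass(frozen=True)
class NatRule:
    name: str
    public_ip: IPv4Address   # destination as seen from the ISP side
    private_ip: IPv4Address  # real host behind the firewall


def route_lookup(table: list[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, lowest metric on ties; None when the table has no entry at all."""
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def resolves_on_interface(table: list[Route], dst: IPv4Address, interface: str) -> bool:
    """True when the best route puts dst directly on `interface` with no next hop,
    which is exactly the condition the thread's dummy route creates."""
    best = route_lookup(table, dst)
    return best is not None and best.interface == interface and best.next_hop is None


def nat_rules_needing_routes(table: list[Route], nat_rules: list[NatRule], untrust: str) -> list[NatRule]:
    """NAT rules whose public IP is not resolved as local to the untrust interface."""
    return [r for r in nat_rules if not resolves_on_interface(table, r.public_ip, untrust)]


def pan_static_route_cmds(name: str, prefix: IPv4Network, interface: str, metric: int = 10) -> list[str]:
    """PAN-OS set commands for an interface-only static route, same shape as the thread's example."""
    base = f"set network virtual-router default routing-table ip static-route {name}"
    return [f"{base} interface {interface}",
            f"{base} metric {metric}",
            f"{base} destination {prefix}"]


def generate_fix(table: list[Route], nat_rules: list[NatRule], untrust: str,
                 summary: Optional[IPv4Network] = None) -> list[str]:
    """Commands for the missing routes: one /32 per NAT'd host, or one route for the
    whole extra subnet when `summary` is given (the two options the answer offers).
    Route names (NAT_<rule>, NAT_Block) are an assumption of this example."""
    missing = nat_rules_needing_routes(table, nat_rules, untrust)
    cmds: list[str] = []
    if missing and summary is not None:
        cmds += pan_static_route_cmds("NAT_Block", summary, untrust)
        missing = [r for r in missing if r.public_ip not in summary]
    for rule in missing:
        cmds += pan_static_route_cmds(f"NAT_{rule.name}", ip_network(f"{rule.public_ip}/32"), untrust)
    return cmds


# Constructed topology: ethernet1/1 is untrust on 203.0.113.0/30 with the ISP router at .1,
# 198.51.100.0/24 is the extra block advertised over BGP, 10.0.0.0/24 is inside.
UNTRUST = "ethernet1/1"
TABLE = [
    Route(ip_network("203.0.113.0/30"), UNTRUST),                           # connected WAN link
    Route(ip_network("10.0.0.0/24"), "ethernet1/2"),                        # connected inside
    Route(ip_network("0.0.0.0/0"), UNTRUST, ip_address("203.0.113.1")),      # default via ISP
]
NAT_RULES = [
    NatRule("web", ip_address("198.51.100.10"), ip_address("10.0.0.10")),
    NatRule("vpn", ip_address("198.51.100.11"), ip_address("10.0.0.11")),
    NatRule("legacy", ip_address("203.0.113.2"), ip_address("10.0.0.12")),  # on the WAN link itself
]


if __name__ == "__main__":
    for rule in NAT_RULES:
        best = route_lookup(TABLE, rule.public_ip)
        print(f"{rule.name:8} {rule.public_ip} -> {best.prefix} via {best.next_hop or best.interface}")
    print("\n".join(generate_fix(TABLE, NAT_RULES, UNTRUST)))
```

The sample table deliberately keeps a default route, as a BGP-fed WAN normally has one, so the lookup for 198.51.100.10 is not empty but resolves to the ISP next hop; the check therefore asks whether the best route is an interface-only route on untrust rather than whether any route exists. Once the /24 (or the per-host /32s) is in the table it wins over the default route by longest-prefix match, and the rule for 203.0.113.2, which already lies in the connected WAN subnet, is correctly left alone.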


L4 Transporter

I know that the FW will not proxy ARP for NAT addresses only in vwire mode. What about in layer 3 mode?

The issue is that it appears that NAT doesn't ARP the public IP address to the ISP router. So I created a loopback as a workaround.

Much appreciated if someone can shed some light.



L4 Transporter

Thank you RFalconer for the explanation! It helps.
