09-26-2011 07:14 AM
10-05-2011 09:01 AM
Hi,
The document at this link explains how to create a NAT policy which excludes addresses from a pool:
10-05-2011 09:12 AM
This looks as if it would create a "No NAT" rule for the internal addressing. I would need this to exclude addresses in the "External" addressing (Outside World). I cannot create a rule simply being a range from .1-.254 because I am creating the rule to encompass the entire /21 external subnet, and the PA will not allow multiple external ranges in the translation of a single rule, so i would not be able to break these down per /24 external subnet and create the ranges excluding the .0 and .255 addresses.
11-09-2011 12:25 AM
have you tried to specify ranges that start @ .1 and end on .254 instead of using CIDR notation?
11-11-2011 01:03 PM
This would not work, because the Palo-Alto does not support multiple external ranges within one Dynamic Policy. Therefore you would only be able to create a single /24 network per policy, and that is not feasible in a system with over 10,000 internal users. Currently, the PA does not support multiple external ranges per policy, or NAT/PAT overload. This could easily be accomplished with a radio button to exempt network and broadcast addresses from the pool.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
