Destination NAT on a Vwire?
cancel
Showing results for 
Search instead for 
Did you mean: 

Destination NAT on a Vwire?

L1 Bithead

Is there documentation on how to do this?  All I have found is incomplete.  Is the Destination Zone the same or different than the Source Zone?  Do the addresses have to include the subnet mask?  Are there any complete examples available?

10 REPLIES 10

L4 Transporter

Understanding PAN-OS NAT

Page 26, have you reviewed this yet?

Dominic

Yes, it shows a vwire NAT policy. It mentions that a vwire NAT security policy is needed but doesn't show it.  It also uses names instead of IPs so I don't know if the names include masks.
I also tried the Static NAT policy example but it didn't work either.

Page 21 shows you the objects.. no subnets

When you look at the session is the NAT rule being matched and NAT not applied? Or not matched at all.

To view the session live from the CLI use the following;

pa> show session all filter source <ip> destination <ip>

pa> show session id <id>

Look for NAT rule

Dominic

ok, my objects do not have subnets either.

No Active Sessions...

Pretty aggravated - I appreciate your help very much!

Hello kentjday,

Just to let you know, the Virtual Wire NAT will only support IP address translation on an address which is not on the same subnet as the endpoint which is directly connected to our firewall.

Thanks


My public address is x.x.106.137

My private address is 192.168.100.1

So if I understand your statement correctly I think they should work.

"No Active Sessions…"


There's your first problem. Doesn't look like the traffic is even hitting the VWIRE. In the 'show session all filter' command you used Pre-NAT IPs to filter correct?


D

Yes, and then I tried "show session all".  the same response.

ok nothing to do with NAT the V-wire is not working at all. I would start with checking the V-wire configuration and security policy.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!