This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Destination NAT on a Vwire?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Destination NAT on a Vwire?

kentjday
L1 Bithead

‎09-10-2014 07:32 AM

Is there documentation on how to do this?  All I have found is incomplete.  Is the Destination Zone the same or different than the Source Zone?  Do the addresses have to include the subnet mask?  Are there any complete examples available?

1 person had this problem.
Labels:
0 Likes Likes
10 REPLIES 10

dburns
L4 Transporter

‎09-10-2014 07:37 AM

Understanding PAN-OS NAT

Page 26, have you reviewed this yet?

Dominic

0 Likes Likes

kentjday
L1 Bithead
In response to dburns

‎09-10-2014 07:43 AM

Yes, it shows a vwire NAT policy. It mentions that a vwire NAT security policy is needed but doesn't show it.  It also uses names instead of IPs so I don't know if the names include masks.
I also tried the Static NAT policy example but it didn't work either.

0 Likes Likes

dburns
L4 Transporter
In response to kentjday

‎09-10-2014 07:51 AM

Page 21 shows you the objects.. no subnets

When you look at the session is the NAT rule being matched and NAT not applied? Or not matched at all.

To view the session live from the CLI use the following;

pa> show session all filter source <ip> destination <ip>

pa> show session id <id>

Look for NAT rule

Dominic

0 Likes Likes

kentjday
L1 Bithead
In response to dburns

‎09-10-2014 08:02 AM

ok, my objects do not have subnets either.

No Active Sessions...

Pretty aggravated - I appreciate your help very much!

0 Likes Likes

HULK
L7 Applicator
In response to kentjday

‎09-10-2014 08:03 AM

Hello kentjday,

Just to let you know, the Virtual Wire NAT will only support IP address translation on an address which is not on the same subnet as the endpoint which is directly connected to our firewall.

Thanks

0 Likes Likes

kentjday
L1 Bithead
In response to HULK

‎09-10-2014 08:07 AM


My public address is x.x.106.137

My private address is 192.168.100.1

So if I understand your statement correctly I think they should work.

0 Likes Likes

dburns
L4 Transporter
In response to kentjday

‎09-10-2014 08:07 AM

"No Active Sessions…"


There's your first problem. Doesn't look like the traffic is even hitting the VWIRE. In the 'show session all filter' command you used Pre-NAT IPs to filter correct?


D

0 Likes Likes

kentjday
L1 Bithead
In response to dburns

‎09-10-2014 08:09 AM

Yes, and then I tried "show session all".  the same response.

0 Likes Likes

dburns
L4 Transporter
In response to kentjday

‎09-10-2014 08:13 AM

ok nothing to do with NAT the V-wire is not working at all. I would start with checking the V-wire configuration and security policy.

0 Likes Likes

HULK
L7 Applicator
In response to kentjday

‎09-10-2014 08:14 AM

FYI.. This is not supported:

NAT-vwire-unsupported.jpg

Thanks

0 Likes Likes
  • 5164 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks