Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Destination NAT with different subnet of Outside interface.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Destination NAT with different subnet of Outside interface.

Not applicable

Hello,

Outside interface of Palo Alto firewall is configured with aaa.bbb.ccc.ddd /30 subnet.

I have some servers in DMZ those need to be accessed via internet with IP address(es)/subnet ZZZ.XXX.YYY.VVV/24.

I have configured Destination Nat( including Security Policy) for these servers with the IP addresses as mentioned above.

Please let me know how this can work? Do we need to add static route on upstream router for new subnet?

Regards,

13 REPLIES 13

L6 Presenter

so you mean zzz.xxx.yyy.vvv/24 is public ip subnet also ?

Yes, zzz.xxx.yyy.vvv/24 is public subnet.

ok so when accessing this /24 subnet from internet that traffic should come to aaa.bbb.ccc.ddd /30's interface(upstream should route that traffic)

you can add this /24 subnet to the outside interface as second.

panos, would please let me know how we can add secondary IP address to Outside interface of FW?

layer3.png

panos, Thanks a lot.

panos, I have configured upstream router with static routes for secondary subnet towards outside interface of PA FW.

Apart from this Destination Nat is configured with Security Policies to allow the traffic.

Would you please let us know how to troubleshoot? still the servers are not accessible from internet form secondary subnet.

Regards,

Parvez  

you may use packet capture to troubleshoot while accessing from outside to that secondary subnet

so that we'll see if traffic comes(and we drop)  or not

if not so problem is related to upstream

be careful about the rule

you have to create the rule from internet to DMZ base on the ZZZ.XXX.YYY.VVV/24 ip and not on the NAT ip.

if you have a rule like deny all at the bottom of the rule list, you will see if a deny action is present in the traffic log.

regard's

L5 Sessionator

Keep that in mind :

nat.JPG.jpg

Hope help

V.

Gregoux, If I will put deny all at the bottom, Do we need to allow separate rules outside to outside, DMZ to DMZ and Inside to inside for all traffic.

Thanks a lot. I created the rules as mentioned in this snapshot.

Not applicable

Thanks a lot . The migration was successful.

  • 6684 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!