05-08-2010 05:20 AM
Hello,
I need to configure a NAT from a Cisco PIX with config below to PAN. I configured NAT on PAN but the NAT doesn't seem to work.
PIX Config:
static (inside,outside) webpublicip 172.16.10.10 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.10.10 172.16.10.10 netmask 255.255.255.255 0 0
PAN config
NAT rule: Source Zone-> Outside, Des Zone->Outside, Source- Any, Destination-> webpublicip and in the translated packet Destination-> 172.16.10.10
Security rule: Source Zone-> Outside, Des Zone->Inside, Source- Any, Destination-> webpublicip
In monitor traffic log, I do a filter on webpublicip but it says no NAT applied and we can't access this web server from Internet.
Note that the outside interface on PAN is on a private IP.
Would appreciate your help on this.
thanks
05-08-2010 04:54 PM
Since your outside interface on the PAN is a private IP, you can configure a loopback address (and associated VR) using your WebPublicIP and assign it to the "outside" zone. You will want your external router to have a route statement directing traffic bound for WebPublicIP to be sent to the private IP on the outside interface. The NAT and Security policies you configured for the PAN should then work.
05-09-2010 08:30 AM
Hello
You are suggesting that I create a loopback with an IP same as the WebPublicIP and have the same VR and Untrust zone as the WebPublicIP assigned to it?
In the NAT policies, I also have the option to specify a destination interface, should I select the loopback or leave it to none?
Do I need any other static routes on PA to route to the 172.16.0.0 networks?
In this case, we are just replacing a PIX, so they have the inbound static route already.
thanks
05-10-2010 03:34 PM
Answers are inline.
You are suggesting that I create a loopback with an IP same as the WebPublicIP and have the same VR and Untrust zone as the WebPublicIP assigned to it? Yes.
In the NAT policies, I also have the option to specify a destination interface, should I select the loopback or leave it to none? None.
Do I need any other static routes on PA to route to the 172.16.0.0 networks? Since it is directly connected, you don't need a static route.
In this case, we are just replacing a PIX, so they have the inbound static route already.
thanks
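Added example, not part of the thread or of any Palo Alto code: a small Python model of why the rule pair in the original post uses different destination zones for the NAT rule and the security rule. It assumes general PAN-OS behaviour (NAT matched on pre-NAT zones, security policy matched on the pre-NAT address with the post-NAT zone); the address 203.0.113.10 standing in for webpublicip, the 10.0.0.0/24 outside subnet and the 172.16.0.0/16 mask are constructed.

```python
import ipaddress

# Constructed values: the thread never gives the real public address or the
# outside subnet, so documentation/private ranges stand in for them.
WEB_PUBLIC_IP = "203.0.113.10"   # stands in for "webpublicip"
WEB_REAL_IP = "172.16.10.10"     # from the thread

# Route -> zone table (assumed layout; loopback /32 as in the 05-08 reply).
ROUTES = [
    ("203.0.113.10/32", "outside"),  # loopback holding webpublicip
    ("10.0.0.0/24", "outside"),      # private outside interface (assumed subnet)
    ("172.16.0.0/16", "inside"),     # directly connected server network
    ("0.0.0.0/0", "outside"),        # default route to the external router
]

def zone_for(ip):
    """Longest-prefix match of ip against ROUTES, returning the egress zone."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(n), z) for n, z in ROUTES]
    return max((nz for nz in nets if addr in nz[0]), key=lambda nz: nz[0].prefixlen)[1]

def evaluate(dst_ip, nat_rule, sec_rule, src_zone="outside"):
    """Return (nat_applied, allowed, final_dst) for one inbound packet."""
    # NAT lookup: zones come from the ORIGINAL (pre-NAT) destination address.
    pre_zone = zone_for(dst_ip)
    nat_hit = (nat_rule["from"], nat_rule["to"], nat_rule["dst"]) == (src_zone, pre_zone, dst_ip)
    final_dst = nat_rule["translate_to"] if nat_hit else dst_ip
    # Security lookup: pre-NAT destination address, zone of the post-NAT address.
    post_zone = zone_for(final_dst)
    allowed = (sec_rule["from"], sec_rule["to"], sec_rule["dst"]) == (src_zone, post_zone, dst_ip)
    return nat_hit, allowed, final_dst

# The rule pair from the original post.
NAT_RULE = {"from": "outside", "to": "outside", "dst": WEB_PUBLIC_IP, "translate_to": WEB_REAL_IP}
SEC_RULE = {"from": "outside", "to": "inside", "dst": WEB_PUBLIC_IP}

# Variants for comparison: NAT rule written with the server's zone, and a
# security rule written with the server's private (post-NAT) address.
NAT_RULE_INSIDE = dict(NAT_RULE, to="inside")
SEC_RULE_PRIVATE = dict(SEC_RULE, dst=WEB_REAL_IP)

if __name__ == "__main__":
    print(evaluate(WEB_PUBLIC_IP, NAT_RULE, SEC_RULE))
    print(evaluate(WEB_PUBLIC_IP, NAT_RULE_INSIDE, SEC_RULE))
    print(evaluate(WEB_PUBLIC_IP, NAT_RULE, SEC_RULE_PRIVATE))
```

In this model only the pair from the original post both translates and permits the packet; either variant leaves the web server unreachable.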