How to configure NAT for untagged subinterfaces?

L0 Member

I'm trying to set up a fairly simple configuration where we have our separate wired and wireless networks connecting to the internet via one shared interface, eth1/1.

Basically, I am attempting to replicate the configuration here https://live.paloaltonetworks.com/docs/DOC-1884 (but with only 2 local networks, not 3). This document stresses that explicit NAT rules must be set up, but does not give an example on how to do this.

I have set up untagged subinterfaces, the virtual routers, policies and what I believe to be the correct NAT policies. I know these are correct because if I only set up one subinterface everything is OK.

As soon as I set up a second subinterface and hook it up to the virtual router, traffic stops flowing. I am assuming that is because I have not created the NAT policy correctly.

Please can somebody provide an example NAT policy for an untagged subinterface?

Thanks.


Accepted Solutions
L2 Linker

Without source NAT, untagged subinterfaces will not work. We have to map traffic to a particular zone/vsys based on the destination of that packet (it must match a subinterface IP address). Please refer to the following doc in order to configure the right NAT rules for untagged subinterfaces. Please let us know if that helps.

https://live.paloaltonetworks.com/docs/DOC-2781

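The kind of rule the accepted answer describes, as an added example that is not from the thread or the linked doc: one outbound source NAT rule per untagged subinterface, translating to that subinterface's own address so that return traffic matches the subinterface IP and is classified to the right zone. The zone names (wired, wireless, untrust), the subinterface numbers and the absence of a vsys prefix are constructed assumptions; check the exact keywords against the PAN-OS version in use.

```text
# Wired LAN: traffic leaving via untagged subinterface ethernet1/1.1 is
# source-translated to that subinterface's address, so replies come back
# addressed to ethernet1/1.1 and are classified into the wired zone.
set rulebase nat rules wired-outbound from wired to untrust
set rulebase nat rules wired-outbound source any destination any service any
set rulebase nat rules wired-outbound to-interface ethernet1/1.1
set rulebase nat rules wired-outbound source-translation dynamic-ip-and-port interface-address interface ethernet1/1.1

# Wireless LAN: same pattern, bound to untagged subinterface ethernet1/1.2.
set rulebase nat rules wireless-outbound from wireless to untrust
set rulebase nat rules wireless-outbound source any destination any service any
set rulebase nat rules wireless-outbound to-interface ethernet1/1.2
set rulebase nat rules wireless-outbound source-translation dynamic-ip-and-port interface-address interface ethernet1/1.2

# In a multi-vsys deployment each rule lives in its own vsys rulebase,
# i.e. prefix the lines above with "set vsys vsysN".
```

Each subinterface therefore needs its own rule; a single rule translating to the parent interface address is what leaves the second subinterface's return traffic unclassified.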

All Replies
L0 Member

Hi

We have the exact same scenario, but rather than doing the NAT with the IP address of the interface, we need to NAT with one of the IP addresses in the same range as the FW subinterface (untagged).

What we are trying to do is a PA firewall running multiple VSYS; each VSYS will share one physical interface with multiple untagged subinterfaces, and each VSYS is to get one public IP from the same range. Also, for some of the extra remaining public IP addresses we need to perform 1-to-1 NAT.

1-to-1 NAT works fine when the public IP address is configured on the main (untagged) interface of the FW; NAT doesn't work anymore when we move the public IP to the untagged subinterface. However, the multiple VSYS with untagged subinterfaces can still communicate with the outside world via the IP addresses assigned on the untagged subinterfaces.

Please could you help? Thanks
