How to configure NAT for untagged subinterfaces?


L0 Member

I'm trying to set up a fairly simple configuration where we have our separate wired and wireless networks connecting to the internet via one shared interface, eth1/1.

Basically, I am attempting to replicate the configuration here https://live.paloaltonetworks.com/docs/DOC-1884 (but with only 2 local networks, not 3). This document stresses that explicit NAT rules must be set up, but does not give an example on how to do this.

I have set up untagged subinterfaces, the virtual routers, policies and what I believe to be the correct NAT policies. I know these are correct because if I only set up one subinterface everything is OK.

As soon as I set up a second subinterface and hook it up to the virtual router, traffic stops flowing. I am assuming that is because I have not created the NAT policy correctly.

Please can somebody provide an example NAT policy for an untagged subinterface?

Thanks.

1 accepted solution

Accepted Solutions

L2 Linker

Without source NAT, untagged subinterfaces will not work. We have to map traffic to a particular zone/vsys based on the destination of that packet (it must match a subinterface IP address). Please refer to the following doc in order to configure the right NAT rules for untagged subinterfaces. Please let us know if that helps.

https://live.paloaltonetworks.com/docs/DOC-2781

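The accepted answer's rule is that, with several untagged subinterfaces sharing one physical interface, the firewall can only hand a returning packet to the right zone/vsys if its destination address is that subinterface's own IP, which is why every outbound rule needs source NAT to the subinterface address. The following is an added example, not PAN-OS configuration or code from the linked documents: a small Python checker over a constructed two-vsys model (interface names, zones, vsys names, addresses and rule names are all assumptions) that flags outbound rules lacking source NAT or translating to an address the return-path mapping cannot resolve, and simulates the destination-based return mapping. It generalizes slightly beyond the thread by also reporting, as a warning rather than an error, the case the second poster asks about (translating to another address in the subinterface's subnet), since the thread confirms only the interface IP itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the thread's topology: one physical interface (eth1/1)
# shared by two vsys through untagged subinterfaces. All values are assumptions.


@dataclass(frozen=True)
class Subinterface:
    name: str                          # e.g. "ethernet1/1.1" (assumed naming)
    vsys: str                          # vsys (or virtual router) it belongs to
    zone: str                          # untrust zone it faces
    ip: ipaddress.IPv4Interface        # address/prefix on the subinterface


@dataclass(frozen=True)
class NatRule:
    name: str
    vsys: str
    from_zone: str
    to_zone: str
    source_translation: Optional[str]  # translated source IP; None = no source NAT


Finding = Tuple[str, str, str]         # (rule name, level, message)


def check_nat_rules(subs: List[Subinterface], rules: List[NatRule]) -> List[Finding]:
    """Apply the accepted answer's rule: outbound traffic through a shared untagged
    subinterface must be source-NATed to that subinterface's IP so that return
    traffic (destination = that IP) can be mapped back to the right zone/vsys."""
    findings: List[Finding] = []
    by_vsys: Dict[str, Subinterface] = {s.vsys: s for s in subs}

    # Two subinterfaces with the same address could never be told apart on return.
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for s in subs:
        if s.ip.ip in seen:
            findings.append((s.name, "ERROR", f"shares IP {s.ip.ip} with {seen[s.ip.ip]}"))
        seen[s.ip.ip] = s.name

    for r in rules:
        sub = by_vsys.get(r.vsys)
        if sub is None or r.to_zone != sub.zone:
            continue                    # not an outbound rule through the shared interface
        if r.source_translation is None:
            findings.append((r.name, "ERROR",
                             f"no source NAT: return traffic cannot be mapped to {r.vsys}"))
            continue
        translated = ipaddress.ip_address(r.source_translation)
        if translated == sub.ip.ip:
            findings.append((r.name, "OK", f"translates to {sub.name} address {translated}"))
        elif translated in sub.ip.network:
            findings.append((r.name, "WARN",
                             f"{translated} is in {sub.name}'s subnet but is not its IP; "
                             "only the interface IP is confirmed to work"))
        else:
            findings.append((r.name, "ERROR",
                             f"{translated} is not on {sub.name}'s subnet {sub.ip.network}"))
    return findings


def classify_return_packet(dst_ip: str, subs: List[Subinterface]) -> Optional[str]:
    """Destination-based mapping of a returning packet to a vsys, as the accepted
    answer describes it: only an exact subinterface IP match resolves."""
    dst = ipaddress.ip_address(dst_ip)
    for s in subs:
        if s.ip.ip == dst:
            return s.vsys
    return None


def sample_config() -> Tuple[List[Subinterface], List[NatRule]]:
    """Constructed sample: wired network in vsys1, wireless in vsys2 (assumed)."""
    subs = [
        Subinterface("ethernet1/1.1", "vsys1", "untrust", ipaddress.ip_interface("203.0.113.10/24")),
        Subinterface("ethernet1/1.2", "vsys2", "untrust", ipaddress.ip_interface("203.0.113.11/24")),
    ]
    rules = [
        NatRule("wired-out", "vsys1", "trust-wired", "untrust", "203.0.113.10"),
        NatRule("wifi-out-no-nat", "vsys2", "trust-wifi", "untrust", None),
        NatRule("wifi-out", "vsys2", "trust-wifi", "untrust", "203.0.113.11"),
        NatRule("wifi-out-spare-ip", "vsys2", "trust-wifi", "untrust", "203.0.113.20"),
    ]
    return subs, rules


if __name__ == "__main__":
    subs, rules = sample_config()
    for name, level, msg in check_nat_rules(subs, rules):
        print(f"{level:5} {name}: {msg}")
    print("return packet to 203.0.113.11 ->", classify_return_packet("203.0.113.11", subs))
```

Run as a script to see one finding per rule; the rule without source NAT and the one translating outside the subnet are the two shapes of the "traffic stops flowing" symptom in the question, while the same-subnet-but-not-interface-IP case is the open question from the second reply.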

2 REPLIES

Hi,

We have the exact same scenario, but rather than doing the NAT with the IP address of the interface, we need to NAT with one of the IP addresses in the same range as the FW subinterface (untagged).

What we are trying to do is a PA firewall running multiple VSYS; each VSYS will share one physical interface with multiple untagged subinterfaces, and each VSYS gets one public IP from the same range. Also, for some of the remaining public IP addresses we need to perform 1-to-1 NAT.

1-to-1 NAT works fine when the public IP address is configured on the main (untagged) interface of the FW; NAT doesn't work anymore when we move the public IP to a subinterface (untagged). However, the multiple VSYS with untagged subinterfaces can still communicate with the outside world via the IP addresses assigned on the untagged subinterfaces.

Please could you help? Thanks
