- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- 5G
- IoT Security
- Prisma SD-WAN
Network Security
- Prisma Access
- Prisma SaaS
- Prisma Cloud
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Many-to-Many NAT (Both Direction)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Many-to-Many NAT (Both Direction)
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-09-2021 06:01 AM
Hi Everyone,
I am struggling to solve a problem NAT issue and need some help. I need to configure May-to-Many NAT on Palo Alto Firewall between two data centers. I have three /25 IPv4 subnets which needs to be mapped to three /25 subnets (subnet to subnet basis if not one to one IP basis) and three IPv6 /40 subnets needs same treatment. Traffic is expected to come from both direction inside to outside and outside to inside on specified TCP, UDP and ICMP ports. I have PA3220 which has been upgraded to PAN OS 9.0 and I will applicate if you can suggest best way to achieve this? Do I need to consider any resource limitation as I have three /25 IPv4 and three /40 IPv6 subnets which can overwhelm the resource?
Thanks
RT
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-09-2021 08:00 AM
Hello,
How are the two data centers connected? Just curious as to why you need the NAT?
Regards,
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-09-2021 08:34 AM
Yes they are connected but part of Migration work and removing Overlapping addresses requires NAT.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-09-2021 08:44 AM
Hello,
Please check out these articles and see if they help out.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLTlCAO
Regards,
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-09-2021 08:53 AM
Thank you for the prompt reply. I will check your suggested solution. In the meantime please could you tell me if it possible to solve by NAT or its impractical?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-09-2021 08:55 AM
While I have not had to do this. The articles go into this using NAT when you have the same subnets on the both sides.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-09-2021 09:07 AM
I do have similar challenges due to migration work hence wanted to employ NAT as traffic is expected both ways between subnets hence NAT seems good option.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
a month ago - last edited a month ago
All,
I have noticed when Destination NAT configured for IPs which aren't configured on Firewall packets are being dropped so /25(IPv4) and /40(IPv6). If I add subnet as a Loopback interrace on firewall then NAT works. I tried using static discard route (Null route) but its not solving the issue. I am guessing its proxy-arp issue or is it something else? Any other way to solve the issue?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
a month ago
I would do this using several NAT rules (one for each subnet). See the third example on the static NAT section for use with subnets. (I have also configured and tested this in the past)
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
