I'm hoping the community can help me with this one, as I've scoured the internet and cannot seem fo find an answer: Basic scenario is I've got a udp multicast video feed playing on a computer in on my "inside" zone (source 172.16.30.249 dest: 18.104.22.168:50000), and I want to be able to see that feed on VLC on a host connected to my "outside" zone with the source of the feed NAT'ed to an external address (10.240.2.10) Simple enough- or at least should be.. For now, just to get video flowing, I've got just an ANY ANY rule between the two zones (will lock it down later) and the virtual router is set up for multicast with IGMPv2 / PIM and Static RP etc. That all works. My PC on the outside receives the feed, and my video is playing though and everything looks good.
however... when I run wireshark on the destination VLC PC, the packets coming in still have their "inside" host address as the source. I want to hide those internal IPs on our outside network as they are not routable past the PA. This is where in my past cisco World, i simply perform a simple one-to-one static NAT to a free outside IP (for example 172.16.30.249 -> 10.100.1.10) and everything would show up on my outside with a proper "outside" IP as the source (and the same multicast group as the destination). again keep in mind this is a UDP multicast M2TS feed, not RTP or RTSP.
With the Palo, for the life of me, no matter how I spin the NAT's rules, I cannot get them to adjust the source of the packets on my destination host wireshark (or for that matter even get a hit on the rule). I see the traffic coming and going in the trafic monitor and predictably the "to zone" shows multicast.. But that is not an option in palo's NAT world (other than the "any" zone) but that doesnt seem to work either.
I can't be the only person to want to do a static NAT of a multicast source IP Address, and any advice on how to get the NATs working would be appreciated. This should be easy, it is on my Cisco ASA's but like I say it's just not working. We want to switch over to PAs everywhere, but this for us would be a show-stopper. Also just a note, running the PA VM firewall with 9.1.2 H1 firmware.
Thanks in advance,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!