05-04-2023 04:59 AM
I'm moving some rules from an ASA we will be decommissioning at another location to our local PA-5220 for an IPSEC tunnel that we are migrating. The existing rule set on our ASA is NAT'ing our /16 subnet onto a /24 which technically could be an issue but we have few users that use this tunnel so it isn't an issue and they could come from a number of places on our internal /16.
Is there a way to do this with PAN-OS? When I looked at this document: Getting Started: Network Address Translation (NAT) - Knowledge Base - Palo Alto Networks it had a caveat about being the same size subnets but it looks like that is only if using Dynamic IP and NOT dynamic IP and port. I'm just uncertain at the moment if this tunnel requires the source ports to remain the same - I doubt it but it's possible.
Thanks in advance for any help or insight.
05-04-2023 01:57 PM
This will work as long as no communication traversing the tunnel expects a certain source port to function properly. If that isn't a requirement, you could set this to DIPP and it would work perfectly fine.
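The trade-off in the answer above, as an added example that is not part of the original thread and is not PAN-OS code: a simplified model of the two source-NAT modes applied to a /16 translated onto a /24. The class names, the addresses `10.20.0.0/16` and `192.168.50.0/24`, the port range, and the client source port 5060 are all constructed assumptions.

```python
import ipaddress

class PoolExhausted(Exception):
    pass

class DynamicIpNat:
    """One-to-one model: each inside host takes a pool address, source port kept."""
    def __init__(self, pool):
        # Simplification: every address in the pool network is treated as usable.
        self.free = [str(a) for a in ipaddress.ip_network(pool)]
        self.by_host = {}

    def translate(self, src_ip, src_port):
        if src_ip not in self.by_host:
            if not self.free:
                raise PoolExhausted(src_ip)
            self.by_host[src_ip] = self.free.pop(0)
        return self.by_host[src_ip], src_port

class DippNat:
    """Many-to-one model: sessions share pool addresses, source port is rewritten."""
    def __init__(self, pool, first_port=1024, last_port=65535):  # assumed port range
        self.addrs = [str(a) for a in ipaddress.ip_network(pool)]
        self.first, self.span = first_port, last_port - first_port + 1
        self.used = 0
        self.sessions = {}

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.sessions:
            if self.used >= self.span * len(self.addrs):
                raise PoolExhausted(src_ip)
            addr = self.addrs[self.used // self.span]
            self.sessions[key] = (addr, self.first + self.used % self.span)
            self.used += 1
        return self.sessions[key]

def simulate(nat, inside="10.20.0.0/16", hosts=300, src_port=5060):
    """Return (translated, failed, source_ports_preserved) for `hosts` clients."""
    ok = failed = kept = 0
    net = ipaddress.ip_network(inside)
    for i in range(1, hosts + 1):
        try:
            _, port = nat.translate(str(net[i]), src_port)
            ok += 1
            kept += int(port == src_port)
        except PoolExhausted:
            failed += 1
    return ok, failed, kept
```

With 300 concurrent inside hosts, the one-to-one model runs out of pool addresses, while the DIPP model translates every host but none of them keeps its original source port.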
05-04-2023 01:59 PM
That is great news! Thanks. I doubt highly the source port matters at all but I'll probably take a closer look at the logs and see what shows up soon on the ASA. I'm still in discovery mode on some of this but this helps.