NAT'ing subnets - Larger to smaller? Will it work?


L4 Transporter

I'm moving some rules from an ASA we will be decommissioning at another location to our local PA-5220 for an IPSEC tunnel that we are migrating. The existing rule set on our ASA is NAT'ing our /16 subnet onto a /24, which technically could be an issue, but we have few users that use this tunnel so it isn't an issue, and they could come from a number of places on our internal /16.

Is there a way to do this with PAN-OS? When I looked at this document: Getting Started: Network Address Translation (NAT) - Knowledge Base - Palo Alto Networks, it had a caveat about the subnets being the same size, but it looks like that is only if using Dynamic IP and NOT Dynamic IP and Port. I'm just uncertain at the moment if this tunnel requires the source ports to remain the same - I doubt it but it's possible.


Thanks in advance for any help or insight.

1 accepted solution

Accepted Solutions

Cyber Elite

@TonyDeHart,

This will work as long as no communication traversing the tunnel expects a certain source port to function properly. If that isn't a requirement, you could set this to DIPP and it would work perfectly fine. 

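A small model of why the accepted answer's condition matters, added here as an illustration rather than code from the thread or from PAN-OS: Dynamic IP hands each inside host its own pool address and leaves the source port alone, so a /16 onto a /24 pool stops translating after 256 hosts, whereas Dynamic IP and Port (DIPP) multiplexes flows over (address, port) pairs and rewrites the source port. The inside range, the pool addresses, the port range and the allocation order are constructed assumptions; the real PAN-OS allocator differs in detail.

```python
import itertools
import ipaddress

# Constructed addresses (assumptions, not from the thread): inside /16, NAT pool /24.
INSIDE = ipaddress.ip_network("10.0.0.0/16")
POOL = ipaddress.ip_network("192.0.2.0/24")
PORTS = range(1024, 65536)


class DynamicIpNat:
    """Dynamic IP: one pool address per inside host, source port unchanged."""

    def __init__(self, pool):
        self.free = list(pool)  # 256 addresses for a /24
        self.table = {}         # inside host -> translated address

    def translate(self, src_ip, src_port):
        if src_ip not in self.table:
            if not self.free:
                return None     # pool exhausted: this host cannot be translated
            self.table[src_ip] = self.free.pop(0)
        return self.table[src_ip], src_port


class DynamicIpPortNat:
    """DIPP: one (address, port) pair per flow, so many inside hosts share
    each pool address; the source port is rewritten."""

    def __init__(self, pool, ports=PORTS):
        self.pool, self.ports = list(pool), list(ports)
        self.capacity = len(self.pool) * len(self.ports)
        self.used = 0
        self.table = {}         # (inside host, inside port) -> (address, port)

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.table:
            if self.used >= self.capacity:
                return None
            i, self.used = self.used, self.used + 1
            n = len(self.ports)
            self.table[key] = (self.pool[i // n], self.ports[i % n])
        return self.table[key]


def run(nat, n_hosts, src_port=40000):
    """One flow from each of the first n_hosts inside addresses; returns (translated, dropped)."""
    translated = dropped = 0
    for host in itertools.islice(INSIDE.hosts(), n_hosts):
        if nat.translate(host, src_port) is None:
            dropped += 1
        else:
            translated += 1
    return translated, dropped
```

With 300 inside hosts, `run(DynamicIpNat(POOL), 300)` drops 44 of them while `run(DynamicIpPortNat(POOL), 300)` translates all 300, which is the trade-off the thread describes: DIPP fits the larger subnet only because it is free to change the source port.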

2 REPLIES 2


L4 Transporter

That is great news! Thanks. I doubt highly the source port matters at all, but I'll probably take a closer look at the logs and see what shows up soon on the ASA. I'm still in discovery mode on some of this, but this helps.


  • 1 accepted solution
  • 1417 Views
  • 2 replies
  • 0 Likes