NAT Performance Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

NAT Performance Issue

L3 Networker

Hi All,


I recently migrated a client from a Fortinet firewall to a PANW.  Most of the Virtual IPs from the Fortinet were migrated as bidirectional Source NATs.


One specific server had issues where outside traffic would intermittently not be able to connect with the server.  I troubleshot the issue and couldn't find anything wrong with the NAT or anything else.


The client opened a ticket with PANW support.  The support tech broke the bidirectional NAT into separate a SNAT and DNAT.

The DNAT is interesting in that the traffic from the outside is being SNAT'ed to the LAN interface on the firewall using dynamic-ip-and-port and then a destination translation to the inside server address with a port translation back to 443.

The SNAT is normal except is was also created using dynamic-ip-and-port to the server's public address.

here's the XML config for the DNAT:

<entry name="Server">

                  <to>

                    <member>Outside</member>

                  </to>

                  <from>

                    <member>Outside</member>

                  </from>

                  <source>

                    <member>any</member>

                  </source>

                  <destination>

                    <member>server-NAT</member>

                  </destination>

                  <service>any</service>

                  <nat-type>ipv4</nat-type>

                  <to-interface>any</to-interface>

                  <destination-translation>

                    <translated-address>server-inside</translated-address>

                    <translated-port>443</translated-port>

                  </destination-translation>

                  <source-translation>

                    <dynamic-ip-and-port>

                      <interface-address>

                        <ip>10.1.1.250/24</ip>

                        <interface>ethernet1/4</interface>

                      </interface-address>

                    </dynamic-ip-and-port>

                  </source-translation>

                </entry>

This fixed the issue.

Can someone provide some insight as to why and what the issue actually was?  I'd just like to know for the future.  The support tech didn't provide the "why" to the client.

Gracias!


2 REPLIES 2

L4 Transporter

I do not know the answer but can confirm I have seen this same behavior.

L3 Networker

At least I know I'm not going nuts or completely incompetent.  :smileysilly:

  • 3097 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!