NAT question



Hello,

I have migrated a configuration from a NetScreen firewall.

On the NetScreen, on the outside interface (facing the internet), there are two MIP IPs configured.

One of the MIP IPs is on the same subnet as the main IP, but the other IP is on a different subnet.

Like this:

main public ip: 192.168.1.1/29

MIP ip one: 192.168.1.2

MIP ip two: 10.1.1.10

I had no problems making the correct configuration for NAT on the MIP one ip. Inbound to a mailserver.

But I am struggling with the configuration for MIP IP two. It does not work.

Do I need to add the MIP ip two as a loopback ip on the untrust zone or can I add it to the interface as a secondary ip? 10.1.1.10/32.

How do I make the NAT configuration for the MIP two IP?

Can anyone help?

Jo Christian

/Jo Christian
Accepted Solution

Hi Jo,

Typically when traffic is not hitting a NAT or Security policy it is due to some sort of routing or lower-level issue.  To debug these types of issues you might check the drop counters or do a debug flow basic to see how the traffic is being processed and at what stage it is being dropped.  Support can also help out with this.

Here is some quick information on how to check the counters and the debug flow basic:

Show Drop Counters

Set a filter to control what traffic is counted

debug dataplane packet-diag set filter match <criteria>

debug dataplane packet-diag set filter on

Show the drop counters (absolute or relative to last time command was run)

show counter global packet-filter yes | match drop

show counter global filter severity drop packet-filter yes delta yes

Debug Flow Basic

Set a filter to control what traffic is logged

debug dataplane packet-diag set filter match <criteria>

debug dataplane packet-diag set filter on

Enable debug logging

debug dataplane packet-diag set log feature flow basic

debug dataplane packet-diag clear log log

debug dataplane packet-diag set log on

View the debug log (tail or less)

less dp-log pan_packet_diag.log

tail dp-log pan_packet_diag.log

Hope that helps,

Kelly


Replies

Hi Jo,

The destination NAT IP does not need to be in the same subnet as the interface IP in our implementation for this to work.  The PAN device will ARP for the address and all should work fine.

There are a couple ways to convert a ScreenOS MIP to PANOS NAT rules:

  1. Create two separate NAT Rules: One destination NAT inbound with zones Untrust to Untrust.  Then another source NAT outbound with zones Trust to Untrust

    or

  2. Create a single source NAT outbound with zones Trust to Untrust, then flag it as bidirectional (PANOS 3.1 and above)

Once you have your NAT rule(s) then make sure the Security Policy has correct rules allowing the traffic in using the original (pre-NAT) IPs.

Cheers,

Kelly
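The second option above (a single bidirectional source NAT rule) plus the matching security policy, written out as PAN-OS CLI set commands. This is an added example, not configuration from the original thread; the rule names, the interface ethernet1/1 and the internal mail server address 192.168.100.10 are assumptions, while 10.1.1.10 is the MIP two address from the question.

```panos
# --- configure mode ---
# Bidirectional static source NAT: outbound traffic from the mail server
# leaves as 10.1.1.10, and inbound traffic to 10.1.1.10 is sent to the server.
set rulebase nat rules mip-two-bidir from trust to untrust
set rulebase nat rules mip-two-bidir source 192.168.100.10 destination any service any
set rulebase nat rules mip-two-bidir source-translation static-ip translated-address 10.1.1.10
set rulebase nat rules mip-two-bidir source-translation static-ip bi-directional yes
# Egress interface on which the firewall answers ARP for the translated address.
set rulebase nat rules mip-two-bidir to-interface ethernet1/1

# Security policy is matched on pre-NAT addresses but post-NAT zones:
# destination is the public 10.1.1.10, zone is the internal trust zone.
set rulebase security rules inbound-mail from untrust to trust
set rulebase security rules inbound-mail source any destination 10.1.1.10
set rulebase security rules inbound-mail application smtp service application-default
set rulebase security rules inbound-mail action allow
commit

# --- operational mode ---
# Concrete filter for the drop-counter / flow-basic procedure above:
# only count and log packets addressed to the MIP two address.
debug dataplane packet-diag set filter match destination 10.1.1.10
debug dataplane packet-diag set filter on
show counter global filter severity drop packet-filter yes delta yes
```

Because 10.1.1.10 is outside the 192.168.1.0/29 interface subnet, the upstream router must also have a route for that address pointing at the firewall's untrust interface; ARP alone cannot deliver off-subnet traffic, and a rule that never matches will show as unused in the policy view.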

Hello and thanks for your reply.

Yes, this is what I did (your suggestion number 2), but when making the security policy my rule always gets "tagged" as unused when hitting the "show unused" button. Is there some way to debug the reason for the rule being tagged as unused?

I don't have any other rules that should interfere with this one.

Jo Christian

/Jo Christian

Hello,

Everything working now. Had to restart the DSL modem for the other subnet to work correctly.

Thank you for your help!

Jo Christian

/Jo Christian