This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Natting to ip address which is not binded to any interface

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Natting to ip address which is not binded to any interface

nitesharbale
L2 Linker

‎03-04-2020 03:54 AM - edited ‎03-04-2020 03:58 AM

Hello Everyone,

I want to nat traffic going from dmz zone to wan zone. I want to nat ip (172.16.16.16&172.16.17.17-dmz zone) to use nat ip 200.0.0.1 which is not configured to any interface. I am unable to perform this. Please find below snap.

1)Interface IP addresses.

nitesharbale_0-1583322314964.png

2)NAT rule

nitesharbale_1-1583322411216.png

3)Security Policy

nitesharbale_2-1583322611401.png

 

4)Topology

nitesharbale_0-1583322960961.png

 

On R2 when i debug ip address i can see 200.0.0.1 ip but from R3 i cannot telnet

Please let me know what am i missing ?

 

0 Likes Likes
6 REPLIES 6

SutareMayur
L6 Presenter

‎03-04-2020 05:21 AM - edited ‎03-04-2020 05:22 AM

@nitesharbaleWhat are you seeing under traffic logs? It is matching security policy and NAT, also is traffic going on correct WAN interface?

 

Where both these subnet resides as DMZ subnet configured on firewall is 172.16.1.0/24 and below server IP belongs to different subnets?

 

Do you have reverse routes on firewall for IPs 172.16.16.16&172.16.17.17 ?

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
0 Likes Likes

nitesharbale
L2 Linker
In response to SutareMayur

‎03-04-2020 06:27 AM

Hi Mayur,

Please find the answers below. Let me know if anything else required

 

Q1)What are you seeing under traffic logs? It is matching security policy and NAT, also is traffic going on correct WAN interface?

Ans  i cannot see traffic logs. i think i requires license. There is single WAN interface which is connected to R2. Security policy and nat rule are in snap posted earlier.

 

2)Where both these subnet resides as DMZ subnet configured on firewall is 172.16.1.0/24 and below server IP belongs to different subnets?

172.16.1.2/24--R3 interface ip connected to PA , (172.16.16.16/32, 172.16.17.17/32---R3 loopback) . All are in same zone i.e DMZ

 

3)Do you have reverse routes on firewall for IPs 172.16.16.16&172.16.17.17 ?

nitesharbale_0-1583330973400.png

 

0 Likes Likes

SutareMayur
L6 Presenter
In response to nitesharbale

‎03-04-2020 07:04 AM

@nitesharbalePlease verify traffic using test command and see if matching correct Security policy, NAT and Route.

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to SutareMayur

‎03-05-2020 10:14 AM

Hello,

This is possible as long as the PAN knows where to route the traffic. I didnt review the config, but as stated, check the logs and see where/if the policies are getting applied and or traffic getting blocked.

 

Regards,

0 Likes Likes

OwenFuller
L4 Transporter
In response to OtakarKlier

‎03-05-2020 11:34 AM

If you are doing a source NAT with an address of 200.0.0.1, but this is not the subnet between your firewall and WAN router (R2).  How are you going to get a reply back from R2 like this?

jeremy.larsen
L4 Transporter
In response to OwenFuller

‎03-05-2020 12:25 PM

Do you have a route on R2 pointing back to the PAN with this address?  Also, since the IP has no interface associated with it you may have to put in what I call a "ghost route" to make sure your zones align properly.  Add a route with an interface value and next hop value of "none" to assign the proper zone.

0 Likes Likes
  • 6075 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks