This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

no nat

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

no nat

Go to solution
atelcom
L3 Networker

‎07-08-2013 02:46 AM

hello

i'am configuring a paloalto firwall wish is the backward firewall,

i'm facing problem with nat , users must be integrated in the frontal firewall

users passes by paloalto firewall first then the frontal firewall, when it pass by pan their adresses changes by nat , and the frontal firewall does'nt reconginze them ,wish is a hige problem

i tried to delete nat because the outside interface of pan is also a private adress , but traffic don't pass when i do this

so i want toknow if i can allow traffic to pass without nating , or if pan has someting called (no nat) like asa and juniper

please help me to figure it out

thank's in advance

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
UhMayYeah
L5 Sessionator

‎07-15-2013 02:21 AM

In this case ,it seems PA firewall is acting a Pass-through in L3 mode and the upstream " frontal" firewall is taking care of source-NAT for internet traffic.

Source-NAT on PA (if configured)  would take care of the Return route to Inside Network, but if NAT is not needed,make sure the "frontal" firewall has a route to the LAN/inside network with PA as a next-hop.

View solution in original post

0 Likes Likes
10 REPLIES 10

Go to solution
kprakash
L5 Sessionator

‎07-08-2013 05:45 AM

Hi Atelcom,

We do have an option to skip the NAT translation. You can specify the source address ( subnet ), the source Zone, The destination address ( subnet ) and the destination zone, and under the "Translated Packet section" select the translation type to "None", as shown in the attachment.

no-nat.JPG

This is as good as not configuring a NAT policy at all. So all you need is a security policy from the inside zone of the PANFW to the outside zone of the PANFW.

You could also have a v-wire deployment on the PANFW, if the PANFW isnt on the perimeter, and use it as an IPS.

Thanks and best regards,

Karthik RP

0 Likes Likes

Go to solution
atelcom
L3 Networker
In response to kprakash

‎07-08-2013 06:43 AM

Hi ,

thank's for your return, i did try the none nat like shown in the attachement , for any source and any destination ..but it doesn't work

i try also to delete it , and the traffic don't pass neither

0 Likes Likes

Go to solution
atelcom
L3 Networker
In response to atelcom

‎07-08-2013 06:44 AM

i can't deploy it in vwire, cause i have to manage acces between internal zones

0 Likes Likes

Go to solution
kprakash
L5 Sessionator
In response to atelcom

‎07-08-2013 06:58 AM

Atelcom,

Can you attach the screenshots of the NAT policy and the security policy in question

BR,

Karthik RP

0 Likes Likes

Go to solution
atelcom
L3 Networker
In response to kprakash

‎07-08-2013 07:13 AM

currently i'm not at the customer and i can't access to the appliance

0 Likes Likes

Go to solution
atelcom
L3 Networker
In response to kprakash

‎07-15-2013 01:49 AM

Capture-pan.PNGCapture-rule-pan.PNG

0 Likes Likes

Go to solution
atelcom
L3 Networker
In response to atelcom

‎07-15-2013 01:51 AM

Capture-nat.PNG

t tried also this, but it still does'nt work .should i add another think like an additionnal route to get it work

0 Likes Likes

Go to solution
UhMayYeah
L5 Sessionator

‎07-15-2013 02:21 AM

In this case ,it seems PA firewall is acting a Pass-through in L3 mode and the upstream " frontal" firewall is taking care of source-NAT for internet traffic.

Source-NAT on PA (if configured)  would take care of the Return route to Inside Network, but if NAT is not needed,make sure the "frontal" firewall has a route to the LAN/inside network with PA as a next-hop.

0 Likes Likes

Go to solution
atelcom
L3 Networker
In response to UhMayYeah

‎07-16-2013 05:30 AM

Hello Nadir,

thank's for your return it was very helpful, i added a return route in the frontal firewall, and all seems to work fine

but i didn't inderstand the concept, why it doesn't reconizne traffic , it must be stateful firewall so it keep session table

thank's in advance

0 Likes Likes

Go to solution
UhMayYeah
L5 Sessionator
In response to atelcom

‎07-16-2013 06:04 AM

As you have introduced a new L3 Device (PA FW) in the Network. The Frontal firewall does not know how to route back the return traffic.

Source-NAT on PA firewall was taking care of this return route earlier.

  • 1 accepted solution
  • 6690 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks