- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-08-2013 02:46 AM
hello
i'am configuring a paloalto firwall wish is the backward firewall,
i'm facing problem with nat , users must be integrated in the frontal firewall
users passes by paloalto firewall first then the frontal firewall, when it pass by pan their adresses changes by nat , and the frontal firewall does'nt reconginze them ,wish is a hige problem
i tried to delete nat because the outside interface of pan is also a private adress , but traffic don't pass when i do this
so i want toknow if i can allow traffic to pass without nating , or if pan has someting called (no nat) like asa and juniper
please help me to figure it out
thank's in advance
07-15-2013 02:21 AM
In this case ,it seems PA firewall is acting a Pass-through in L3 mode and the upstream " frontal" firewall is taking care of source-NAT for internet traffic.
Source-NAT on PA (if configured) would take care of the Return route to Inside Network, but if NAT is not needed,make sure the "frontal" firewall has a route to the LAN/inside network with PA as a next-hop.
07-08-2013 05:45 AM
Hi Atelcom,
We do have an option to skip the NAT translation. You can specify the source address ( subnet ), the source Zone, The destination address ( subnet ) and the destination zone, and under the "Translated Packet section" select the translation type to "None", as shown in the attachment.
This is as good as not configuring a NAT policy at all. So all you need is a security policy from the inside zone of the PANFW to the outside zone of the PANFW.
You could also have a v-wire deployment on the PANFW, if the PANFW isnt on the perimeter, and use it as an IPS.
Thanks and best regards,
Karthik RP
07-08-2013 06:43 AM
Hi ,
thank's for your return, i did try the none nat like shown in the attachement , for any source and any destination ..but it doesn't work
i try also to delete it , and the traffic don't pass neither
07-08-2013 06:44 AM
i can't deploy it in vwire, cause i have to manage acces between internal zones
07-08-2013 06:58 AM
Atelcom,
Can you attach the screenshots of the NAT policy and the security policy in question
BR,
Karthik RP
07-08-2013 07:13 AM
currently i'm not at the customer and i can't access to the appliance
07-15-2013 01:51 AM
t tried also this, but it still does'nt work .should i add another think like an additionnal route to get it work
07-15-2013 02:21 AM
In this case ,it seems PA firewall is acting a Pass-through in L3 mode and the upstream " frontal" firewall is taking care of source-NAT for internet traffic.
Source-NAT on PA (if configured) would take care of the Return route to Inside Network, but if NAT is not needed,make sure the "frontal" firewall has a route to the LAN/inside network with PA as a next-hop.
07-16-2013 05:30 AM
Hello Nadir,
thank's for your return it was very helpful, i added a return route in the frontal firewall, and all seems to work fine
but i didn't inderstand the concept, why it doesn't reconizne traffic , it must be stateful firewall so it keep session table
thank's in advance
07-16-2013 06:04 AM
As you have introduced a new L3 Device (PA FW) in the Network. The Frontal firewall does not know how to route back the return traffic.
Source-NAT on PA firewall was taking care of this return route earlier.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!