no nat

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

no nat

L3 Networker

hello

i'am configuring a paloalto firwall wish is the backward firewall,

i'm facing problem with nat , users must be integrated in the frontal firewall

users passes by paloalto firewall first then the frontal firewall, when it pass by pan their adresses changes by nat , and the frontal firewall does'nt reconginze them ,wish is a hige problem

i tried to delete nat because the outside interface of pan is also a private adress , but traffic don't pass when i do this

so i want toknow if i can allow traffic to pass without nating , or if pan has someting called (no nat) like asa and juniper

please help me to figure it out

thank's in advance

1 accepted solution

Accepted Solutions

L5 Sessionator

In this case ,it seems PA firewall is acting a Pass-through in L3 mode and the upstream " frontal" firewall is taking care of source-NAT for internet traffic.

Source-NAT on PA (if configured)  would take care of the Return route to Inside Network, but if NAT is not needed,make sure the "frontal" firewall has a route to the LAN/inside network with PA as a next-hop.

View solution in original post

10 REPLIES 10

L5 Sessionator

Hi Atelcom,

We do have an option to skip the NAT translation. You can specify the source address ( subnet ), the source Zone, The destination address ( subnet ) and the destination zone, and under the "Translated Packet section" select the translation type to "None", as shown in the attachment.

no-nat.JPG

This is as good as not configuring a NAT policy at all. So all you need is a security policy from the inside zone of the PANFW to the outside zone of the PANFW.

You could also have a v-wire deployment on the PANFW, if the PANFW isnt on the perimeter, and use it as an IPS.

Thanks and best regards,

Karthik RP

Hi ,

thank's for your return, i did try the none nat like shown in the attachement , for any source and any destination ..but it doesn't work

i try also to delete it , and the traffic don't pass neither

i can't deploy it in vwire, cause i have to manage acces between internal zones

Atelcom,

Can you attach the screenshots of the NAT policy and the security policy in question

BR,

Karthik RP

currently i'm not at the customer and i can't access to the appliance

Capture-pan.PNGCapture-rule-pan.PNG

Capture-nat.PNG

t tried also this, but it still does'nt work .should i add another think like an additionnal route to get it work

L5 Sessionator

In this case ,it seems PA firewall is acting a Pass-through in L3 mode and the upstream " frontal" firewall is taking care of source-NAT for internet traffic.

Source-NAT on PA (if configured)  would take care of the Return route to Inside Network, but if NAT is not needed,make sure the "frontal" firewall has a route to the LAN/inside network with PA as a next-hop.

Hello Nadir,

thank's for your return it was very helpful, i added a return route in the frontal firewall, and all seems to work fine

but i didn't inderstand the concept, why it doesn't reconizne traffic , it must be stateful firewall so it keep session table

thank's in advance

As you have introduced a new L3 Device (PA FW) in the Network. The Frontal firewall does not know how to route back the return traffic.

Source-NAT on PA firewall was taking care of this return route earlier.

  • 1 accepted solution
  • 6882 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!