Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PBF with NAT, how does it works?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PBF with NAT, how does it works?

Not applicable

Hi Guys

According to document , if there's destination NAT , there'll be second routing lookup to decide outbound zone & interface. But I'm very confused when there's routing and PBF together, In the second routing lookup, how does PBF rule work? Does PBF work based on Pre-NAT destination address or Post-NAT destination address? According to document at the second lookup process works based on POST-NAT destination address, that means if the routing table works fine, it should follow routing table lookup result. But in my customers networks it doesn't look like that.. Using PBF and U-Turn NAT together is really kind of a mess.

Thank you very much.

4 REPLIES 4

L6 Presenter

Would any of these docs be of any help?

Understanding PAN-OS NAT

https://live.paloaltonetworks.com/docs/DOC-1517

Packet Flow in PAN-OS

https://live.paloaltonetworks.com/docs/DOC-1628

L7 Applicator

Hello,

PBF lookup happens in pre-NAT IP address. Also in PAN firewall NAT evaluate at first with original IP but Apply at the end of flow.

Packet flow on PAN firewall:-

packet-flow.JPG.jpg

Few more information regarding the same.

Fowarding

Testing Security, NAT and PBF Rules via the CLI

Inbound NAT Policy with Outbound PBF Causing IP-Spoofing Drops

NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

Packet Flow in PAN-OS

Hope this helps.

Thanks

Not applicable

Thanks a lot . I'll read these document. Hava a nice day!

L1 Bithead

Sorry to revive this 10 years later. Documentation is not specific enough for me. But in my experience:

  •  If there is Dest NAT there will be a second routing lookup, that will include a second PBF lookup. To be clear, the moment there is Dest NAT it will ignore all previous PBF/routing lookups and evaluate both again.
  • The IP addresses used in the second routing/PBF lookup are: PRE-NAT source, and POST-NAT destination.

 

As I said, official documentation is quite good, but I missed those specific issues.

  • 9842 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!