This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PBF with NAT, how does it works?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PBF with NAT, how does it works?

JTR
Not applicable

‎09-05-2013 10:27 PM

Hi Guys

According to document , if there's destination NAT , there'll be second routing lookup to decide outbound zone & interface. But I'm very confused when there's routing and PBF together, In the second routing lookup, how does PBF rule work? Does PBF work based on Pre-NAT destination address or Post-NAT destination address? According to document at the second lookup process works based on POST-NAT destination address, that means if the routing table works fine, it should follow routing table lookup result. But in my customers networks it doesn't look like that.. Using PBF and U-Turn NAT together is really kind of a mess.

Thank you very much.

Labels:
0 Likes Likes
4 REPLIES 4

mikand
L6 Presenter

‎09-05-2013 10:34 PM

Would any of these docs be of any help?

Understanding PAN-OS NAT

https://live.paloaltonetworks.com/docs/DOC-1517

Packet Flow in PAN-OS

https://live.paloaltonetworks.com/docs/DOC-1628

0 Likes Likes

HULK
L7 Applicator

‎09-05-2013 11:23 PM

Hello,

PBF lookup happens in pre-NAT IP address. Also in PAN firewall NAT evaluate at first with original IP but Apply at the end of flow.

Packet flow on PAN firewall:-

packet-flow.JPG.jpg

Few more information regarding the same.

Fowarding

Testing Security, NAT and PBF Rules via the CLI

Inbound NAT Policy with Outbound PBF Causing IP-Spoofing Drops

NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

Packet Flow in PAN-OS

Hope this helps.

Thanks

JTR
Not applicable
In response to HULK

‎09-06-2013 12:05 AM

Thanks a lot . I'll read these document. Hava a nice day!

0 Likes Likes

AGrijalba
L1 Bithead

‎04-30-2024 07:47 AM - edited ‎04-30-2024 08:02 AM

Sorry to revive this 10 years later. Documentation is not specific enough for me. But in my experience:

  •  If there is Dest NAT there will be a second routing lookup, that will include a second PBF lookup. To be clear, the moment there is Dest NAT it will ignore all previous PBF/routing lookups and evaluate both again.
  • The IP addresses used in the second routing/PBF lookup are: PRE-NAT source, and POST-NAT destination.

 

As I said, official documentation is quite good, but I missed those specific issues.

0 Likes Likes
  • 9840 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks