Imagine this scenario:
Internet 188.8.131.52 PA 184.108.40.206 ---- 220.127.116.11 ROUTER 18.104.22.168/24 network
I am forwarding all packets received on 22.214.171.124 HTTPS to 126.96.36.199 HTTPS, which then re-NATs to a 188.8.131.52/24 host.
With a stupid $50 D-Link router instead of the PA, everything works. I just forward HTTPS to 184.108.40.206 and it works. With the Palo, no way.
In the Palo I also have another network interface (say 220.127.116.11/24) and I forward other ports to hosts in the 18.104.22.168/24 network and everything works, but if I forward to 22.214.171.124, which then re-NATs to 126.96.36.199, it does not work. And I cannot see any errors on the PALO.
I have done these configurations multiple times (I mean just publishing servers, etc.). Any suggestions?
How do I troubleshoot NAT? Is there a way to see the NAT translations on the PALO?
Did you make sure the [188.8.131.52/184.108.40.206/24] router has its default gateway set to 220.127.116.11, and the 3.3.3.X host has its default gw set to the [18.104.22.168/22.214.171.124/24] router?
Would you mind sharing more details about your config?
You could try setting a source/destination NAT so that behind the PANW the IPs would be src:126.96.36.199 dst:188.8.131.52 (to ensure 3.3.3.x knows how to route back).
Did you make sure to set the zones in your NAT rule as 'untrust to untrust'?
Zone membership is determined by looking at the routing table, so the pre-NAT packet will have a source IP from the untrust zone (default gateway out to the internet) and a destination IP in the untrust zone (IP attached to the untrust interface).
Security policy will still be untrust to trust, the destination address still being pre-NAT though.
You can verify NAT being applied to a session by looking up the session information:
> show session id 2275

Session            2275

        c2s flow:
                source:      198.51.100.10 [v1-untrust]
                dst:         198.51.100.1
                proto:       17
                sport:       53797           dport:      53
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.0.0.5 [lab]
                dst:         198.51.100.10
                proto:       17
                sport:       53              dport:      1472
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Fri Aug 19 14:21:21 2016
        timeout                       : 31 sec
        total byte count(c2s)         : 88
        total byte count(s2c)         : 143
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 1
        vsys                          : vsys1
        application                   : dns
        rule                          : dns-inbound
        session to be logged at end   : True
        session in session ager       : False
        session updated by HA peer    : False
        address/port translation      : source
        nat-rule                      : nat-in(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/1
        egress interface              : ethernet1/2
        session QoS rule              : N/A (class 4)
        tracker stage firewall        : Aged out
        end-reason                    : aged-out
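The following is an added example, not part of the reply above or of any Palo Alto Networks documentation: a PAN-OS set-command sketch of the rule pair the reply describes (NAT rule zoned untrust to untrust on the pre-NAT destination, security rule untrust to trust still matching the pre-NAT destination, optional source NAT so the downstream router has no routing decision to make), followed by the operational commands to confirm the match. Every address, interface, zone and rule name is an assumption chosen for the illustration: 203.0.113.10 is the public address on ethernet1/1 (zone untrust), 192.0.2.2 is the downstream router on ethernet1/2 (zone trust), 198.51.100.10 is a test client. Lines beginning with '#' are annotations for the reader, not CLI input.

```text
# Added example, not from the thread. Assumed topology:
#   Internet -> ethernet1/1 (zone untrust, 203.0.113.10/24)
#   ethernet1/2 (zone trust, 192.0.2.1/24) -> downstream router 192.0.2.2
configure

# NAT rule: both zones are 'untrust' because the zone lookup is done on the
# pre-NAT destination, and 203.0.113.10 sits on the untrust interface.
set rulebase nat rules inbound-https from untrust
set rulebase nat rules inbound-https to untrust
set rulebase nat rules inbound-https source any
set rulebase nat rules inbound-https destination 203.0.113.10
set rulebase nat rules inbound-https service service-https
set rulebase nat rules inbound-https destination-translation translated-address 192.0.2.2

# Optional source NAT (the reply's src/dst suggestion): replies from the
# downstream router go to the trust interface address, so that router never
# needs a route back to the original Internet client.
set rulebase nat rules inbound-https source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security rule: from untrust to trust (post-NAT zone), but the destination
# object is still the pre-NAT public address.
set rulebase security rules allow-inbound-https from untrust
set rulebase security rules allow-inbound-https to trust
set rulebase security rules allow-inbound-https source any
set rulebase security rules allow-inbound-https destination 203.0.113.10
set rulebase security rules allow-inbound-https application ssl
set rulebase security rules allow-inbound-https service application-default
set rulebase security rules allow-inbound-https action allow

commit
exit

# Verification from operational mode (uses the committed config):
test nat-policy-match from untrust to untrust source 198.51.100.10 destination 203.0.113.10 destination-port 443 protocol 6
show session all filter destination 203.0.113.10
show session id <id>
```

When reading `show session id` for such a session, the c2s flow should still carry the public address as dst while the s2c flow's source should be the translated address (192.0.2.2 here); if the s2c source is still 203.0.113.10, the NAT rule did not match, which is usually the zone pair or the service. If `test nat-policy-match` returns no rule, check the zones first: a rule written as untrust to trust will never be evaluated for this traffic.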
Thanks heaps for your answer.
Yes, so router 184.108.40.206 has a default route to 220.127.116.11, and hosts on the 18.104.22.168/24 network have the right gateway. Please note that with a "dumb" router in which I simply create forward rules to 22.214.171.124 everything works. Basically the dumb router is configured exactly as the Palo, but there is obviously something the Palo is doing more that is preventing that from working.
I have other destination NAT rules that are working on the same PALO (I know you have to define untrust/untrust in the destination NAT). The difference is that the destination NATs that are working are going to a network directly attached to the PALO. For example:
126.96.36.199 PALO 188.8.131.52 ---- 184.108.40.206 host
The destination NAT 220.127.116.11 to 18.104.22.168 WORKS in the PALO.
What does not work is the one originally posted, so:
22.214.171.124 PALO 126.96.36.199 --- 188.8.131.52 DUMBROUTER 184.108.40.206 ---- 220.127.116.11
Forwarding 18.104.22.168 to 22.214.171.124, which in turn forwards to 126.96.36.199, does not work. With a dumb router instead of the PALO, which forwards packets received on 188.8.131.52 to 184.108.40.206, which in turn forwards to 220.127.116.11, it works.
I am suspecting the PALO is not forwarding the same way the dumb router does and the packets that the DUMBROUTER receives are different from what a "normal" router does.
Unfortunately I cannot share the config. If you have any other ideas, I can put them in my queue, but I have very limited time for testing, as when we switch to the PALO we have very limited time to make things work before reverting back.