This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Problem setting up a U-Turn NAT rule

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Problem setting up a U-Turn NAT rule

Go to solution
oschuler
L4 Transporter

‎06-20-2014 05:13 AM

Hi all,

While trying to setup LSVPN on our HQ Palo Alto device, we ran into a U-Turn NAT issue. Let me first explain the setup:

U-Turn NAT Example.png

We setup an OCSP responder using a loopback Interface on the PA firewall. The private IP address of that loopback interface is 10.99.99.1/32. The private IP is not being used outside the firewall. Instead, all "clients" in the External AND Trusted cloud connect to "ocsp.company.com" which resolves to 100.1.1.1 in both clouds.

Now access to "ocsp.company.com" from the External cloud is easy. That works well. However, so far we didn't manage to create a working U-Turn NAT rule for access from the Trusted cloud. Any ideas how this could be accomplished?

What we tried so far (not successful):

U-Turn NAT - rules.png

(We couldn't easily visualize the fake IP address in the "Source Translation" section in the first rule. But we tried with 10.1.1.1/24 as Source Translation IP.)

Thank you in advance.

Regards,

Oliver

1 person had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to oschuler

‎06-20-2014 07:32 AM

Hi Oliver

Did you add the loopback interface to the external zone ? You would normally not need to do source nat as the ip is located in a different zone, but you will need to make sure the nat rule you create is above your generic "outbound" nat so you don't do hide-nat when accessing this loopback

your nat rules should look like this more or less:

2014-06-20_16-31-35.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7

Go to solution
pulukas
L7 Applicator

‎06-20-2014 06:10 AM

Have you seen this example configuration on U Turn NAT walks through the process.

How to Configure U-Turn NAT

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

Go to solution
oschuler
L4 Transporter
In response to pulukas

‎06-20-2014 06:19 AM

Yes, I've seen that. I also posted a comment on that post a while back 🙂

We do have other U-Turn NATs in place but none with a single-IP loopback interface...

0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to oschuler

‎06-20-2014 07:32 AM

Hi Oliver

Did you add the loopback interface to the external zone ? You would normally not need to do source nat as the ip is located in a different zone, but you will need to make sure the nat rule you create is above your generic "outbound" nat so you don't do hide-nat when accessing this loopback

your nat rules should look like this more or less:

2014-06-20_16-31-35.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
pulukas
L7 Applicator
In response to oschuler

‎06-21-2014 04:42 AM

Just to confirm, I think your oscp.company.com resolves to the loopback address 10.99.99.1 in your diagram.

If so, I think your rules need to have 10.99.99.1 as the destination address and then put 100.1.1.1 as the translated destination.

keep the source translation as it is now.

You are basically doing a double nat on both source and destination to create the U-turn for your setup.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

Go to solution
oschuler
L4 Transporter
In response to reaper

‎07-02-2014 02:34 AM

Sorry for my late reply on this. I was too busy with other tasks unfortunately.

You're right tpiens, the loopback interface is in the External zone. When I removed the SNAT entry, it worked like a charm!

Thanks a lot for your hint.

0 Likes Likes

Go to solution
oschuler
L4 Transporter
In response to pulukas

‎07-02-2014 02:39 AM

Thank you for your post Steven. The DNS name "ocsp.company.com" resolves to an external IP on internal clients as well. We do have other situations where we actually do use the internal IP address of a loopback interface when we access it from a trusted zone. There we have Split-DNS active. On the setup described here we don't have Split-DNS available which finally caused the issue. Now that this is resolved we're good to go ahead.

0 Likes Likes

Go to solution
pulukas
L7 Applicator
In response to oschuler

‎07-02-2014 04:13 AM

Glad to hear you have this working.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 1 accepted solution
  • 5791 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks