10-31-2013 08:02 AM
Hello,
I did an upgrade from a 500 model to a 3020 model. All the configurations work just fine. The problem that I see is that I cannot test the nat-policy rules. I have the following configuration:
..
snat-all-LANs {
  from inside;
  source [ 172.30.0.0/15 192.168.0.0/16 ];
  to outside;
  to-interface ;
  destination any;
  service any/any/any;
  translate-to "src: #.#.#.# (dynamic-ip-and-port) (pool idx: 1)";
  terminal no;
..
When I do a test for the NAT rule match, it returns a no-match result:
PA-3020-CE-01> test nat-policy-match source 192.168.0.1 destination 8.8.8.8 destination-port 80 protocol 6
No rule matched
How can I find out why there is no match?
I have to mention that the NAT configuration works just fine.
Thanks,
Costin
10-31-2013 10:19 AM
Did a quick test on PA-3020 and PA-200 and the test nat-policy-match command worked fine for me. I used PAN-OS 5.0.6 and 5.0.8. What PAN-OS version are you running? Perhaps you can try adding more parameters in your test command such as from zone, etc. See if that makes a difference.
-Richard
10-31-2013 11:35 AM
Hello,
I have PAN-OS 5.0.6 installed on my device. I used the source and destination zones for the test and it identified the rule.
I also tested this on a 5050 with PAN-OS 5.0.3 and on this one the rule was identified by the "test nat-rule" without using zone parameters.
Is there any reason for this? (different OS?)
Thanks,
Costin