U-turn Nat between isolated networks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

U-turn Nat between isolated networks

L1 Bithead

Hey Guys and Gals

 

I am having an issue getting u-turn nat to work between two isolated networks on the same Palo.  I am basically tiring to allow Interanal clients to access a webcam server in a IoT network.  I think might issue might be that I need to add a Statement in my Virtual Route or a Policy Based Routing rule. Though the reality is that I probable made a simple error like putting in the wrong zone somewhere.  Both network live on a Palo Alto running Pan OS 8.1.  I've include a diagram and config below, the names and address have been changed to protect the innocent.  I add because I realize that the internal address might not be clear on the diagram.  10.0.x.254 is the internal ip address of the Palo Alto.  The internal gateway is 10.0.x.1.  I appreciate any help or insight people can provide, and I hope I provided enough information.

u-turn Nat.jpg

Nat Policy

Original Packet Tab

Source Zone = Corp Trust, Destination Zone = IoT Untrust, Destination Interface is Any, Service is TCP port 8889, Source Address = Any, Destination Address = 1.1.1.2 

Translated Packet Tab

Source Address Tranlation = Translation Type is Dynamic IP and Port, Address type is Interface Address, Interface is 2,

Destination Address Translation = Translation Type is Static IP, Translation Address is 10.0.10.200, translation port is 443

 

Security Policy

Source Zone is Corp Trust, Source Address is Any, Destination Zone is IoT Untrust, Destination address is 1.1.1.2, Service is 443, Action is Allow.

 

Virtual Routes Corp

Static Route

Destination 0.0.0.0/0 next hop 1.1.1.1

Destination 10.0.0.0/24 next hop 10.0.0.1

 

Virtual Route IoT

Destination 0.0.0.0/0 next hop 1.1.1.2

Destination 10.0.10.0/24 next hop 10.0.10.1

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

If the subnets are different, why use NAT? However if using NAT, did you configure it for 'bi-directional'? I have seen this cause an issue with routing since the packets are returned from different IP's.

 

Regards,

I need to nat the two different subnets.  The Corp network needs a dynamic nat so clients can access the internet.  The IoT network is using a 1 to many nat because we have multiple web cams and only 1 external ip address dedicated to that network.  Thats why I am nating.  I will check to make sure it is bi-directional but still trying to figure out how to route the traffic.

Cyber Elite
Cyber Elite

It sounds like you want the traffic to go out interface 1 and come in interface 3, correct?  Please confirm and I can show you what to fix.  Also, do you have 2 virtual routers?

Help the community: Like helpful comments and mark solutions.
  • 4122 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!