Understanding Static NAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Understanding Static NAT

L4 Transporter

Hi All,

When it comes to Static NAT it will be one to one NAT in vendors like Checkpoint and Cisco ASA. I am bit confused with the NAT configuration in Palo Alto. Went through config guide and examples of NAT as well but still confused.

We have a scenario as below.

We have 3 zones - WAN, LAN and DMZ.

Users want to reach DMZ interface from WAN and vice versa.

IP: 10.10.10.10 shd be translated to 1.1.1.2

WAN Int: 1.1.1.1/29

So ACL is configured as below:

WAN to DMZ Zones port 443 is allowed.

Src Int: WAN

Src: Any

Dst Int: DMZ

Dst: 1.1.1.2

Port: 443

 

Src Int: DMZ

Src: 10.10.10.10

Dst Int: WAN

Dst: Any

Port: 443

 

NAT:

Src Zone: DMZ

Dst Zone: WAN

Dst Int: WAN

Src Add: 10.10.10.10

Dst Add:Any

Src Trans: Static IP(1.1.1.2)Bi-directional

Dst Trans:none

 

Src Zone:WAN

Dst Zone: DMZ

Dst Int:DMZ

Src Add:Any

Dst Add:1.1.1.2

Src Trans:none

Dst Trans:dst-translation(10.10.10.10)

 

Is there anything wrong with this?

 

Though 1.1.1.2 is directly connected to WAN. Traffic from outside to 1.1.1.2 to is going to LAN interface instead of DMZ.

I am concerned with my NAT understanding in Palo.

 

Any suggestions on this would really help. 

 

Regards,

Sanjay S

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @Sanjay_Ramaiah ,

 

That looks good.  The 2nd NAT entry is not needed because you configured the 1st one as bidirectional.

 

Could you give me the IP address/mask on the DMZ and LAN interfaces?  I am curious why the traffic is going to the LAN interface also.  Do you have other NAT rules above the ones you listed?  I wonder if the traffic is hitting another rule.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @Sanjay_Ramaiah ,

 

That looks good.  The 2nd NAT entry is not needed because you configured the 1st one as bidirectional.

 

Could you give me the IP address/mask on the DMZ and LAN interfaces?  I am curious why the traffic is going to the LAN interface also.  Do you have other NAT rules above the ones you listed?  I wonder if the traffic is hitting another rule.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

After further checking i see the same IP is being NATted to the different internal IP behind the LAN interface.

That NAT is on TOP of the NAT rule base which could be the reason for traffic going to LAN interface.

 

Thank you very much, i am bit confident now about the NATs in Palo after your confirmation. 

Issue is not resolved, i have requested customer to provide me the unused IP in the same subnet and awaiting response. Will let the trail updated.

Regards,

Sanjay S

  • 1 accepted solution
  • 2081 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!