06-05-2023 05:40 AM
Hi All,
When it comes to Static NAT, it is one-to-one NAT in vendors like Checkpoint and Cisco ASA. I am a bit confused with the NAT configuration in Palo Alto. I went through the config guide and the NAT examples as well, but I am still confused.
We have a scenario as below.
We have 3 zones - WAN, LAN and DMZ.
Users want to reach DMZ interface from WAN and vice versa.
IP: 10.10.10.10 should be translated to 1.1.1.2
WAN Int: 1.1.1.1/29
So the ACL is configured as below (WAN to DMZ zones, port 443 is allowed):

Rule 1:
Src Int: WAN
Src: Any
Dst Int: DMZ
Dst: 1.1.1.2
Port: 443

Rule 2:
Src Int: DMZ
Src: 10.10.10.10
Dst Int: WAN
Dst: Any
Port: 443

NAT:

Rule 1:
Src Zone: DMZ
Dst Zone: WAN
Dst Int: WAN
Src Add: 10.10.10.10
Dst Add: Any
Src Trans: Static IP (1.1.1.2), Bi-directional
Dst Trans: none

Rule 2:
Src Zone: WAN
Dst Zone: DMZ
Dst Int: DMZ
Src Add: Any
Dst Add: 1.1.1.2
Src Trans: none
Dst Trans: dst-translation (10.10.10.10)
Is there anything wrong with this?
Though 1.1.1.2 is directly connected to WAN, traffic from outside to 1.1.1.2 is going to the LAN interface instead of DMZ.
I am concerned about my NAT understanding in Palo.
Any suggestions on this would really help.
Regards,
Sanjay S
06-05-2023 06:24 AM
Hi @Sanjay_Ramaiah ,
That looks good. The 2nd NAT entry is not needed because you configured the 1st one as bidirectional.
Could you give me the IP address/mask on the DMZ and LAN interfaces? I am curious why the traffic is going to the LAN interface also. Do you have other NAT rules above the ones you listed? I wonder if the traffic is hitting another rule.
Thanks,
Tom
06-05-2023 07:57 AM
Hi Tom,
After further checking, I see the same IP is being NATted to a different internal IP behind the LAN interface.
That NAT is on top of the NAT rule base, which could be the reason for traffic going to the LAN interface.
Thank you very much, I am a bit confident now about the NATs in Palo after your confirmation.
The issue is not resolved; I have requested the customer to provide me an unused IP in the same subnet and am awaiting a response. Will keep the thread updated.
Regards,
Sanjay S
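To illustrate the two points of this thread (a bidirectional static-source rule implies its own reverse destination translation, and a rule higher in the NAT rulebase matching the same pre-NAT destination will win first), here is an added Python model of first-match NAT lookup. It is not from the thread or from PAN-OS; the stale "old-lan-server" rule and the 192.168.1.50 / 203.0.113.5 addresses are constructed, and the implied reverse rule is simplified to accept any destination zone (the real firewall derives zones from the pre-NAT route lookup).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: Optional[str]          # None = match any destination zone
    src_addr: str                    # "any" or an address/prefix
    dst_addr: str
    src_trans: Optional[str] = None  # static source translation
    dst_trans: Optional[str] = None  # destination translation
    bidirectional: bool = False

def _addr_match(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def expand(rules):
    """Append the reverse rule that a bidirectional static-source rule implies.
    Simplification (assumption): the implied rule accepts any destination zone."""
    out = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.src_trans:
            out.append(NatRule(f"{r.name} (implied reverse)", r.dst_zone, None,
                               "any", r.src_trans, dst_trans=r.src_addr))
    return out

def lookup(rules, src_zone, dst_zone, src, dst):
    """First matching rule wins, top to bottom, like a NAT rulebase."""
    for r in expand(rules):
        if (r.src_zone == src_zone and r.dst_zone in (None, dst_zone)
                and _addr_match(src, r.src_addr) and _addr_match(dst, r.dst_addr)):
            return r.name, (r.dst_trans or dst)
    return "no-nat", dst

# Constructed rulebase: a stale rule for 1.1.1.2 sits above the DMZ rule,
# as the poster found; 192.168.1.50 and 203.0.113.5 are made-up addresses.
STALE = NatRule("old-lan-server", "WAN", None, "any", "1.1.1.2",
                dst_trans="192.168.1.50")
DMZ = NatRule("dmz-static", "DMZ", "WAN", "10.10.10.10", "any",
              src_trans="1.1.1.2", bidirectional=True)

def inbound(rules, dst="1.1.1.2"):
    """Inbound packet from the WAN towards the public address."""
    return lookup(rules, "WAN", "WAN", "203.0.113.5", dst)

if __name__ == "__main__":
    print(inbound([STALE, DMZ]))  # ('old-lan-server', '192.168.1.50')
    print(inbound([DMZ, STALE]))  # ('dmz-static (implied reverse)', '10.10.10.10')
```

Because the implied reverse rule already covers WAN-to-1.1.1.2 traffic, the explicit second NAT rule from the original post is redundant; only rule order relative to the stale entry decides where the traffic lands.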