
NAT Config


Hi Team,

In Checkpoint we have an option to configure the dummy IPs in the NAT and use Proxy ARP to get it working. For example:

Source: 10.10.10.1

Destination: 10.100.100.1(Dummy IP)

Translation:

Source: 172.16.10.1(Dummy IP)

Destination: 172.17.25.1

 

And then configure the Proxy ARP and get this NAT working. This kind of NAT is used only to avoid overlapping subnets on the source and destination end.

 

May I know how this can be achieved in Palo Alto? I don't really see such options for configuring dummy subnets in the NAT and getting it working.

 

Regards,

Sanjay S

Cyber Elite

You are referring to traffic coming from Internet towards Palo?

You can have dummy IP as destination IP if traffic arrives to Palo (destination mac address in the packet is mac of Palo wan interface).

If traffic is not sent to Palo mac then for Palo to reply with proxy arp it needs IP to be configured on the wan interface (this check is strict starting from 10.2.8, before that it worked even without IP on wan interface).

 

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-policy-rules/proxy-arp...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister ,

No that is not the scenario. We have to NAT both Source and destination to avoid overlapping.

So it will be as below:

Original:

Source will have original IP

Destination will be Dummy IP

Translated:

Source will be NATted to dummy IP

Destination will translate to the original IP

 

In Checkpoint, the interface that will respond to the Dummy IP will have the MAC ID responding to the Original Destination.

Thank you @Raido_Rattameister 

I don't see the Dynamic NAT working as expected. Basically the firewall is not proxying for the traffic.

As I updated in the beginning, here we need to NAT the Source with the dummy range before reaching the destination. And the Destination will be NATted with the dummy range.

 

From the source side we will be pinging the Dummy Destination IP. On the Destination side we should be seeing the Dummy Source IP.

 

I referred to the link and configured it the same as that, but it is still not working 😞

 

Regards,

Sanjay S
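As an added pre-check, not part of the thread and not PAN-OS code: a small Python script that models the condition stated in the earlier reply (the firewall answers ARP for a dummy address only when an interface in that zone has an IP configured and the address falls inside that interface's subnet; treat this as an assumption about proxy ARP behaviour) and applies it to the addresses from the original post, with interface names, zones and subnets constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    address: Optional[str]  # "ip/prefix", or None when the interface has no IP


@dataclass(frozen=True)
class NatRule:
    from_zone: str
    to_zone: str
    orig_dst: str  # dummy address the source side pings
    xlat_src: str  # dummy address the destination side sees as the source
    xlat_dst: str  # real destination address


def proxy_arp_ok(addr: str, iface: Interface) -> bool:
    """Assumed PAN-OS behaviour (per the reply above): the firewall answers ARP
    for a NAT address only if the interface has an IP configured and addr is
    inside that interface's subnet."""
    if iface.address is None:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_interface(iface.address).network


def check_rule(rule: NatRule, ifaces: List[Interface]) -> Dict[str, bool]:
    """orig_dst must be ARP-answered in from_zone (the pinging side);
    xlat_src must be ARP-answered in to_zone (the side sending replies)."""
    src_side = [i for i in ifaces if i.zone == rule.from_zone]
    dst_side = [i for i in ifaces if i.zone == rule.to_zone]
    return {
        "orig_dst": any(proxy_arp_ok(rule.orig_dst, i) for i in src_side),
        "xlat_src": any(proxy_arp_ok(rule.xlat_src, i) for i in dst_side),
    }


# Constructed sample: the thread's addresses, with interface subnets made up here.
RULE = NatRule("site-a", "site-b", "10.100.100.1", "172.16.10.1", "172.17.25.1")
IFACES_BROKEN = [
    Interface("ethernet1/1", "site-a", "10.100.100.254/24"),
    Interface("ethernet1/2", "site-b", "172.17.25.254/24"),  # 172.16.10.1 not covered
]
# Fix: a secondary address on the site-b interface that covers the dummy source range.
IFACES_FIXED = IFACES_BROKEN + [Interface("ethernet1/2", "site-b", "172.16.10.254/24")]

if __name__ == "__main__":
    for label, ifaces in (("broken", IFACES_BROKEN), ("fixed", IFACES_FIXED)):
        print(label, check_rule(RULE, ifaces))  # broken: xlat_src False; fixed: both True
```

A `False` for `xlat_src` is the symptom described in the last post: the destination side never gets an ARP reply for the dummy source address, so return traffic has nowhere to go.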
