NAT Config

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT Config

L4 Transporter

Hi Team,

In Checkp[oint we have an option to configure the dummy IPs in the NAT and use Proxy Arp to get it working. For example. 

Source: 10.10.10.1

Destination: 10.100.100.1(Dummy IP)

Translation:

Source: 172.16.10.1(Dummy IP)

Destination: 172.17.25.1

 

And then configure the Proxy Arp and get this NAT working. This kind of NAT are used only to avoid overlapping subnets in the source and Destination end.

 

May i know how this can be achieved in PaloAlto? I dont really see such options on configuring dummy subnets in the NAT and get it working.

 

Regards,

Sanjay S

3 REPLIES 3

Cyber Elite
Cyber Elite

You are referring to traffic coming from Internet towards Palo?

You can have dummy IP as destination IP if traffic arrives to Palo (destination mac address in the packet is mac of Palo wan interface).

If traffic is not sent to Palo mac then for Palo to reply with proxy arp it needs IP to be configured on the wan interface (this check is strict starting from 10.2.8, before that it worked even without IP on wan interface).

 

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-policy-rules/proxy-arp...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister ,

No that is not the scenario. We have to NAT both Source and destination to avoid overlapping.

So it will be as below:

Original:

Source will have original IP

Destination will be Dummy IP

Tranlated:

Source will be Natted to dummy IP

Destination will translate to the original IP

 

In checkpoint we use the interface that will respond to Dummy IP will have the MAC ID responding to the Original Destination.

Thank you @Raido_Rattameister 

I dont see the Dynamic NAT is working as expected. Basically Firewall is not proxing for the traffic. 

As i updated in the beginning here we need to NAT Source with the dummy range before reaching the destination. And Destination will be NATted with the dummy range.

 

From source side we will be pinging the Dummy Destination IP. In the Destination side we should be seeing the Dummy Source IP..

 

I reffered the Link and configured as same as that but it is still not working 😞

 

Regards,

Sanjay S

  • 377 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!