NGFW PA820 9.1.4 Strange NAT issue

Showing results for 
Show  only  | Search instead for 
Did you mean: 

NGFW PA820 9.1.4 Strange NAT issue

L1 Bithead

We have a simple basic setup:

WAN1/1 Untrust IP

LAN1/2 Trust IP

We NAT our WAN interface out to a different IP in the same network.

NAT POL  Trust to Untrust Int1/1 Any Any to  

Security Pol is Any Any 

I ping from the LAN1/1 and it NATs out correctly with the .90 address

Devices behind the firewall are not getting NAT'd out, I have pcap that shows this.  The pcap does not show the NAT'd IP just the trust traffic from the device to the LAN1/1 on both outbound and inbound traffic.


 I can also ping the ISP GW from the downstream devices so I can get traffic beyond the FW but nothing beyond that.


1 accepted solution

Accepted Solutions

L1 Bithead

Strange I updated the OS 9.1.4 to 9.1.5 rebooted and now it is working

View solution in original post


Cyber Elite
Cyber Elite


Take a look at your NAT policy and double check that you actually have it configured correctly. Your traffic logs are also going to be a help here, as you can expose the NAT Source IP field to see what the firewall actually NAT'd traffic to. Weird NAT issues are almost always a result of your NAT rulebase entry not being correctly formatted. 

L1 Bithead

"rule1; index: 1" {
nat-type ipv4;
from Trust;
source ;
to Untrust-ISP1;
to-interface ;
destination any;
service 0:any/any/any;
translate-to "src: (dynamic-ip-and-port) (pool idx: 11)";
terminal no;


Security Policy

"rule1; index: 1" {
from Trust;
source any;
source-region none;
to Untrust-ISP1;
destination any;
destination-region none;
user any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;

Can you check your default route? Since your zone is called untrusted-isp1, is there also an untrust-isp2?


Show routing fib virtual-router default | match

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

Untrust-ISP2 is not connected nor is the Zone created:


show routing fib virtual-router VR-1 | match
[?1h= 805 ug ethernet1/1 1500

L1 Bithead

ame: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router VR-1
Interface MTU 1500
Interface IP address:
Interface management profile: no
Service configured: IKE
Zone: Untrust-ISP1, virtual system: vsys1
Adjust TCP MSS: no
Policing: no

Cyber Elite
Cyber Elite

everything looks ok...


if you start a ping out to the internet, can you check if the session ID of your outgoing ping to see which rules it hits etc:


show session all filter destination application ping

show session id xxx

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

I can ping the internet from the Trust interface but nothing behind it.  My pcap shows ping from the trust interface NATs out correctly but the ping from a the devices behind the FW do not NAT at all.  Ping source to host success,   Ping source host fails....aged out.  Basically no NAT from devices behind the Trust interface.


L1 Bithead

Strange I updated the OS 9.1.4 to 9.1.5 rebooted and now it is working

  • 1 accepted solution
  • 8 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!