
Static Source nat, two /24 subnets one to one

L1 Bithead

I want to know if this is possible: make a Static Source NAT so that
the source network's last octet is kept, let's say 192.168.1.10 is translated to 10.1.1.10, then the next host 192.168.1.11 is translated to 10.1.1.11, and this should always happen, only NATting the last octet, so it does not get mixed and source NATted to a different IP that does not match the last octet.

Not sure if setting the NAT rule to:
Source Network 192.168.1.0/24 Source NAT 10.1.1.0/24


Cyber Elite

Hi @Carlos_N ,

Yes, that should work. Because the NAT type is static, the last octet should stay the same. This technique is most often used with overlapping subnets between organizations. Please see example #5 (page 18) in this tech note -> https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/members_discuss/15121/1/TechNote.... (Some IP addresses look wrong in the pic, but are correct in the examples.)

Thanks,

Tom

Edit: Hi @Carlos_N , My apologies. I did not realize the URL was local. I have corrected it. Here is another example -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNxCAK.

It is interesting to note that these examples are found in older documents. I see no mention of it here -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOLCA0. Nonetheless, I think this is an essential feature, although rarely used. I hope it is still available.

L1 Bithead

Hey Tom, many thanks for your help. Can you please share the PDF to my mail crnoel@gmail.com or another way? I'm not able to access your local share file:///Users/tomyoung/Downloads/TechNote_UnderstandingNAT.pdf

L6 Presenter

Yes, we currently do a source NAT with a one-to-one where the last octet stays the same. The trick is that you use static NAT with equal-size Original and Translated network subnets. So when you have an Original Packet inbound source network of 192.168.0.0/24, if you set the Translated Packet source NAT Translation Type to "Static" with Translated Address 10.0.0.0/24, then the last octet will remain the same as it is a one-to-one with equivalent subnets.

You can also shift inbound source IP subnets to different octets, as it preserves the one-to-one based on the subnet size. We use this to map multiple small subnets into a larger contiguous subnet, i.e.

192.168.0.0/26 -> 10.0.0.0/26

192.168.5.0/26 -> 10.0.0.64/26

192.168.10.0/26 -> 10.0.0.128/26.

L1 Bithead

Hi all, many thanks for the information! If my source networks are in smaller subnets of a /24, let's say /29 segments, and in different source zones, can I set the static source translation with one /24 and will it still work the same, or do I have to create a static source NAT with one source zone and the smaller real subnet mask? Follow the example with two source zones:

Example:

Source Zone                  Source Network    Destination Zone    Source Static NAT
Zone_One (192.168.1.0/29)    192.168.1.0/24    Zone_INET           10.1.1.0/24
Zone_Two (192.168.8.0/29)

L1 Bithead

Also, what happens if I have different destination zones in which the static NAT has to happen? Can I have one rule with many source networks and many destination zones, with one source network /24 and one source static translation /24?

Thanks!

Hi @Carlos_N ,

I believe you should be able to do it this way - one NAT rule listing all source zones and applying static translation to a /24. The important note is that you must use a summary /24 object and put it as the source address, instead of listing the individual /29s.

The key here is that the source address must have exactly the same prefix length as the static source translation; it doesn't really matter what the source zone is (as long as it matches the rule), so it shouldn't be a problem to list multiple source zones in one NAT rule.
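The one-to-one arithmetic behind the thread (host offset preserved when prefix lengths match, the /26-into-/24 shift mapping from the earlier reply, and the "summary prefix must actually contain the smaller subnets" point above), as an added example that is not part of the original thread and not a Palo Alto tool; the rule pairs and addresses are constructed sample values:

```python
from ipaddress import IPv4Address, IPv4Network


def static_translate(addr: str, original: str, translated: str) -> IPv4Address:
    """One-to-one static NAT: keep the host's offset inside the subnet.

    With equal prefix lengths the host part (the last octet for a /24) is
    carried over unchanged, which is the behaviour the thread describes.
    """
    host = IPv4Address(addr)
    orig_net = IPv4Network(original)
    xlat_net = IPv4Network(translated)
    if orig_net.prefixlen != xlat_net.prefixlen:
        # Unequal sizes cannot be one-to-one, so refuse the rule outright.
        raise ValueError("original and translated prefixes must be equal length")
    if host not in orig_net:
        raise ValueError(f"{host} is not inside {orig_net}")
    offset = int(host) - int(orig_net.network_address)
    return IPv4Address(int(xlat_net.network_address) + offset)


def translate_with_rules(addr: str, rules) -> IPv4Address:
    """Apply the first matching (original, translated) pair, like an ordered rulebase."""
    for original, translated in rules:
        if IPv4Address(addr) in IPv4Network(original):
            return static_translate(addr, original, translated)
    return IPv4Address(addr)  # no rule matched: source stays untranslated


def summary_covers(summary: str, subnets) -> bool:
    """Check that every smaller subnet fits inside the summary used as source address."""
    net = IPv4Network(summary)
    return all(IPv4Network(s).subnet_of(net) for s in subnets)


# Constructed sample rulebase: three /26 networks shifted into one /24.
SHIFT_RULES = [
    ("192.168.0.0/26", "10.0.0.0/26"),
    ("192.168.5.0/26", "10.0.0.64/26"),
    ("192.168.10.0/26", "10.0.0.128/26"),
]

if __name__ == "__main__":
    print(static_translate("192.168.1.10", "192.168.1.0/24", "10.1.1.0/24"))  # 10.1.1.10
    print(translate_with_rules("192.168.5.3", SHIFT_RULES))  # 10.0.0.67
    print(summary_covers("192.168.1.0/24", ["192.168.1.0/29", "192.168.1.8/29"]))  # True
    print(summary_covers("192.168.1.0/24", ["192.168.1.0/29", "192.168.8.0/29"]))  # False
```

The last call shows the check a practitioner wants before committing a summary-object rule: a /29 that lies outside the summary prefix would simply never match the rule.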

L1 Bithead

Sorry, one more doubt: as I have many destination zones, what if I put "any" on the destination zone? What I need is that, no matter what the destination zone is, the source network 192.168.1.0/24 (or all the smaller /29 subnets) gets translated to the static 10.1.1.0/24, only changing the last octet. Can I do this in one NAT rule?

L6 Presenter

Yes, you can have one or more source networks and a destination network of "any" to make it a single rule (I haven't tried it for a one-to-one source NAT, I use multiple NAT rules for each source subnet, but I believe it should work). As @aleksandar.astardzhiev said it is critical that source network and translated source address have identical prefix lengths.


Just be aware that sometimes having a destination of "any" can have unexpected outcomes if you have many zones and other NATs (i.e. you are routing multiple external/internal/guest network zones to your DMZ zone and need the DMZ reply to route to the correct path).

L1 Bithead

Many thanks Adrian and Aztardzhiev, I will use multiple source and destination zones for this static NAT. I will test it this Saturday and will let you know how it went.

Cheers
