Static Source nat, two /24 subnets one to one


L1 Bithead

I want to know if this is possible: make a Static Source NAT so that the source network's last octet is preserved. Let's say 192.168.1.10 is translated to 10.1.1.10, then the next host 192.168.1.11 is translated to 10.1.1.11, and this should always happen, NATting only the last octet, so it does not get mixed up and source NAT to a different IP that does not match the last octet.

Not sure if setting the NAT rule to:
Source Network 192.168.1.0/24, Source NAT 10.1.1.0/24

Cyber Elite

Hi @Carlos_N ,

Yes, that should work. Because the NAT type is static, the last octet should stay the same. This technique is most often used with overlapping subnets between organizations. Please see example #5 (page 18) in this tech note -> https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/members_discuss/15121/1/TechNote.... (Some IP addresses look wrong in the pic, but are correct in the examples.)

Thanks,

Tom

Edit: Hi @Carlos_N , My apologies. I did not realize the URL was local. I have corrected it. Here is another example -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNxCAK.

It is interesting to note that these examples are found in older documents. I see no mention of it here -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOLCA0. Nonetheless, I think this is an essential feature, although rarely used. I hope it is still available.


L1 Bithead

Hey Tom, many thanks for your help. Can you please share the PDF to my mail crnoel@gmail.com or another way? I'm not able to access your local shares file:///Users/tomyoung/Downloads/TechNote_UnderstandingNAT.pdf

L5 Sessionator

Yes, we currently do a source NAT with a one-to-one where the last octet stays the same. The trick is that you use static NAT with equal-size Original and Translated network subnets. So when you have an Original Packet inbound source network of 192.168.0.0/24, if you set the Translated Packet source NAT Translation Type to "Static" with Translated Address 10.0.0.0/24, then the last octet will remain the same, as it is a one-to-one with equivalent subnets.

You can also shift inbound source IP subnets to different octets, as it preserves the one-to-one mapping based on the subnet size. We use this to map multiple small subnets into a larger contiguous subnet, i.e.

192.168.0.0/26 -> 10.0.0.0/26

192.168.5.0/26 -> 10.0.0.64/26

192.168.10.0/26 -> 10.0.0.128/26.
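The mapping the two replies above describe (a static one-to-one NAT keeps each host's offset inside its subnet, which for the /24 -> /24 case in the question means the last octet is unchanged, and for the three /26 blocks above means the hosts are packed into 10.0.0.0/24) is just subnet arithmetic. The following is an added example that is not from the thread and not PAN-OS code: it models that arithmetic so you can audit what a rule will do before committing it. The rule list, the equal-size check and the "first match wins" ordering are assumptions made for the example; the sample hosts are constructed.

```python
import ipaddress


def sizes_match(original_net: str, translated_net: str) -> bool:
    """A static (one-to-one) source NAT only preserves host offsets when both
    subnets have the same prefix length (and address family)."""
    orig = ipaddress.ip_network(original_net, strict=True)
    xlat = ipaddress.ip_network(translated_net, strict=True)
    return orig.prefixlen == xlat.prefixlen and orig.version == xlat.version


def translate(src_ip: str, original_net: str, translated_net: str) -> str:
    """Translate one source address the way static subnet NAT does: keep the
    host's offset from the network address and add it to the translated
    network. For 192.168.1.0/24 -> 10.1.1.0/24 the last octet is unchanged."""
    if not sizes_match(original_net, translated_net):
        raise ValueError(f"static NAT needs equal-size subnets: "
                         f"{original_net} vs {translated_net}")
    src = ipaddress.ip_address(src_ip)
    orig = ipaddress.ip_network(original_net, strict=True)
    xlat = ipaddress.ip_network(translated_net, strict=True)
    if src not in orig:
        raise ValueError(f"{src} is not inside {orig}")
    offset = int(src) - int(orig.network_address)
    return str(ipaddress.ip_address(int(xlat.network_address) + offset))


def mapping_table(original_net: str, translated_net: str) -> dict:
    """Full one-to-one table for a single rule, useful for auditing."""
    if not sizes_match(original_net, translated_net):
        raise ValueError("subnet sizes differ")
    orig = ipaddress.ip_network(original_net, strict=True)
    xlat = ipaddress.ip_network(translated_net, strict=True)
    return {str(s): str(t) for s, t in zip(orig, xlat)}


# Constructed rulebase reproducing the three /26 -> /26 rules from the reply
# above; treating it as an ordered list is an assumption for this example.
RULES = [
    ("192.168.0.0/26", "10.0.0.0/26"),
    ("192.168.5.0/26", "10.0.0.64/26"),
    ("192.168.10.0/26", "10.0.0.128/26"),
]


def translate_with_rules(src_ip: str, rules=RULES) -> str:
    """First matching rule wins, as in an ordered NAT rulebase; a source that
    matches no rule leaves untranslated."""
    src = ipaddress.ip_address(src_ip)
    for original_net, translated_net in rules:
        if src in ipaddress.ip_network(original_net, strict=True):
            return translate(src_ip, original_net, translated_net)
    return str(src)


def translated_ranges_disjoint(rules=RULES) -> bool:
    """Two rules whose translated ranges overlap would map two real hosts onto
    one NAT address and silently break the one-to-one property; check for it."""
    nets = [ipaddress.ip_network(t, strict=True) for _, t in rules]
    return not any(a.overlaps(b)
                   for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.254"):
        print(host, "->", translate(host, "192.168.1.0/24", "10.1.1.0/24"))
    for host in ("192.168.0.1", "192.168.5.7", "192.168.10.63"):
        print(host, "->", translate_with_rules(host))
    print("translated ranges disjoint:", translated_ranges_disjoint())
```

Run it as-is to see 192.168.1.10 become 10.1.1.10 and 192.168.5.7 become 10.0.0.71 (offset 7 inside the second /26, added to 10.0.0.64). The disjointness check is the one thing worth running before you commit several such rules: the firewall will happily accept two rules that translate into the same range, and the collision only shows up as the wrong return traffic.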

L1 Bithead

Hi all, many thanks for the information! If my source networks are smaller subnets of a /24, let's say /29 segments in different source zones, can I set the static source translation with one /24 and will it still work the same, or do I have to create a static source NAT with one source zone and the smaller real subnet mask? Example with two source zones:

Example:

Source Zone                 Source Network   Destination Zone   Source Static NAT
Zone_One (192.168.1.0/29)   192.168.1.0/24   Zone_INET          10.1.1.0/24
Zone_Two (192.168.8.0/29)
