Twice NAT of ASA FW , equivalent NAT rules on Palo Alto FW


Hi Experts,

We have twice NAT rules (nearly 608 NAT rules) configured on the ASA FW and we are planning to refresh them with a Palo Alto 5020 soon. Below is one of the NAT rules of the ASA FW.

nat (Internet,Inside) source static any any destination static h-197.29.23.83 h-10.30.2.74 unidirectional

I would like to know what kind of NAT rule(s) we should have on the Palo Alto FW so that translation happens properly for the above-mentioned NAT rule.

A timely reply would be highly appreciated as I need to configure 608 NAT rules on the Palo Alto FW.

We have used the Expedition tool to convert the ASA FW configuration to Palo Alto; however, we suspect that twice NAT of the ASA FW is not converted properly by the Expedition tool.

Hari
Accepted Solution

Hi @EMEA-FW,

My ASA knowledge is so rusty I couldn't even say I understand it... However, the example you gave seems like simple destination NAT. It could be configured as twice-NAT, but it is translating only the destination address (right?), which in simple terms is destination static NAT.

For me personally, Palo Alto NAT config is the most intuitive, ever. I will try to shake the dust from my ASA memories and break down the twice-NAT config command so we can interpret it in "more simple PAN words" 🙂

I have tried to map each part of the ASA command to the PAN GUI:

Astardzhiev_1-1664486662555.png

Now there is a tricky part. In summary, for destination NAT on the Palo you need to use both source and destination zone as "Internet":

- Palo Alto first evaluates the NAT, but applies it later in the process. Meaning the received original packet needs to match the NAT rule in order to be NATed later. This means the firewall will check what the destination zone will be based on the original destination IP. Since the original destination will be a public IP, the route lookup will identify the "outside/Internet" zone as destination. At the same time, traffic is received from the Internet, so the source zone will also be "Internet".

If this could help you, here is how your example NAT should look on the PAN firewall:

Astardzhiev_2-1664487271029.png

I want to take a step back and ask: why do you think Expedition has failed to convert all the NAT rules properly?

Can you share some examples of an ASA NAT rule and how it was translated by Expedition?

I would suggest you try Expedition again. Let it do the dirty work for all 600+ NAT rules. But you definitely review them. I am hoping with the above explanations you can easily identify whether a NAT rule was translated correctly or not.

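To make the zone logic in the accepted answer concrete, here is an added Python model (not from the post, and not Palo Alto or Cisco code) that parses the ASA twice-NAT line from the question and derives the zones for the PAN-OS NAT rule together with the security rule the translated traffic will need. The object-name-to-IP mapping, the route table and the zone names (taken to equal the ASA interface names) are assumptions made for the example.

```python
import ipaddress
import re

# Constructed for this example: the post's "h-<ip>" host objects are resolved by name,
# since the ASA "object network" definitions were not shared in the thread.
OBJECTS = {"h-197.29.23.83": "197.29.23.83", "h-10.30.2.74": "10.30.2.74"}

# Constructed route-to-zone table: the default route faces the Internet zone; the
# 10.30.2.0/24 prefix for Inside is an assumption (the post only names host 10.30.2.74).
ROUTE_ZONES = {"0.0.0.0/0": "Internet", "10.30.2.0/24": "Inside"}

ASA_RULE = ("nat (Internet,Inside) source static any any destination static "
            "h-197.29.23.83 h-10.30.2.74 unidirectional")

# ASA twice-NAT: nat (real_if,mapped_if) source static REAL MAPPED destination static MAPPED REAL
TWICE_NAT = re.compile(r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
                       r"(?P<src_real>\S+) (?P<src_mapped>\S+) destination static "
                       r"(?P<dst_mapped>\S+) (?P<dst_real>\S+)")

def resolve(name: str) -> str:
    """Map an ASA object name to its address; the keyword 'any' is passed through."""
    return "any" if name == "any" else OBJECTS[name]

def zone_for(ip: str) -> str:
    """Longest-prefix match against ROUTE_ZONES: what the firewall's route lookup returns."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in ROUTE_ZONES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTE_ZONES[str(best)]

def pan_rules_from_asa(line: str) -> dict:
    """Derive PAN-OS NAT and security rule zones from one ASA twice-NAT line.
    Zone names are assumed to equal the ASA interface names."""
    m = TWICE_NAT.match(line)
    if not m:
        raise ValueError("not a twice-NAT line in the form used in the post")
    f = {k: resolve(v) if k.startswith(("src", "dst")) else v for k, v in m.groupdict().items()}
    if f["dst_mapped"] == "any":
        raise ValueError("rule carries no destination translation")
    ingress = f["real_if"]  # the original packet arrives on the Internet side
    return {
        # NAT rule is matched on the ORIGINAL packet: the route lookup on the public
        # pre-NAT destination lands in the Internet zone, hence Internet -> Internet.
        "nat": {"from": ingress, "to": zone_for(f["dst_mapped"]),
                "destination": f["dst_mapped"], "translated": f["dst_real"]},
        # Security policy is evaluated with the POST-NAT destination zone but the
        # pre-NAT destination IP, so a rule to "Inside" must still list 197.29.23.83.
        "security": {"from": ingress, "to": zone_for(f["dst_real"]),
                     "destination": f["dst_mapped"]},
    }

if __name__ == "__main__":
    print(pan_rules_from_asa(ASA_RULE))
```

Running it prints the NAT rule as Internet to Internet and the security rule as Internet to Inside, which is the pair to check against whatever Expedition emitted for each converted line.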

2 Replies

Hi Astardzhiev,

Your explanation is simply superb and my doubt got cleared. Reworked in Expedition and the NAT rules are properly converted now.

I've one more question related to QoS on the PA FW. We have QoS configured on the ASA FW and it needs to be migrated to the Palo Alto firewall.

Below is the configuration of the Cisco ASA FW.

access-list TEST_1 extended permit tcp any object-group NetGrp.TEST.Prod.Servers
access-list TEST_1 extended permit tcp any object-group NetGrp.TEST.OS.Servers
access-list TEST_1 extended permit tcp any object-group NetGrp.DC1.Prod.Servers
access-list TEST_1 extended permit tcp any object-group NetGrp.DC1.OS.Servers

object-group network NetGrp.TEST.Prod.Servers
network-object host 10.10.10.250
network-object 10.10.40.0 255.255.254.0

object-group network NetGrp.TEST.OS.Servers
network-object host 20.20.20.1
network-object host 20.20.20.2


object-group network NetGrp.DC1.Prod.Servers
network-object host 30.30.30.1
network-object host 30.30.30.2

object-group network NetGrp.DC1.OS.Servers
network-object host 40.40.40.1
network-object host 40.40.40.2


class-map DCD
match access-list TEST_1
class-map inspection_default
match default-inspection-traffic


policy-map global_policy
description TCP_Values
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class DCD
set connection timeout idle 1:00:00 reset dcd 0:15:00 5
class class-default
user-statistics accounting

service-policy global_policy global

Hari