09-13-2016 12:59 PM
I'm currently working with PA support on this issue but I thought I would put this question out there for the community to see if anyone has had a similar problem. We are in the process of migrating from Juniper SSG firewalls to the PA-500 and the issue we have is when we attempt to migrate our ISP connection to the PA, we are no longer able to reach any of the NAT IPs of public facing servers. When we switch back to the Juniper, everything is reachable again.
Here is the scenario:
ISP has assigned us a /30 for the interface block so we have a 157.133.x.x/30 address. The actual block of usable public IPs they assigned to is in a 65.210.x.x/28 range. On the Juniper SSG, we assign MIP IPs (their term for NAT) under the interface configuration and then create an inbound rule for zone Untrust to DMZ. This solution works fine and there is nothing else special we need to do. On the Palo side, we have the NAT configurations defined in the policies but neither inbound nor oubound static NATs will respond. Is there anything special we need to configure on the PA-500 to make this solution work, i.e. gratuitous ARP, etc? How does the firewall know to respond for NAT IPs that are not physically defined on any interface?
We have a 2nd ISP that I connected and tested but their entire block assigned to us is a /24 so both the interfaces and public IPs are within the same subnet. This solution works fine since the Palo is able to respond to requests for those addresses. It's just the setup above with the NAT subnet being complete different than the interface /30 that the ISP assigned to us that is giving us some fits. Any suggestions or advice would be greatly appreciated.
