Who Me Too'd this solution

L3 Networker

You need to create a route for the additional subnet that needs the translations. If there isn't an entry in the routing table, the traffic will be dropped before the NAT is processed. If you look at the packet flow, a lookup is done early in the flow, before the actual forwarding is done. If the lookup fails, it gets dropped. 

Have a look at this document on page 4 to see where the route lookup happens before NAT lookup.

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf

I've had to do this in a couple of locations. You can just create a dummy route for each host you need to NAT or a route for the entire subnet. The route doesn't even need to have a next hop address, just an entry. I typically use the untrust interface for forwarding.

Here is an example of one I have (e1/1 is untrust). The 209 address is in the extra subnet that was assigned, not in the same network as the ISP-facing interface.

set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf interface ethernet1/1
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf metric 10
set network virtual-router default routing-table ip static-route Fake_Static_Vid-Conf destination 209.x.x.x/32

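As an added end-to-end example (not the poster's configuration), the following PAN-OS CLI shows how the dummy route fits together with the destination NAT and security rules it enables, and the operational checks that confirm the pre-NAT route lookup succeeds. All addresses, zone names and rule names are constructed placeholders, and the lines beginning with # are annotations, not CLI input.

```text
# constructed lab values: ethernet1/1 = untrust, ISP link 198.51.100.2/30,
# extra routed block 203.0.113.0/28, public host 203.0.113.10 -> internal 10.10.10.20 (zone trust)
configure
# 1. Dummy route so the pre-NAT route lookup succeeds (interface only, no next hop needed)
set network virtual-router default routing-table ip static-route Fake_Static_VidConf interface ethernet1/1
set network virtual-router default routing-table ip static-route Fake_Static_VidConf destination 203.0.113.10/32
set network virtual-router default routing-table ip static-route Fake_Static_VidConf metric 10
# Alternative: one route for the whole extra block instead of a /32 per host
# set network virtual-router default routing-table ip static-route Fake_Static_Block interface ethernet1/1
# set network virtual-router default routing-table ip static-route Fake_Static_Block destination 203.0.113.0/28
# 2. Destination NAT. NAT zones are pre-NAT: the route above sends 203.0.113.10 out e1/1,
#    so the destination zone is untrust, not trust.
set rulebase nat rules DNAT-VidConf from untrust to untrust source any destination 203.0.113.10 service any
set rulebase nat rules DNAT-VidConf destination-translation translated-address 10.10.10.20
# 3. Security policy uses the post-NAT zone (trust) but the pre-NAT destination address
set rulebase security rules Allow-VidConf from untrust to trust source any destination 203.0.113.10 application any service application-default action allow
commit
exit
# Operational checks: the lookup must return the dummy entry; a "no route" result means
# the packet is discarded before the NAT rulebase is ever consulted
test routing fib-lookup virtual-router default ip 203.0.113.10
show routing route type static
# Confirm the NAT rule matches the intended flow (protocol 6 = TCP, port 443)
test nat-policy-match from untrust to untrust source 192.0.2.50 destination 203.0.113.10 protocol 6 destination-port 443
```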