cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this topic

U-turn Nat between isolated networks

L1 Bithead

Hey Guys and Gals

 

I am having an issue getting u-turn nat to work between two isolated networks on the same Palo.  I am basically tiring to allow Interanal clients to access a webcam server in a IoT network.  I think might issue might be that I need to add a Statement in my Virtual Route or a Policy Based Routing rule. Though the reality is that I probable made a simple error like putting in the wrong zone somewhere.  Both network live on a Palo Alto running Pan OS 8.1.  I've include a diagram and config below, the names and address have been changed to protect the innocent.  I add because I realize that the internal address might not be clear on the diagram.  10.0.x.254 is the internal ip address of the Palo Alto.  The internal gateway is 10.0.x.1.  I appreciate any help or insight people can provide, and I hope I provided enough information.

u-turn Nat.jpg

Nat Policy

Original Packet Tab

Source Zone = Corp Trust, Destination Zone = IoT Untrust, Destination Interface is Any, Service is TCP port 8889, Source Address = Any, Destination Address = 1.1.1.2 

Translated Packet Tab

Source Address Tranlation = Translation Type is Dynamic IP and Port, Address type is Interface Address, Interface is 2,

Destination Address Translation = Translation Type is Static IP, Translation Address is 10.0.10.200, translation port is 443

 

Security Policy

Source Zone is Corp Trust, Source Address is Any, Destination Zone is IoT Untrust, Destination address is 1.1.1.2, Service is 443, Action is Allow.

 

Virtual Routes Corp

Static Route

Destination 0.0.0.0/0 next hop 1.1.1.1

Destination 10.0.0.0/24 next hop 10.0.0.1

 

Virtual Route IoT

Destination 0.0.0.0/0 next hop 1.1.1.2

Destination 10.0.10.0/24 next hop 10.0.10.1

 

Who Me Too'd this topic