08-24-2019 11:41 AM
Hey Guys and Gals
I am having an issue getting U-turn NAT to work between two isolated networks on the same Palo. I am basically trying to allow internal clients to access a webcam server in an IoT network. I think my issue might be that I need to add a statement in my Virtual Router or a Policy Based Routing rule. Though the reality is that I probably made a simple error like putting in the wrong zone somewhere. Both networks live on a Palo Alto running PAN-OS 8.1. I've included a diagram and config below; the names and addresses have been changed to protect the innocent. I add this because I realize that the internal address might not be clear on the diagram. 10.0.x.254 is the internal IP address of the Palo Alto. The internal gateway is 10.0.x.1. I appreciate any help or insight people can provide, and I hope I provided enough information.
NAT Policy
Original Packet Tab
Source Zone = Corp Trust, Destination Zone = IoT Untrust, Destination Interface is Any, Service is TCP port 8889, Source Address = Any, Destination Address = 1.1.1.2
Translated Packet Tab
Source Address Translation = Translation Type is Dynamic IP and Port, Address Type is Interface Address, Interface is 2
Destination Address Translation = Translation Type is Static IP, Translation Address is 10.0.10.200, translation port is 443
Security Policy
Source Zone is Corp Trust, Source Address is Any, Destination Zone is IoT Untrust, Destination address is 1.1.1.2, Service is 443, Action is Allow.
Virtual Router Corp
Static Route
Destination 0.0.0.0/0 next hop 1.1.1.1
Destination 10.0.0.0/24 next hop 10.0.0.1
Virtual Router IoT
Destination 0.0.0.0/0 next hop 1.1.1.2
Destination 10.0.10.0/24 next hop 10.0.10.1
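The evaluation order this question turns on, as an added example that is not part of the original post: PAN-OS matches NAT rules against the original packet (pre-NAT address, port, and the zone a route lookup of the original destination returns), then matches the security policy on pre-NAT addresses and ports but the post-NAT destination zone. The zone for 1.1.1.2 is taken from the NAT rule above; the "IoT Trust" zone for the 10.0.10.0/24 subnet, the client address, and the rule names are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed model of the PAN-OS evaluation order (added example, not from the
# original post): NAT rules match on pre-NAT addresses/ports plus the zone a
# route lookup of the ORIGINAL destination returns; the security policy is then
# matched on pre-NAT addresses/ports but the POST-NAT destination zone.
Packet = namedtuple("Packet", "src_zone src_ip dst_ip dport")
NatRule = namedtuple("NatRule", "name src_zone dst_zone dst_ip dport xlate_ip xlate_port")
SecRule = namedtuple("SecRule", "name src_zone dst_zone dst_ip dport action")

# Constructed zone table standing in for the virtual router's route lookup.
# 1.1.1.2 -> "IoT Untrust" follows the NAT rule in the post; "IoT Trust" is an
# ASSUMED name for the zone that holds the 10.0.10.200 webcam server.
ZONES = [("0.0.0.0/0", "IoT Untrust"), ("10.0.0.0/24", "Corp Trust"), ("10.0.10.0/24", "IoT Trust")]

def zone_of(ip, zones=ZONES):
    """Longest-prefix match: the zone of the interface a route lookup would pick."""
    addr = ip_address(ip)
    hits = [(ip_network(n).prefixlen, z) for n, z in zones if addr in ip_network(n)]
    return max(hits)[1] if hits else None

def evaluate(pkt, nat_rules, sec_rules):
    """Return (matched NAT rule, matched security rule, action) for one packet."""
    pre_zone = zone_of(pkt.dst_ip)
    post_zone, nat_hit = pre_zone, None
    for r in nat_rules:  # first match wins, evaluated on the original packet
        if (r.src_zone, r.dst_zone, r.dst_ip, r.dport) == (pkt.src_zone, pre_zone, pkt.dst_ip, pkt.dport):
            nat_hit, post_zone = r.name, zone_of(r.xlate_ip)
            break
    for s in sec_rules:  # pre-NAT IP and port, but post-NAT destination zone
        if (s.src_zone, s.dst_zone, s.dst_ip, s.dport) == (pkt.src_zone, post_zone, pkt.dst_ip, pkt.dport):
            return nat_hit, s.name, s.action
    return nat_hit, None, "deny"  # implicit interzone deny

# The rules from the post as written: NAT on 8889, security policy on 443.
NAT = [NatRule("webcam-uturn", "Corp Trust", "IoT Untrust", "1.1.1.2", 8889, "10.0.10.200", 443)]
SEC_AS_POSTED = [SecRule("webcam", "Corp Trust", "IoT Untrust", "1.1.1.2", 443, "allow")]
# The same rule written against the pre-NAT port and the (assumed) post-NAT zone.
SEC_PRE_NAT = [SecRule("webcam", "Corp Trust", "IoT Trust", "1.1.1.2", 8889, "allow")]
CLIENT = Packet("Corp Trust", "10.0.0.50", "1.1.1.2", 8889)  # constructed client

if __name__ == "__main__":
    print(evaluate(CLIENT, NAT, SEC_AS_POSTED))  # ('webcam-uturn', None, 'deny')
    print(evaluate(CLIENT, NAT, SEC_PRE_NAT))    # ('webcam-uturn', 'webcam', 'allow')
```

Checking the firewall's traffic log for the session (rule hit, pre- and post-NAT zones) is the quickest way to confirm which of the two cases above the real device is in.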