Please read this URL, it explains the reason.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWBCA0

You have mentioned "However as network C does not really exist in the environment", so the firewall which does the source NAT from A to C doesn't have a route entry for subnet C.

The Palo Alto firewall uses its routing table to decide the destination zone of a connection.

When the inbound traffic hits the firewall, the traffic to subnet C will only match the default route.

The default route will point to your zone "untrust".

The inbound traffic to subnet C will then be classified as "destination zone - untrust" in your case.

So your inbound traffic will become -

============================

Source Zone: vpn

Destination Zone: untrust 

============================

In the URL I have provided, please check the part "2. Destination NAT".

In your case, the Destination NAT rule created by the "Bi-Directional" NAT rule is -

============================

Source-Zone: ANY

Destination-Zone: vpn

============================

The reason is clear now, as destination-zone doesn't match, the inbound traffic will NOT be D-NATed.

The simplest way to resolve your issue is to add a static route for subnet C and point it to zone "vpn"; this will resolve the issue.

After adding the static route for subnet C, your inbound traffic will match this route, so the destination zone will become "vpn".

In this way the issue will be resolved.

Thanks.
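The zone-lookup behaviour described in this answer, modelled as an added example (editor's code, not the poster's and not PAN-OS code): the firewall picks the destination zone from the longest-prefix-match route on the pre-NAT destination, then evaluates the implied destination-NAT rule against that zone. The prefix used for "subnet C" is a constructed placeholder.

```python
import ipaddress

# Constructed placeholder for "network C" (the translated subnet for A).
SUBNET_C = ipaddress.ip_network("203.0.113.0/24")

# Routing table as in the question: only a default route pointing at "untrust".
ROUTES_WITHOUT_C = [
    (ipaddress.ip_network("0.0.0.0/0"), "untrust"),
]
# Routing table after applying the fix: static route for subnet C into "vpn".
ROUTES_WITH_C = ROUTES_WITHOUT_C + [
    (SUBNET_C, "vpn"),
]

# Implied destination-NAT rule generated by the bi-directional NAT rule:
# source zone ANY, destination zone "vpn", destination address = subnet C (assumed).
DNAT_RULE = {"from_zone": "any", "to_zone": "vpn", "destination": SUBNET_C}


def destination_zone(dst_ip, routes):
    """Return the zone of the longest-prefix-match route for dst_ip.

    This mirrors the route lookup the firewall performs on the pre-NAT
    destination address to classify the destination zone."""
    dst = ipaddress.ip_address(dst_ip)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def dnat_matches(src_zone, dst_ip, routes, rule=DNAT_RULE):
    """True if an inbound packet from src_zone to dst_ip hits the DNAT rule."""
    dst_zone = destination_zone(dst_ip, routes)
    from_ok = rule["from_zone"] in ("any", src_zone)
    to_ok = rule["to_zone"] == dst_zone          # this is the check that fails
    dest_ok = ipaddress.ip_address(dst_ip) in rule["destination"]
    return from_ok and to_ok and dest_ok


if __name__ == "__main__":
    pkt = ("vpn", "203.0.113.10")  # inbound over the VPN towards subnet C
    for label, routes in (("without static route", ROUTES_WITHOUT_C),
                          ("with static route", ROUTES_WITH_C)):
        print(f"{label}: dest zone={destination_zone(pkt[1], routes)}, "
              f"DNAT applied={dnat_matches(*pkt, routes)}")
```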