Hi @EMEA-FW,

 

My ASA knowledge is so rusty I couldn't even say I understand it... However, the example you gave seems like simple destination NAT. It could be configured as twice-NAT, but it is translating only the destination address (right?). Which in simple terms is destination static NAT.

 

For me personally, Palo Alto NAT config is the most intuitive ever. I will try to shake the dust from my ASA memories and try to break down the twice-NAT config command, so we can interpret it in "more simple PAN words" 🙂

 

I have tried to map each part of the ASA command to the PAN GUI:

Astardzhiev_1-1664486662555.png

 

 

Now there is a tricky part. In summary, for destination NAT on the Palo you need to use source and destination zone as "Internet":

- Palo Alto first evaluates the NAT, but applies it later in the process. Meaning the received original packet needs to match the NAT rule in order to be NATed later. Which means the firewall will check what the destination zone will be based on the original destination IP. Since the original destination will be a public IP, route lookup will identify the "outside/Internet" zone as destination. At the same time traffic is received from the internet, so the source zone will also be "Internet".

 

If this could help you, here is how your example NAT should look on a PAN firewall:

Astardzhiev_2-1664487271029.png

 

 

I want to take a step back and ask, why do you think Expedition has failed to convert all the NAT rules properly?

Can you share some examples for ASA NAT rule and how it was translated by the Expedition?

 

I would suggest you try the Expedition again. Let it do the dirty work for all 600+ NAT rules. But definitely review them. I am hoping that with the above explanations you can easily identify if a NAT rule was translated correctly or not.
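
Added example, not part of the original post and not Expedition's own code or output format: a small review check for converted destination-NAT rules that applies the zone logic described above (the rule's destination zone must equal the zone found by a route lookup on the original, pre-NAT destination). The routing table, addresses, the "DMZ" zone name and the rule dictionary layout are constructed assumptions.

```python
import ipaddress

# Constructed routing table (prefix, zone); addresses and zone names are sample values.
ROUTES = [
    ("0.0.0.0/0", "Internet"),
    ("10.10.0.0/16", "DMZ"),
]

def zone_for(ip, routes=ROUTES):
    """Longest-prefix route lookup; returns the zone, or None if no route matches."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), z) for p, z in routes]
    hits = [(n, z) for n, z in hits if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def review_dnat_rule(rule, client_ip, routes=ROUTES):
    """Return findings for one converted destination-NAT rule (hypothetical dict layout)."""
    findings = []
    # The NAT rule is matched against the ORIGINAL packet, so the destination
    # zone comes from a route lookup on the pre-NAT (public) destination.
    pre_nat_zone = zone_for(rule["orig_dst"], routes)
    if pre_nat_zone is None:
        findings.append(f"no route for original destination {rule['orig_dst']}")
    elif rule["to_zone"] != pre_nat_zone:
        findings.append(
            f"to_zone {rule['to_zone']!r} cannot match: pre-NAT lookup of "
            f"{rule['orig_dst']} gives {pre_nat_zone!r}")
    # The source zone is where the client's traffic actually arrives from.
    src_zone = zone_for(client_ip, routes)
    if rule["from_zone"] != src_zone:
        findings.append(
            f"from_zone {rule['from_zone']!r} differs from ingress zone {src_zone!r}")
    return findings

# Constructed sample rules: the first follows the post, the second uses the
# post-NAT zone as destination zone, which the pre-NAT lookup never yields.
RULES = [
    {"name": "web-dnat", "from_zone": "Internet", "to_zone": "Internet",
     "orig_dst": "203.0.113.10", "translated_dst": "10.10.1.10"},
    {"name": "web-dnat-bad", "from_zone": "Internet", "to_zone": "DMZ",
     "orig_dst": "203.0.113.11", "translated_dst": "10.10.1.11"},
]

if __name__ == "__main__":
    for r in RULES:
        print(r["name"], review_dnat_rule(r, client_ip="198.51.100.7") or "OK")
```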

 
