Cyber Elite

It is easy to do.

Customer buys another Palo.

Set up an external firewall that will DNAT to 192.168.5.100 and an internal firewall that will perform the second DNAT, and voila - 2x NAT is achieved 🙂

 

On a more serious note, for Palo to send traffic to 192.168.5.100, something needs to reply to ARP on that IP.

If Palo has 192.168.5.100 configured on itself, it will never send out ARP requests for this IP.

 

You can set up a packet capture filter and use "show counter global filter delta yes packet-filter yes" and see why the packet is dropped.

If this is not enough, then take flow basic logs.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
