So, definitely some good info, and I appreciate the feedback. This has been quite the rabbit hole to go down.
Long story short, the issue was that I needed the public facing IP to be present on the Untrust interface so that the firewall would have an arp entry for that address.
The way the ASA was configured, it just had an IP of x.x.64.2/30 on its outside interface. For NAT to work on the PA, any public IP that is to be NAT'd needs to be present on that interface. So, adding x.x.64.107 to the interface fixed it... Learn something new every day 🙂
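The fix described above, written out as PAN-OS CLI configuration. This is an added illustration, not the poster's actual config: "x.x." is the poster's redaction, the interface, zone and address-object names are taken from the thread, and the inbound rule is written in the standard PAN-OS form (the destination zone of a destination-NAT rule is the pre-NAT zone of the public address, so Untrust to Untrust). Because x.x.64.107 lies outside the interface's /30, the firewall will not proxy-ARP for it on its own, which is why the address is added to the interface explicitly.

```text
configure

# Untrust interface: keep the existing /30 and add the NAT'd public address
# so the firewall owns it and answers ARP requests for it
set network interface ethernet ethernet1/1 layer3 ip x.x.64.2/30
set network interface ethernet ethernet1/1 layer3 ip x.x.64.107/32

# Address object for the internal web server (object name from the thread)
set address WebServerInt_192.168.201.171 ip-netmask 192.168.201.171/32

# Inbound: public x.x.64.107 is rewritten to the internal server.
# Destination zone is the pre-NAT zone of the public IP, hence Untrust -> Untrust.
set rulebase nat rules HTTPS_in from Untrust to Untrust source any destination x.x.64.107 service any to-interface ethernet1/1 destination-translation translated-address WebServerInt_192.168.201.171

# Outbound: the server's own traffic leaves with the same public address.
set rulebase nat rules HTTPS_out from Trust to Untrust source WebServerInt_192.168.201.171 destination any service any source-translation static-ip translated-address x.x.64.107 bi-directional no

commit
```

After the commit, `show arp all` on the firewall and `show session all filter destination 192.168.201.171` are the quickest checks that the upstream router resolves the address and that sessions no longer age out as "incomplete".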
I recently swapped out my ASA for a PA450. Most everything is working, including most of the NAT policies. However, one seems to be giving me trouble.
Here's the old NAT from the ASA:
object network HTTS_out
nat (outside,inside) static 192.168.201.171
object network HTTPS_in
nat (inside,outside) static x.x.64.107
The policy I have on my PA looks something like this:
Source Zone - Untrust
Destination Zone - Trust
Destination Interface - e1/1
Service - Any
Source Address Translation
Translation type - Static IP
Translation Address - WebServerInt_192.168.201.171
Bi-Directional is unchecked
Destination Address Translation
Translation Type - None
I have a second NAT policy for the opposite direction (yes, I tried with just one NAT policy to do bi-directional and it didn't work).
I can't send screenshots or anything as this is all on a classified environment.
By the way, I can see hits against the policies, and I can see the traffic being allowed when I look at the log. However, I see under Application "incomplete" and Session End Reason "aged-out".
Any assistance in this would be greatly appreciated.