This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About cullums
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About cullums
05-22-2023
2Posts
1Like
0Solutions
May 22, 2023Last Visited
User
Activity
User
Profile
Latest posts by cullums
| Subject | Views | Posted |
|---|---|---|
| 762 | 05-18-2023 03:17 PM | |
| 842 | 05-16-2023 04:27 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 05-18-2023 03:17 PM |
User Badges
Community Statistics
| Member Since | 05-10-2023 03:38 PM |
| Date Last Visited | 05-22-2023 08:13 AM |
| Posts | 2 |
| Total Likes Received | 1 |
05-18-2023
03:17 PM
1 Kudo
So, definitely some good info, and I appreciate the feedback. This has been quite the rabbit hole to go down.
Long story short, the issue was that I needed the public facing IP to be present on the Untrust interface so that the firewall would have an arp entry for that address.
The way the ASA was configured, it just had a an IP of x.x.64.2/30 on it's outside interface. For NAT to work on the PA, any public IP that is to be NAT'd needs to be present on that interface. So, adding x.x.64.107 to the interface fixed it.... Learn something new every day 🙂
... View more
05-16-2023
04:27 PM
I recently swapped out my ASA for a PA450. Most everything is working, including most of the NAT policies. However, one seems to be giving me trouble.
Here's the old NAT from the ASA:
object network HTTS_out
nat (outside,inside) static 192.168.201.171
object network HTTPS_in
nat (inside,outside) static x.x.64.107
The policy I have on my PA looks something like this:
Original Packet
Source Zone - Untrust Destination Zone - Trust
Destination Interface - e1/1
Service - Any
Source Address
WebServerExt_x.x.64.107
Destination Address
Any
Translated Packet
Source Address Translation
Translation type - Static IP
Translation Address - WebServerInt_192.168.201.171
Bi-Directional is unchecked
Destination Address Translation
Translation Type - None
----------------------------------
I have a second NAT policy for the opposite direction (yes, I tried with just one NAT policy to do bi-directional and it didn't work).
I can't send screenshots or anything as this is all on a classified environment.
By the way, I can see hits against the policies, and I can see the traffic being allowed when I look at the log. However, I see under Application "incomplete" and Session End Reason "aged-out"
Any assistance in this would be greatly appreciated.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks