@gwesson wrote: Just to be sure, you're saying: server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router? If that's correct, there are two ways I can think of offhand: 1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools 2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virtual-wire-interfaces/configure-virtual-wires (1.1.1.50) [e1/4]FW 2[e1/7] 10.10.10.11/24 <----> [e1/3]PAN[e1/7] 10.10.10.10/24 <---> [e1/3]PAN[e1/1] <---> Router Two Firewalls PAN and FW2 If i do a destination NAT on 1.1.1.50 to internal IP would the packet even make its way to ETH3? I cannot modify any IPs behind e1/3
... View more