Destination NAT tricks in Palo Alto…!

Why DNAT

Most network topologies are designed so that every server that must be reachable from the public Internet is placed in the DMZ. The DMZ (demilitarized zone) is where all traffic from the outside world finally terminates.


In Palo Alto, as far as I know, it is pretty simple. They have a very good GUI that makes configuration easy, the debug commands are useful, and it is a Linux machine.

Here I will tell you a simple trick; I have to admit it is a bit of a stupid way of making DNAT work.

Here is the point: even when we create a DNAT rule with all the necessary fields filled in on every tab, the rule might not be hit by the traffic; otherwise we have to add the NAT pool IP to the public-facing interface for the NAT to work. Usually we configure DNAT from untrust to untrust, so when we create this NAT rule the firewall does proxy ARP, telling the neighbouring device "to reach the NAT IP, use my MAC", which is the MAC of the interface IP. The problem is that with some devices the rule won't hit, since the firewall has no route information about the NAT IP and there is no interface associated with that IP. So when proxy ARP is not working, things get complicated, even if you spend a lot of time troubleshooting it; you finally end up creating a support ticket in frustration.

The solution is to create a route on the firewall for the NAT IP that says: to reach the NAT IP, forward this traffic to the public-facing interface. If you configure this route and commit, the NAT rule will hit without failing. This only happens with a few software releases; I don't know which ones, but this will help make your day better.
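The configuration described above, written out as an added example in PAN-OS CLI set commands (it is not the author's configuration): the zone names untrust and dmz, the interface ethernet1/1, the virtual router named default, the public NAT IP 203.0.113.10, the DMZ server 10.1.1.10 and the client 198.51.100.5 are all assumed or constructed values. The NAT rule is untrust-to-untrust because the firewall chooses the destination zone of a NAT rule by a route lookup on the original (pre-NAT) destination address; that is why a /32 static route for the NAT IP pointing out the public interface makes the rule match even when the NAT IP is not an interface address. The security rule is included because it has to reference the pre-NAT destination IP but the post-NAT destination zone, which is the other common reason DNAT traffic is dropped.

```text
# Enter configuration mode on the firewall CLI
configure

# Destination NAT: public 203.0.113.10:80 -> DMZ server 10.1.1.10:80 (constructed addresses)
# from/to are both untrust: the pre-NAT destination is routed out the public interface
set rulebase nat rules DNAT-Web from untrust to untrust source any destination 203.0.113.10 service service-http to-interface ethernet1/1 destination-translation translated-address 10.1.1.10 translated-port 80

# Security policy: pre-NAT destination IP, post-NAT destination zone (assumed zone "dmz")
set rulebase security rules Allow-Web from untrust to dmz source any destination 203.0.113.10 application web-browsing service application-default action allow

# The trick from the post: a host route for the NAT IP pointing at the public-facing
# interface, so the route lookup on the pre-NAT destination resolves to the untrust zone
# (assumed virtual router "default" and interface "ethernet1/1")
set network virtual-router default routing-table ip static-route NAT-IP-Route destination 203.0.113.10/32 interface ethernet1/1

commit
exit

# Verification from operational mode (198.51.100.5 is a constructed client address)
show routing route virtual-router default
test nat-policy-match from untrust to untrust source 198.51.100.5 destination 203.0.113.10 protocol 6 destination-port 80
show arp all
```

Run the three operational commands before and after the commit: the route table should now carry the /32 for the NAT IP via ethernet1/1, test nat-policy-match should report the DNAT-Web rule, and show arp all lets you confirm the upstream device is resolving the NAT IP to the interface MAC.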

For more: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat

Thank you…!
