Issue with ARP when using Bi-directional NAT with a Static Source Translation Address

31307
Created On 09/25/18 17:52 PM - Last Modified 05/01/25 22:41 PM


Symptom


In this configuration, the Palo Alto Networks device answers ARP requests for the same IP address from two different interfaces. For Destination NAT, only the source zone and the original (un-translated) destination IP address are checked against the NAT rule.



Environment


  • Palo Alto Firewalls
  • PAN-OS 7.x
  • Bidirectional NAT


Cause


  • There is no check that the destination zone matches the rule, since that would require an extra route lookup.
  • If the interfaces of both zones can receive the ARP request, both respond with an ARP reply.


Resolution


  1. The workaround for this issue is to replace the bi-directional NAT rule with separate Source and Destination NAT rules.
  2. In the Destination NAT rule, the source zone needs to be explicitly specified.
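The split described in the two steps above, written out as PAN-OS set commands. This is an added illustration, not configuration from the article; the zone names (trust/untrust), rule names, and addresses (10.1.1.10 internal, 203.0.113.10 public) are assumed, and the lines beginning with `#` are annotations to remove before pasting into configure mode.

```panos
# Before: one bi-directional static NAT rule. The implied reverse (destination
# NAT) rule carries no explicit source zone, so any interface that can see an
# ARP request for 203.0.113.10 will answer it.
set rulebase nat rules Server-BiNAT from trust to untrust source 10.1.1.10 destination any service any source-translation static-ip translated-address 203.0.113.10 bi-directional yes

# After, step 1: static source NAT for outbound traffic only
# (bi-directional is left at its default of no).
set rulebase nat rules Server-SNAT from trust to untrust source 10.1.1.10 destination any service any source-translation static-ip translated-address 203.0.113.10

# After, step 2: destination NAT for inbound traffic with the source zone
# stated explicitly (from untrust), so only the untrust side owns 203.0.113.10.
set rulebase nat rules Server-DNAT from untrust to untrust source any destination 203.0.113.10 service any destination-translation translated-address 10.1.1.10
```

After committing, `show arp all` on the firewall and on an upstream device should show 203.0.113.10 resolving to the untrust interface MAC only.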


Additional Information


What does the Bi-Directional NAT Feature Provide?
