DotW: Unexpected Proxy ARP from NAT Policy


25723
Created On 09/25/18 19:02 PM - Last Modified 06/13/23 04:47 AM


Resolution


In this week's Discussion of the Week, we will be taking a closer look at a remark posted by user msullivan regarding proxy ARP and its expected behavior.

 


 

Depending on the way NAT is configured on the Palo Alto Networks firewall, proxy ARP may act differently:

 

When a generic 'hide' NAT (many to one) policy is configured, the most straightforward option is to set the translation action to dynamic-ip-and-port and select the external interface.

 

Even though the interface may be configured with a wider subnet mask, this NAT rule translates all outbound traffic behind the firewall's interface IP alone, that is, as a /32. The advantage is that this type of rule is easy to configure and the upstream router already learns the MAC address through ordinary ARP, because the interface answers ARP requests for its own configured IP address.

This policy will simply translate all sessions from trust to untrust behind 198.51.100.241 and assign a random source port.
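As an added illustration (not from the original article or from PAN-OS itself), a small Python model of the interface-address hide NAT rule described above: the translated address set is the interface IP as a /32 regardless of the interface mask, ARP is answered only for that one address, and each session gets a random source port. The interface address, zone names and inside host are constructed example values.

```python
import ipaddress
import random

# Constructed example: untrust interface carries a /24 mask, but the
# NAT rule will still translate behind the single interface IP.
UNTRUST_IFACE = ipaddress.ip_interface("198.51.100.241/24")


class HideNat:
    """Models a dynamic-ip-and-port source NAT rule that translates behind
    the egress interface address (the 'interface' option in the rule)."""

    def __init__(self, iface, from_zone, to_zone):
        self.iface = iface
        self.from_zone = from_zone
        self.to_zone = to_zone
        # (translated ip, translated port) -> (original src ip, src port)
        self.sessions = {}

    def translated_addresses(self):
        # Interface-address mode only ever uses the interface IP as a /32,
        # whatever mask the interface itself is configured with.
        return {ipaddress.ip_network(f"{self.iface.ip}/32")}

    def answers_arp_for(self, target):
        # The interface answers ARP for its own address only; the rule
        # introduces no additional addresses that would need answering.
        return ipaddress.ip_address(target) == self.iface.ip

    def translate(self, src_zone, dst_zone, src_ip, src_port, rng=random):
        """Return (translated ip, translated port) or None if no match."""
        if (src_zone, dst_zone) != (self.from_zone, self.to_zone):
            return None  # rule applies to the configured zone pair only
        for _ in range(1000):
            port = rng.randint(1024, 65535)  # random source port
            key = (self.iface.ip, port)
            if key not in self.sessions:  # avoid reusing an active port
                self.sessions[key] = (ipaddress.ip_address(src_ip), src_port)
                return str(self.iface.ip), port
        raise RuntimeError("translated port pool exhausted")


if __name__ == "__main__":
    nat = HideNat(UNTRUST_IFACE, "trust", "untrust")
    print(nat.translated_addresses())
    print(nat.translate("trust", "untrust", "10.0.0.5", 40000))
```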

 

Things change if the interface is not selected as a 'translation template', but a free subnet is entered by the administrator.

 

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSmCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail