Error message: “Mismatch of destination address translation range between original address and translated address” seen when configuring destination NAT.
Created On 12/29/21 10:25 AM - Last Modified 09/29/23 11:11 AM
Symptom
The error appears when a destination NAT rule configured with static IP translation has a mismatch in the number of addresses between the Original Packet and the Translated Packet, whether those addresses are given as a single IP, a subnet, or a range of addresses.
For example (the GUI screenshots referenced here are not reproduced):
GUI: Policies > NAT > Original Packet
GUI: Policies > NAT > Translated Packet
The above configuration leads to the error quoted in the title.
Environment
- Palo Alto Firewall.
- Any PAN-OS.
- Destination NAT.
Cause
- When the translation type is set to Static, the firewall performs a one-to-one mapping between each original address and its translated address.
- An admin can specify a single destination IP address, a range of IP addresses, or an IP netmask for the original packet, as long as the translated packet uses the same format and specifies the same number of IP addresses.
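The following Python model is an added illustration, not Palo Alto code: it parses the three address forms a NAT rule accepts (single IP, range written as a-b, netmask written as a/n), counts the addresses on each side, and applies the rule stated above. A Static rule must have the same number of addresses on both sides, while Dynamic IP (with session distribution), the fix given in the Resolution section, allows many-to-one and reports whether the Session Distribution Method would have any effect. The function names and the way netmask sizes are counted (all addresses in the block) are assumptions made for this example.

```python
"""Model of the destination-NAT address-count rule described in this article.

Added example, not PAN-OS code. Function names and the netmask counting
convention (every address in the block is counted) are assumptions.
"""
import ipaddress

# Error text taken from the title of this article.
MISMATCH_ERROR = ("Mismatch of destination address translation range between "
                  "original address and translated address")


def address_count(spec: str) -> int:
    """Return how many addresses an Original/Translated Packet entry covers.

    Accepts a single IP ('10.1.1.1'), a range ('10.1.1.1-10.1.1.10') or a
    netmask ('10.1.1.0/28'). Raises ValueError on malformed input.
    """
    spec = spec.strip()
    if "-" in spec:  # range form: first address - last address, inclusive
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if start.version != end.version or end < start:
            raise ValueError(f"invalid address range: {spec}")
        return int(end) - int(start) + 1
    if "/" in spec:  # netmask form: count every address in the block
        return ipaddress.ip_network(spec, strict=False).num_addresses
    ipaddress.ip_address(spec)  # single address; raises if not an IP
    return 1


def check_dnat_rule(original: str, translated: str, translation_type: str) -> dict:
    """Evaluate a destination-NAT rule's address counts as the article describes.

    translation_type is 'static' or 'dynamic' (Dynamic IP with session
    distribution). The result reports whether the rule would commit, the
    counts on each side and, for dynamic rules, whether the Session
    Distribution Method has any effect (only when more than one translated IP).
    """
    n_orig = address_count(original)
    n_trans = address_count(translated)
    result = {"original_count": n_orig, "translated_count": n_trans}

    if translation_type == "static":
        if n_orig != n_trans:
            # Static is strictly one-to-one: a size mismatch is rejected.
            result.update(ok=False, reason=MISMATCH_ERROR,
                          fix="use Dynamic IP (with session distribution) "
                              "for many-to-one destination NAT")
        else:
            result.update(ok=True, reason="one-to-one static mapping")
        return result

    if translation_type == "dynamic":
        # Dynamic IP permits many-to-one; distribution only matters when the
        # translated side is a range or several addresses.
        result.update(ok=True,
                      reason="dynamic destination translation",
                      distribution_applies=n_trans > 1)
        return result

    raise ValueError(f"unknown translation type: {translation_type}")


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not from any real rule.
    for orig, trans, kind in [
        ("203.0.113.0/28", "10.1.1.5", "static"),
        ("203.0.113.0/28", "10.1.1.0/28", "static"),
        ("203.0.113.0/28", "10.1.1.5", "dynamic"),
        ("203.0.113.0/28", "10.1.1.1-10.1.1.4", "dynamic"),
    ]:
        print(orig, "->", trans, kind, check_dnat_rule(orig, trans, kind))
```

Running the block shows the first sample rejected with the article's error text (16 original addresses against 1 translated), the second accepted as one-to-one, and the dynamic samples accepted, with the distribution flag set only for the range on the translated side.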
Resolution
- Change the translation type from Static to Dynamic IP (with session distribution) for many-to-one destination NAT.
Below is the working setup for Destination NAT with Dynamic IP (with session distribution); the GUI screenshots referenced here are not reproduced:
GUI: Policies > NAT > Translated Packet
- As this is a many-to-one translation (a single translated IP address), the Session Distribution Method has no effect.
- The Session Distribution Method only takes effect when the translated address is a range or a set of multiple IP addresses.