Knowledge Base - Palo Alto Networks

NAT policies stop working after upgrading to PAN-OS 10.2.8 or later

Created On 03/26/24 22:21 PM - Last Modified 02/20/25 21:29 PM


Symptom


  • Configured NAT address pools are not bound to any interface on the firewall.
  • The upstream router displays the correct ARP entry for the firewall interface IP address.
  • The upstream router does not display any ARP entry for a NAT pool address, that is, an address that is not bound to any firewall interface.
  • An ARP packet capture shows the ARP requests from the upstream router being dropped. Refer to How to capture ARP packets.


Environment


  • Palo Alto Firewalls
  • PAN-OS 10.2.8 and above
  • PAN-OS 11.1.0 and above
  • Network Address Translation (NAT)


Cause


  • Starting in PAN-OS 10.2.8, strict checking of proxy ARP for NAT-translated IPs is enforced.
  • The firewall only sends an ARP reply for a NAT pool IP if the target IP in the ARP request and the ingress interface IP are in the same subnet.
Expected Behavior:
  • NAT address pools are not bound to any interface. The following figure illustrates the behavior of the firewall when it performs proxy ARP for an address in a NAT address pool.
[Figure: Strict_NAT_Check_size-8.jpg]
  • The firewall performs source NAT for a client, translating the source address 10.1.1.1 to the address in the NAT pool, 192.168.2.2. The translated packet is sent on to a router.
  • For the return traffic, the router does not know how to reach 192.168.2.2 (because that IP is only an address in the NAT address pool), so it sends an ARP request to the firewall.
    • If the address pool address 192.168.2.2 is in the same subnet as the egress/ingress interface IP 192.168.2.3/24, the firewall sends a proxy ARP reply to the router, indicating the Layer 2 MAC address for that IP.
    • If the address pool IP is not part of a subnet configured on any firewall interface, the firewall does not send a proxy ARP reply to the router.



Resolution


  1. Ensure NAT address pool addresses are bound to an interface, that is, in the same subnet as the interface IP address. (If more than one network is connected to the untrust/NAT interface, configure a secondary IP address on the untrust interface with the applicable subnet.)
  2. If the NAT pool address cannot be part of the same subnet as an interface address, create a route for that address in the upstream router.
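The strict proxy-ARP check described under Cause, and the audit a practitioner would want to run before upgrading to check the Resolution steps, can be expressed as a small script. The following is an added example, not code from the article or from Palo Alto Networks; the interface and NAT pool data are constructed (the article's 192.168.2.x addresses plus a hypothetical unbound pool), and the /24 prefix used for the secondary-address suggestion is an assumption that must be replaced with the real upstream subnet.

```python
"""Pre-upgrade audit: which NAT pool addresses will no longer receive a
proxy-ARP reply under the PAN-OS 10.2.8+ strict subnet check.

Added example, not from the article. Interface and pool data below are
constructed for illustration.
"""
import ipaddress

# Constructed sample: interface addresses in CIDR form. A list per interface
# allows a secondary IP (Resolution step 1) to be modelled alongside the primary.
INTERFACE_IPS = {
    "ethernet1/1": ["192.168.2.3/24"],   # untrust, matches the article's figure
    "ethernet1/2": ["10.1.1.254/24"],    # trust side
}

# Constructed sample NAT pools: single address, address range, or CIDR block.
NAT_POOLS = {
    "snat-pool-a": ["192.168.2.2"],                  # bound: inside 192.168.2.0/24
    "snat-pool-b": ["192.168.2.10-192.168.2.20"],    # bound: inside 192.168.2.0/24
    "snat-pool-c": ["203.0.113.0/29"],               # hypothetical unbound pool
}


def expand_pool(spec: str):
    """Yield every address in a pool spec: 'a.b.c.d', 'lo-hi' range, or CIDR.

    A CIDR spec yields all addresses in the block, including the first and
    last, since a NAT pool given as a block uses every address in it.
    """
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        for n in range(int(lo), int(hi) + 1):
            yield ipaddress.ip_address(n)
    elif "/" in spec:
        yield from ipaddress.ip_network(spec, strict=False)
    else:
        yield ipaddress.ip_address(spec)


def interface_networks(interfaces):
    """Map each interface to the subnets of its primary and secondary addresses."""
    return {
        name: [ipaddress.ip_interface(addr).network for addr in addrs]
        for name, addrs in interfaces.items()
    }


def proxy_arp_answered(target, networks):
    """Strict check: the firewall replies only if the ARP target lies inside
    a subnet configured on some interface."""
    return any(target in net for nets in networks.values() for net in nets)


def audit(interfaces, pools):
    """Return {pool_name: [unbound addresses]} for every pool with at least one
    address that will be silently ignored after the upgrade."""
    networks = interface_networks(interfaces)
    findings = {}
    for name, specs in pools.items():
        unbound = [
            str(ip)
            for spec in specs
            for ip in expand_pool(spec)
            if not proxy_arp_answered(ip, networks)
        ]
        if unbound:
            findings[name] = unbound
    return findings


def suggested_secondary(unbound_addr: str, prefixlen: int = 24) -> str:
    """Subnet a secondary interface address would need to cover the address.

    The prefix length is an assumption for illustration; use the real
    upstream subnet when applying Resolution step 1.
    """
    return str(ipaddress.ip_network(f"{unbound_addr}/{prefixlen}", strict=False))


if __name__ == "__main__":
    for pool, addrs in audit(INTERFACE_IPS, NAT_POOLS).items():
        print(f"{pool}: {len(addrs)} address(es) not bound to any interface subnet")
        print(f"  e.g. {addrs[0]} -> add a secondary IP in "
              f"{suggested_secondary(addrs[0])} or route it on the upstream router")
```

Any pool the audit reports will behave exactly as the Symptom section describes after the upgrade: the upstream router's ARP requests for those addresses go unanswered. Run it against the real interface and pool configuration before upgrading, then apply Resolution step 1 (secondary IP in the reported subnet) or step 2 (upstream route) for each finding.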


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Xi04CAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail