Enable Infrastructure Traffic Source NAT: traffic originating from the SC SPN itself is excluded from NAT
Created On 06/07/23 08:13 AM - Last Modified 10/31/25 18:50 PM
Symptom
The Enable Infrastructure Traffic Source NAT option is available for service connections (SC) on the Innovation release.
The documentation describes it as follows: "Enable Infrastructure Traffic Source NAT—Performs NAT on addresses from the Infrastructure Subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center." (https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/create-a-service-connection)
In practice, infrastructure IPs sourced from other SPNs are source NATed as expected, but the infrastructure IP of the SC SPN itself is not NATed.
Environment
Prisma Access 3.2 Innovation
Cause
When this option is enabled on the SC, two NAT rules are added to the SC SPN. The no-NAT rule (index 3) matches the SPN's own loopback address and is evaluated before the infrastructure NAT rule (index 5):
"GPCS-sc-loopback-no-nat-rule; index: 3" {
        nat-type ipv4;
        from [ trust inter-fw ];
        source <loopback ip address of itself>;
        source-region none;
        to trust;
        to-interface ;
        destination any;
        destination-region none;
        service 0:any/any/any;
        connected-gw-ip ::
        terminal no;
}
"GPCS-infra-sc-nat-rule; index: 5" {
        nat-type ipv4;
        from [ trust inter-fw ];
        source <Infra IPs>;
        source-region none;
        to trust;
        to-interface ;
        destination any;
        destination-region none;
        service 0:any/any/any;
        connected-gw-ip ::
        translate-to "src: <IP range in the pool> (dynamic-ip-and-port) (pool idx: 6)";
        terminal no;
}
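The following script is an added example, not part of the original article or of Prisma Access itself. It parses a rule dump in the format shown above and performs a first-match lookup (PAN-OS evaluates NAT policy top-down, first match wins) to show why a packet sourced from the SPN's own loopback lands on the index 3 no-NAT rule while any other infrastructure address falls through to the index 5 NAT rule. The sample policy is constructed for the example, and the addresses in it (10.255.0.1 as the SPN loopback, 10.255.0.0/24 as the infrastructure range, 192.0.2.x as the NAT pool) are assumed placeholders, not values from the page.

```python
import ipaddress
import re

# Constructed sample modelled on the two rules the article shows for the SC SPN.
# Addresses are assumptions (RFC 1918 / RFC 5737 placeholders), not values from the page.
SAMPLE_NAT_POLICY = '''
"GPCS-sc-loopback-no-nat-rule; index: 3" {
        nat-type ipv4;
        from [ trust inter-fw ];
        source 10.255.0.1;
        source-region none;
        to trust;
        to-interface ;
        destination any;
        destination-region none;
        service 0:any/any/any;
        connected-gw-ip ::
        terminal no;
}
"GPCS-infra-sc-nat-rule; index: 5" {
        nat-type ipv4;
        from [ trust inter-fw ];
        source [ 10.255.0.0/24 ];
        source-region none;
        to trust;
        to-interface ;
        destination any;
        destination-region none;
        service 0:any/any/any;
        connected-gw-ip ::
        translate-to "src: 192.0.2.1-192.0.2.254 (dynamic-ip-and-port) (pool idx: 6)";
        terminal no;
}
'''

# Rule block header, e.g.  "GPCS-infra-sc-nat-rule; index: 5" {
RULE_HEADER = re.compile(r'^"(?P<name>[^;]+); index: (?P<index>\d+)" \{$')


def parse_nat_policy(text):
    """Parse rule blocks into dicts with name, index, source networks and translate-to.

    Only the fields needed for a source lookup are kept; a rule without a
    translate-to clause is treated as a no-NAT rule.
    """
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = RULE_HEADER.match(line)
        if header:
            current = {"name": header.group("name"), "index": int(header.group("index")),
                       "sources": [], "translate_to": None}
            rules.append(current)
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            continue
        key, _, value = line.partition(" ")
        value = value.rstrip(";").strip()
        if key == "source":
            # Either a single address ("source 10.255.0.1;") or a list ("source [ a b ];").
            tokens = value.strip("[]").split()
            current["sources"] = [ipaddress.ip_network(t, strict=False) for t in tokens]
        elif key == "translate-to":
            current["translate_to"] = value.strip('"')
    # Rules are evaluated in index order, lowest first.
    return sorted(rules, key=lambda r: r["index"])


def evaluate(rules, src_ip):
    """First-match lookup: return (matching rule name, translated?) or (None, False)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if any(addr in net for net in rule["sources"]):
            return rule["name"], rule["translate_to"] is not None
    return None, False


def evaluate_without(rules, rule_name, src_ip):
    """Same lookup with one rule removed, to show what the no-NAT rule is protecting."""
    return evaluate([r for r in rules if r["name"] != rule_name], src_ip)


if __name__ == "__main__":
    policy = parse_nat_policy(SAMPLE_NAT_POLICY)
    for src in ("10.255.0.1", "10.255.0.77"):
        print(src, "->", evaluate(policy, src))
    print("without no-NAT rule:", evaluate_without(policy, "GPCS-sc-loopback-no-nat-rule", "10.255.0.1"))
```

Running it shows the loopback address matching the index 3 rule with no translation, any other address in the infrastructure range matching the index 5 rule and being translated, and, once the no-NAT rule is dropped, the loopback falling through to the NAT rule, which is the behaviour the exclusion exists to prevent.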
Resolution
Traffic sourced from the SC SPN's own infrastructure (loopback) address is deliberately excluded from source NAT by the no-NAT rule, because tunnel monitoring uses this address and it must not be translated.
The option works as designed for infrastructure IPs coming from remote networks (RNs) and mobile user gateways (MU GWs). Because a service connection is not normally expected to enforce security policy, the impact of the untranslated SC address should be trivial.