Firewall Erroneously Replies to Arp Request for Every IP Within The Interface's Network After Adding Bi-directional Source NAT

Created On 01/29/23 21:53 PM - Last Modified 10/31/25 18:29 PM


Environment


  • All PAN-OS
  • All Platforms


Cause


This issue can be caused by a misconfigured NAT policy in which the translated source IP is entered with the interface's network mask instead of as a single host address.
In the example below, the translated IP is 10.10.10.10 with a source mask of /24, and Bi-directional is enabled.
[Screenshot: NAT rule with translated address 10.10.10.10/24 and Bi-directional enabled]

In this configuration the firewall, in addition to applying a source NAT, also applies a destination NAT for 10.10.10.10.
When a destination NAT is configured on the firewall, it replies to ARP requests made for any IP address within the translated IP network.
In this example, the firewall will therefore reply to any ARP request for an address in 10.10.10.0/24.





Resolution


To resolve this issue, ensure the translated IP includes only the intended host IP, or a mask that covers only the IPs that are expected to receive the destination NAT.
In this example a single host IP was intended, so we remove the mask and configure only the host IP 10.10.10.10.
[Screenshot: NAT rule with translated address 10.10.10.10 (no mask) and Bi-directional enabled]
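The following audit script is an added example and is not Palo Alto Networks code. It models a static source-NAT rule with the two fields the article discusses (translated address and the Bi-directional flag), computes the address range for which the implied destination NAT would make the firewall answer ARP, and reports when that range is wider than the intended host or overlaps other hosts on the interface's subnet. The rule and interface values are constructed from the article's example; the class and function names are this example's own.

```python
"""Audit static source-NAT rules whose translated address carries a network mask.

Added example, not Palo Alto Networks code. A bi-directional static source NAT
also creates a destination NAT for the translated address; when that address is
entered with a mask, the firewall answers ARP for the whole translated network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticSourceNatRule:
    name: str
    translated_address: str   # host or host/prefix exactly as typed in the policy
    bidirectional: bool


def implied_dnat_scope(rule):
    """Return the network the firewall will answer ARP for because of the
    destination NAT implied by this rule, or None for a source-only rule."""
    if not rule.bidirectional:
        return None
    # strict=False so "10.10.10.10/24" yields 10.10.10.0/24 rather than raising
    return ipaddress.ip_network(rule.translated_address, strict=False)


def audit_rule(rule, intended_hosts, interface_network):
    """Return a list of finding strings; an empty list means the rule is as intended.

    intended_hosts: addresses that should receive the destination NAT.
    interface_network: the address/mask configured on the firewall interface.
    """
    findings = []
    scope = implied_dnat_scope(rule)
    if scope is None:
        return findings

    intended = {ipaddress.ip_address(h) for h in intended_hosts}
    claimed = set(scope)            # every address in the translated network
    unintended = claimed - intended
    if unintended:
        findings.append(
            f"{rule.name}: translated address {rule.translated_address} with "
            f"Bi-directional makes the firewall claim {len(unintended)} address(es) "
            f"beyond the intended host(s), e.g. {min(unintended)}"
        )

    iface = ipaddress.ip_network(interface_network, strict=False)
    if scope.num_addresses > 1 and scope.overlaps(iface):
        findings.append(
            f"{rule.name}: translated network {scope} overlaps interface subnet "
            f"{iface}; the firewall will answer ARP for other hosts on that segment"
        )
    return findings


if __name__ == "__main__":
    # Constructed values taken from the article's example.
    misconfigured = StaticSourceNatRule("src-nat-1", "10.10.10.10/24", True)
    corrected = StaticSourceNatRule("src-nat-1", "10.10.10.10", True)
    for rule in (misconfigured, corrected):
        result = audit_rule(rule, ["10.10.10.10"], "10.10.10.1/24")
        print(rule.translated_address, "->", result or "OK")
```

Running the script prints two findings for the /24 version of the rule and "OK" for the host-only version. The same check can be run over an exported rulebase to catch every bi-directional rule whose translated address carries a mask.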


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sahJCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail