NAT Troubleshooting
paloalto nat troubleshooting networking
NAT Processing Order
1. Destination NAT (on ingress)
2. Security Policy lookup (post-DNAT addresses)
3. Source NAT (on egress)
Key Point: Security policy sees post-DNAT destination but pre-SNAT source.
NAT Types
| Type | Use Case | Direction |
|---|---|---|
| Source NAT | Hide internal IPs, outbound internet | Outbound |
| Destination NAT | Expose internal servers, port forwarding | Inbound |
| U-Turn NAT | Hairpin, internal to internal via public IP | Internal |
| Bi-Directional | Static 1:1 mapping both directions | Both |
CLI Commands
View NAT Rules
# Show NAT policy (configured)
show running nat-policy
# Show NAT rules by type
show running nat-policy type source-nat
show running nat-policy type destination-nat
# Show specific rule
show running nat-policy rule <rule-name>View NAT Rule Hit Counts
# All NAT rules
show rule-hit-count vsys <vsys> nat rules all
# Specific rule
show rule-hit-count vsys <vsys> nat rules <rule-name>View Active NAT Sessions
# All NAT sessions
show session all filter nat any
# Source NAT sessions
show session all filter nat source
# Destination NAT sessions
show session all filter nat destination
# Sessions for specific translated IP
show session all filter destination-nat-ip <IP>
show session all filter source-nat-ip <IP>Check NAT Pool Utilization
# Show dynamic IP pool usage
show running ippool
# Show specific pool
show running resource-pool <pool-name>
# Dynamic IP and Port (DIPP) stats
show counter global filter delta yes | match dippTroubleshooting Workflow
Step 1: Verify NAT Rule Match
# Check if NAT rule is hit
show rule-hit-count vsys vsys1 nat rules allIf hit count is 0:
- Check zone matching (source-zone, destination-zone)
- Check address matching (original packet addresses)
- Check service matching (original destination port)
Step 2: Verify Session Creation
# Find session for traffic
show session all filter source <src-ip> destination <dst-ip>
# Check session details
show session id <session-id>Look for:
nat-source- Source translation appliednat-dst- Destination translation appliednat-sport- Translated source portnat-dport- Translated destination port
Step 3: Check Counter for Errors
# NAT-related counters
show counter global filter category nat severity drop
# All NAT counters
show counter global filter delta yes | match natCommon error counters:
| Counter | Meaning |
|---|---|
nat_noroute | No route to translated destination |
nat_alloc_fail | IP/port allocation failed |
nat_resource_unavail | NAT resources exhausted |
nat_bidir_conflict | Bi-directional NAT conflict |
Common Issues
Issue: Source NAT Not Applied
Symptoms: Sessions show no nat-source
Check:
# Verify source NAT rule
show running nat-policy type source-nat
# Check rule order (first match wins)
show running nat-policyCommon causes:
- Rule not matching (zone, address, service)
- Another rule matching first
- No-NAT rule matching
Issue: Destination NAT Not Working
Symptoms: Inbound connections fail, no sessions
Check:
# Verify DNAT rule
show running nat-policy type destination-nat
# Check security policy (uses post-DNAT destination)
show running security-policy from <zone> to <zone>Common causes:
- Security policy uses pre-DNAT address (should be post-DNAT)
- Missing return route for translated traffic
- DNAT rule not matching service (port)
Issue: NAT Pool Exhausted
Symptoms: New connections fail, nat_alloc_fail counter increasing
Check:
# Check pool usage
show running ippool
# Check DIPP oversubscription
show counter global filter delta yes | match dippSolutions:
- Add more IPs to NAT pool
- Use larger port range
- Enable port oversubscription
- Reduce session timeouts
Issue: Hairpin/U-Turn NAT Not Working
Scenario: Internal client → Public IP → Internal server (same firewall)
Requirements:
- Destination NAT rule: public-ip → internal-server-ip
- Source NAT rule: client-ip → firewall-interface-ip (for return traffic)
- Security rule: Allow internal-zone → internal-zone
┌─────────┐ ┌──────────┐ ┌────────────┐
│ Client │ ───> │ Firewall │ ───> │ Server │
│ 10.1.1.5│ │ │ │ 10.1.1.100 │
└─────────┘ └──────────┘ └────────────┘
│ ▲
└───────── 203.0.113.50 ───────────┘
(Public IP)
NAT Rules needed:
- DNAT: dst 203.0.113.50 → 10.1.1.100
- SNAT: src 10.1.1.0/24 → egress-interface (for return path)
Issue: Asymmetric Routing
Symptoms: Sessions time out, TCP RSTs
Check:
show session all filter source <ip> state discard
show counter global filter delta yes | match flow_tcpSolutions:
- Enable asymmetric path support (if appropriate)
- Fix routing to ensure symmetric paths
- Configure zone protection for asymmetric traffic
NAT Rule Examples
Outbound SNAT (Internet Access)
# Hide internal behind interface IP
set rulebase nat rules outbound-snat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1Inbound DNAT (Port Forwarding)
# Forward HTTPS to internal server
set rulebase nat rules inbound-https from untrust to untrust source any destination <public-ip> service service-https destination-translation translated-address 10.1.1.100 translated-port 443Static Bi-Directional NAT
# 1:1 mapping both directions
set rulebase nat rules bidir-server from any to any source 10.1.1.100 destination any bi-directional yes source-translation static-ip translated-address 203.0.113.100Session Details Explained
show session id <id>Session ID: 12345
c2s: 10.1.1.5[54321] -> 203.0.113.50[443]
nat: 10.1.1.5[54321] -> 10.1.1.100[443] ← DNAT applied
s2c: 10.1.1.100[443] -> 10.1.1.5[54321]
nat: 203.0.113.50[443] -> 10.1.1.5[54321] ← Reverse NAT
Fields:
c2s: Client-to-server flow (original)s2c: Server-to-client flow (response)nat: Translated addresses/ports