NAT Troubleshooting

paloalto nat troubleshooting networking


NAT Processing Order

1. Destination NAT (on ingress)
2. Security Policy lookup (post-DNAT addresses)
3. Source NAT (on egress)

Key Point: Security policy sees post-DNAT destination but pre-SNAT source.


NAT Types

TypeUse CaseDirection
Source NATHide internal IPs, outbound internetOutbound
Destination NATExpose internal servers, port forwardingInbound
U-Turn NATHairpin, internal to internal via public IPInternal
Bi-DirectionalStatic 1:1 mapping both directionsBoth

CLI Commands

View NAT Rules

# Show NAT policy (configured)
show running nat-policy
 
# Show NAT rules by type
show running nat-policy type source-nat
show running nat-policy type destination-nat
 
# Show specific rule
show running nat-policy rule <rule-name>

View NAT Rule Hit Counts

# All NAT rules
show rule-hit-count vsys <vsys> nat rules all
 
# Specific rule
show rule-hit-count vsys <vsys> nat rules <rule-name>

View Active NAT Sessions

# All NAT sessions
show session all filter nat any
 
# Source NAT sessions
show session all filter nat source
 
# Destination NAT sessions
show session all filter nat destination
 
# Sessions for specific translated IP
show session all filter destination-nat-ip <IP>
show session all filter source-nat-ip <IP>

Check NAT Pool Utilization

# Show dynamic IP pool usage
show running ippool
 
# Show specific pool
show running resource-pool <pool-name>
 
# Dynamic IP and Port (DIPP) stats
show counter global filter delta yes | match dipp

Troubleshooting Workflow

Step 1: Verify NAT Rule Match

# Check if NAT rule is hit
show rule-hit-count vsys vsys1 nat rules all

If hit count is 0:

  • Check zone matching (source-zone, destination-zone)
  • Check address matching (original packet addresses)
  • Check service matching (original destination port)

Step 2: Verify Session Creation

# Find session for traffic
show session all filter source <src-ip> destination <dst-ip>
 
# Check session details
show session id <session-id>

Look for:

  • nat-source - Source translation applied
  • nat-dst - Destination translation applied
  • nat-sport - Translated source port
  • nat-dport - Translated destination port

Step 3: Check Counter for Errors

# NAT-related counters
show counter global filter category nat severity drop
 
# All NAT counters
show counter global filter delta yes | match nat

Common error counters:

CounterMeaning
nat_norouteNo route to translated destination
nat_alloc_failIP/port allocation failed
nat_resource_unavailNAT resources exhausted
nat_bidir_conflictBi-directional NAT conflict

Common Issues

Issue: Source NAT Not Applied

Symptoms: Sessions show no nat-source

Check:

# Verify source NAT rule
show running nat-policy type source-nat
 
# Check rule order (first match wins)
show running nat-policy

Common causes:

  • Rule not matching (zone, address, service)
  • Another rule matching first
  • No-NAT rule matching

Issue: Destination NAT Not Working

Symptoms: Inbound connections fail, no sessions

Check:

# Verify DNAT rule
show running nat-policy type destination-nat
 
# Check security policy (uses post-DNAT destination)
show running security-policy from <zone> to <zone>

Common causes:

  • Security policy uses pre-DNAT address (should be post-DNAT)
  • Missing return route for translated traffic
  • DNAT rule not matching service (port)

Issue: NAT Pool Exhausted

Symptoms: New connections fail, nat_alloc_fail counter increasing

Check:

# Check pool usage
show running ippool
 
# Check DIPP oversubscription
show counter global filter delta yes | match dipp

Solutions:

  • Add more IPs to NAT pool
  • Use larger port range
  • Enable port oversubscription
  • Reduce session timeouts

Issue: Hairpin/U-Turn NAT Not Working

Scenario: Internal client → Public IP → Internal server (same firewall)

Requirements:

  1. Destination NAT rule: public-ip → internal-server-ip
  2. Source NAT rule: client-ip → firewall-interface-ip (for return traffic)
  3. Security rule: Allow internal-zone → internal-zone
┌─────────┐      ┌──────────┐      ┌────────────┐
│ Client  │ ───> │ Firewall │ ───> │ Server     │
│ 10.1.1.5│      │          │      │ 10.1.1.100 │
└─────────┘      └──────────┘      └────────────┘
     │                                   ▲
     └───────── 203.0.113.50 ───────────┘
                  (Public IP)

NAT Rules needed:

  • DNAT: dst 203.0.113.50 → 10.1.1.100
  • SNAT: src 10.1.1.0/24 → egress-interface (for return path)

Issue: Asymmetric Routing

Symptoms: Sessions time out, TCP RSTs

Check:

show session all filter source <ip> state discard
show counter global filter delta yes | match flow_tcp

Solutions:

  • Enable asymmetric path support (if appropriate)
  • Fix routing to ensure symmetric paths
  • Configure zone protection for asymmetric traffic

NAT Rule Examples

Outbound SNAT (Internet Access)

# Hide internal behind interface IP
set rulebase nat rules outbound-snat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

Inbound DNAT (Port Forwarding)

# Forward HTTPS to internal server
set rulebase nat rules inbound-https from untrust to untrust source any destination <public-ip> service service-https destination-translation translated-address 10.1.1.100 translated-port 443

Static Bi-Directional NAT

# 1:1 mapping both directions
set rulebase nat rules bidir-server from any to any source 10.1.1.100 destination any bi-directional yes source-translation static-ip translated-address 203.0.113.100

Session Details Explained

show session id <id>
Session ID: 12345
        c2s: 10.1.1.5[54321] -> 203.0.113.50[443]
        nat: 10.1.1.5[54321] -> 10.1.1.100[443]  ← DNAT applied

        s2c: 10.1.1.100[443] -> 10.1.1.5[54321]
        nat: 203.0.113.50[443] -> 10.1.1.5[54321]  ← Reverse NAT

Fields:

  • c2s: Client-to-server flow (original)
  • s2c: Server-to-client flow (response)
  • nat: Translated addresses/ports