topic Re: NAT rule in Next-Generation Firewall Discussions

NAT rule

jeromecarrier — Fri, 28 Oct 2022 12:20:00 GMT

Hello

I have a problem. I have a firewall Palo Alto. Eth1 (20.74.34.3) is configured on public zone and eht1/2 is configured in the internal zone (10.110.0.4). Inside the internal network, I have a dmz subnet 10.111.0.0/24 where I have 2 web servers for application (app1 10.111.0.10 and app2 10.111.0.11)

How I can configure the NAT rule to access these web server from computers connected on Internet ?

Regards

Re: NAT rule

murali438 — Tue, 01 Nov 2022 07:35:04 GMT

You can either use bidirectional NAT or create two NAT rules for this.

Bi-Directional NAT:
++++++++++++++++++++

Source Zone : DMZ
Dest Zone : INTERNET
Source IP : 10.111.0.10
Source Translated IP : <SRV_PUBLIC_IP>
Bi-directional : Yes
Destination : Any

Limitations:
+++++++++++

1.This creates an automated NAT rule for the reverse flow with source Zone as "Any"
2.You can't use DNS Rewrite

Two NAT Rules
++++++++++++++

Source Zone : DMZ
Dest Zone : INTERNET
Source IP : 10.111.0.10
Source Translated IP : <SRV_PUBLIC_IP>
Bi-directional : No
Destination IP : Any
Destination Translated IP : None

Source Zone : INTERNET
Dest Zone : INTERNET
Source IP : Any
Source Translated IP : None
Bi-directional : No
Destination IP : <SRV_PUBLIC_IP>
Destination Translated IP : 10.111.0.10

Re: NAT rule

jeromecarrier — Tue, 01 Nov 2022 10:30:35 GMT

@murali438 wrote:

You can either use bidirectional NAT or create two NAT rules for this.

Bi-Directional NAT:
++++++++++++++++++++

Source Zone : DMZ
Dest Zone : INTERNET
Source IP : 10.111.0.10
Source Translated IP : <SRV_PUBLIC_IP>
Bi-directional : Yes
Destination : Any

Limitations:
+++++++++++

1.This creates an automated NAT rule for the reverse flow with source Zone as "Any"
2.You can't use DNS Rewrite

Two NAT Rules
++++++++++++++

Source Zone : DMZ
Dest Zone : INTERNET
Source IP : 10.111.0.10
Source Translated IP : <SRV_PUBLIC_IP>
Bi-directional : No
Destination IP : Any
Destination Translated IP : None

Source Zone : INTERNET
Dest Zone : INTERNET
Source IP : Any
Source Translated IP : None
Bi-directional : No
Destination IP : <SRV_PUBLIC_IP>
Destination Translated IP : 10.111.0.10

Hello,

Thank you. Is it possible to create the NAT rule based in the fqdn to be sûre, that the access to the internal application will only work and match if user uses https://application1.mycompany.com or htpps://application2.mycompany.com ? Because as I share the same IP public for each application (each application has the Palo Alto IP public, 20.74.34.3, as a reverse proxy), what's happening if users uses htpps://20.74.34.3 ?

Re: NAT rule

murali438 — Tue, 01 Nov 2022 10:58:48 GMT

Hello please check this

Solved: LIVEcommunity - NAT based on URL or FQDN - LIVEcommunity - 31709 (paloaltonetworks.com)

Re: NAT rule

jeromecarrier — Tue, 01 Nov 2022 11:04:41 GMT

To be sûre to understand, the PA must be able to resolve the fqdn with the public IP (application1.company.com=20.74.34.3) peut with the private IP (application1.company.com=10.111.0.4)?