topic Re: Bi-Directional NAT using DMZ instead of Outside interface in General Topics https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-using-dmz-instead-of-outside-interface/m-p/14062#M10329 <HTML><HEAD></HEAD><BODY><P>So, I got access to a PAN FW that I could use for testing and answered my question.&nbsp; For anyone else who happens across the issue here's what I found.</P><P></P><P>You can't use the bi-direction button.&nbsp; You have to create separate NATs for the DNAT &amp; SNAT portions.</P><P></P><P>These are the NAT configs to be as close to bi-directional as possible.&nbsp; Outside IP is 2.2.2.2 and the inside server IP is 192.168.10.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Static</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; NAT IP (bi-drectional = no)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.2&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.2</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Translated&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Translated</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Port</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DMZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.10.2&nbsp;&nbsp;&nbsp;&nbsp; any</P><P></P><P>For the SNAT using a single IP NAT pool:</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NAT IP (dynamic IP &amp; port)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.0.1/24&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.3</P><P></P><P>The security policies listed above are correct.</P></BODY></HTML> Sat, 26 Apr 2014 14:19:22 GMT CafNetMatt 2014-04-26T14:19:22Z Bi-Directional NAT using DMZ instead of Outside interface https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-using-dmz-instead-of-outside-interface/m-p/14061#M10328 <HTML><HEAD></HEAD><BODY><P>The reason for this post is I'm collapsing 2 ASA that are configured one in front of the other into a single PANW firewall.&nbsp; The DMZ interface on the inside ASA is technically treated as the "outside" interface.&nbsp; All NAT is performed on this DMZ interface.&nbsp; After the collapse, the DMZ interface will still exist but a true Outside interface will not be there.&nbsp; NAT has to stay associated with the DMZ IP space because we only have a /30 for the Outside interface.</P><P></P><P>From reading the NAT Tech Note I think I understand this but wanted to run it by here just in case.</P><P></P><P>3 interfaces.&nbsp; Assume these are the zone names as well:</P><P>Inside&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.1/24</P><P>DMZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.1/24</P><P>Outside&nbsp;&nbsp;&nbsp; 1.1.1.1/30</P><P>Wireless&nbsp;&nbsp; 172.16.0.1/24</P><P></P><P>DMZ addresses are public IPs.</P><P>DMZ has servers assigned with IPs in this address space.&nbsp; The rest of the address space is used for bi-directional NAT.</P><P>Outside interface is the default route to the Internet.</P><P>Regular inside traffic going to the Internet is SNAT'ed via the Outside interface IP.</P><P>Wireless traffic going to the Internet uses a DMZ address for SNAT dynamic IP &amp; port.</P><P></P><P>Creating a bi-directional NAT with the NAT address of 2.2.2.2 for internal server IP 192.168.0.2 would be:</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Static</P><P>Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; NAT IP (bi-drectional = yes)</P><P>Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.2&nbsp;&nbsp;&nbsp;&nbsp; DMZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.2</P><P></P><P>For the Wireless subnet SNAT using 2.2.2.3, it would be:</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; NAT IP (dynamic IP &amp; port)</P><P>Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.0.1/24&nbsp;&nbsp;&nbsp;&nbsp; DMZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.3</P><P></P><P>The Dst Zone would be DMZ because when the route lookup is performed, the closest route is the directly connected route for the DMZ interface.</P><P></P><P>The Security Policy allowing Internet traffic to reach the internal server would be:</P><P></P><P>Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; Dst IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.2&nbsp;&nbsp;&nbsp;&nbsp; Allow</P><P>Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.2&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow</P><P></P><P>The security policy for the Wireless traffic would be:</P><P></P><P>Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; Dst IP&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>Wireless&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow</P><P></P><P>Am I understanding this correctly?</P><P></P><P>Thanks.</P><P></P><P>Message was edited by: Matt Ausmus Updated to add wireless SNAT dynamic IP and port</P></BODY></HTML> Fri, 18 Apr 2014 22:44:13 GMT https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-using-dmz-instead-of-outside-interface/m-p/14061#M10328 CafNetMatt 2014-04-18T22:44:13Z Re: Bi-Directional NAT using DMZ instead of Outside interface https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-using-dmz-instead-of-outside-interface/m-p/14062#M10329 <HTML><HEAD></HEAD><BODY><P>So, I got access to a PAN FW that I could use for testing and answered my question.&nbsp; For anyone else who happens across the issue here's what I found.</P><P></P><P>You can't use the bi-direction button.&nbsp; You have to create separate NATs for the DNAT &amp; SNAT portions.</P><P></P><P>These are the NAT configs to be as close to bi-directional as possible.&nbsp; Outside IP is 2.2.2.2 and the inside server IP is 192.168.10.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Static</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; NAT IP (bi-drectional = no)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.2&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.2</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Translated&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Translated</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp; Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Port</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DMZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.10.2&nbsp;&nbsp;&nbsp;&nbsp; any</P><P></P><P>For the SNAT using a single IP NAT pool:</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Src Zone&nbsp;&nbsp;&nbsp;&nbsp; Src IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst Zone&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NAT IP (dynamic IP &amp; port)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.0.1/24&nbsp;&nbsp;&nbsp;&nbsp; Outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2.2.2.3</P><P></P><P>The security policies listed above are correct.</P></BODY></HTML> Sat, 26 Apr 2014 14:19:22 GMT https://live.paloaltonetworks.com/t5/general-topics/bi-directional-nat-using-dmz-instead-of-outside-interface/m-p/14062#M10329 CafNetMatt 2014-04-26T14:19:22Z