topic Re: Port Forwarding/NAT Issues in General Topics

Port Forwarding/NAT Issues

wallbert — Sat, 16 Apr 2022 20:56:20 GMT

I just set up my PA-200 and I'm trying to get my Plex server (on my LAN) to be accessible via WAN. I don't think I fully understand how NAT and security policies intertwine so I'm rather confused

I'm able to get LAN traffic outbound, but for one reason or another, I can't seem to get either my NAT or security policies correct to allow traffic in to my Plex server

I'm not sure what information to post, but I would appreciate some guidance on this

Re: Port Forwarding/NAT Issues

aleksandar.astardzhiev — Sun, 17 Apr 2022 07:05:43 GMT

Hi @wallbert

Creating rules and NAT for inbound traffic with Palo Alto FW can be confusing at the beginning, but everything will make sense once you understand the order of operations.

- PAN FW is dermining the destination zone using route lookup - it will check its routing table for the destination address and see which zone will be used to egress the traffic

- In general when packet hits PAN FW it will apply the following order

Evaluating the NAT policies - only check if NAT is required, but without applying it
Perform security rule lookup - will check if traffic is matching this traffic
Apply NAT if any and forward the traffic

Each policy lookup (nat and security) is performing route lookup - the NAT rules will try to find destination zone for the public IP address (before the NAT being applied). Because your public NAT address is part of the public network assigned to the FW outside interface (or it is part of additional public range routed to your FW, which does not existing in your network) route lookup will match the default toute - FW will associate the public NAT ip with your outside zone.

Security policy lookup will again perform route lookup, but it already know that destination NAT will be applied, so it will check how NATed (private address) will be routed and use that zone as destination. But since the NAT is not yet applied, packet is still using the public IP.

Re: Port Forwarding/NAT Issues

TomYoung — Sun, 17 Apr 2022 22:21:38 GMT

Hi @wallbert ,

Here is an article with NAT and security policy examples to show you how to do it.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

Thanks,

Tom

PS In the security policy, pre-NAT IP and post-NAT everything else.

Re: Port Forwarding/NAT Issues

wallbert — Wed, 20 Apr 2022 16:07:25 GMT

Thank you for the detailed explanation. I've found that my Palo doesn't support uPnP, which I require for my network for gaming, so I will end up using the Palo in a lab environment instead