topic Re: we need a static fro one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source in General Topics

We need a static Nat from one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

cosmith8000 — Tue, 24 May 2022 21:00:16 GMT

We need to create a Policy to allow traffic in from a partner that needs to monitor Our Servers.

Outside IP will be one say xx.xx.xx.5 they need to hit 10 diffrent servers on the inside of our network 192.168.1.101-110

THey want to send traffic to 21001 - 21002 and have it changed to 5666 on the inside. i have tried about everythign I can think of.

so outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21001 We translate that to 192.168.1.101 port 5666

outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21002 We translate that to 192.168.1.102 port 5666

outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21003 We translate that to 192.168.1.103 port 5666

outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21004 We translate that to 192.168.1.104 port 5666

Can someone point me in the right direction.

Re: we need a static fro one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

Adrian_Jensen — Tue, 24 May 2022 18:10:27 GMT

I haven't done exactly this, but I would suspect it would be something like:

Create custom destination service port objects for non-standard ports:

Objects -> Services -> Add

Monitor_TCP5666 - protocol=TCP, dst_port=5666

Monitor_TCP21001 - protocol=TCP, dst_port=21001

Monitor_TCP21002 - protocol=TCP, dst_port=21002

...

Create your NAT rules:

Policies -> NAT -> Add

Vendor_Monitor_1 - src_zone=Untrust, dst_zone=Untrust, service=Monitor_TCP21001,

src_addr=192.0.2.5, dst_addr=198.51.100.88,

dst_tranlation=staticIP, translated_addr=192.168.1.101 translated_port=5666

Vendor_Monitor_2 - src_zone=Untrust, dst_zone=Untrust, service=Monitor_TCP21002,

src_addr=192.0.2.5, dst_addr=198.51.100.88,

dst_tranlation=staticIP, translated_addr=192.168.1.102 translated_port=5666

...

Create your Security rules:

Policies -> Security -> Add

Remote_Vendor_Monitoring - src_zone=Untrust, src_addr=192.0.2.5,

dst_zone=DMZ, dst_addr=192.168.1.101,192.168.1.102,...,

service=Monitor_TCP5666, action=allow

Re: we need a static fro one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

cosmith8000 — Tue, 24 May 2022 18:47:26 GMT

Thanks so much for the Reply.

This is almost exactly what I have and it does not wqork at all.

The only diffrence is the DST ZONE is Inside not DMZ

I dont even see any traffic hit the Nat policy.

Re: we need a static fro one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

OtakarKlier — Tue, 24 May 2022 19:30:13 GMT

Hello,

The vendor will need to use different ports for the different internal servers, otherwise the PAN doesnt know where to send the traffic to. Try the following:

Uni-directional policy https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

Regards,

Re: we need a static fro one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

Adrian_Jensen — Tue, 24 May 2022 20:12:25 GMT

If you run a Test Policy Match from the NAT Policy page, does it show that it matches the NAT rule? The NAT policy rule should be src and dst zone for the public interface. Security policy rule should shoud src zone for the public, dst zone for your internal.

Re: We need a static Nat from one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

cosmith8000 — Tue, 24 May 2022 21:01:46 GMT

I finally got it to work. The Nat rule was correct, but on the Security policy I was allowing the Destinaltion IP to go to the externall IP.

I changed it to the inside IP and it worked. that does not match other Nat policies I have working..

Re: We need a static Nat from one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

TomYoung — Tue, 24 May 2022 21:01:44 GMT

Hi @Adrian_Jensen ,

The PANW NGFW can easily do that. Here is an excellent video -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW. It also has a bonus video on the relationship between the NAT and security policies. For the security policy, "pre-NAT IP address and post-NAT everything else." The reason for that rule is that the security policy is checked before NAT is implemented, but after the NAT lookup of the destination zone is done. (NAT is performed on egress.)

Thanks,

Tom