MS-RDP NAT Issue

PurchasingMgr — Tue, 23 Oct 2012 17:15:57 GMT

I am trying to create a static destination NAT to enable RDP access on port 3389 for one of my internal servers, but no matter what I try, it just doesn't seem to work. I've read through several KB articles as well as https://live.paloaltonetworks.com/docs/DOC-1517 and I've set everything up as it seems it should be, yet no NAT session is ever created.

My policies:

NAT:

Policy 1:

Original Packet:

Source Zone: untrust

Destination Zone: untrust

Destination Interface: eth 1/1 (interface ip is 1.2.3.170/29)

Service: Any

Source Address: Any

Destination Address: 1.2.3.172

Translated Packet:

Source Address Translation: None

Destination Address Translation:

Translated Address: 172.16.200.11

Translated Port: <blank>

Policy 2:

Original Packet:

Source Zone: trust

Destination Zone: untrust

Destination Interface: any

Service: any

Source Address: 172.16.200.11

Destination Address: any

Translated Packet:

Source Address Translation:

Translation Type: Static IP

Translated Address: 1.2.3.172

Bi-directional: no (can't even find documentation on what this is, but I know it's supposed to be "no")

Destination Address Translation: None

Policy 3: Dynamic NAT policy that works properly.

Security:

Rule 1:

Source Zone: untrust

Source Address: any

User: any

Destination Zone: trust

Destination Address: 172.16.200.11

Application: Remote Desktop (Application group with ms-rdp and t.120, though I've also tried with "Any")

Service: Any

Action: Allow

Log: both start and end

The outbound NAT (Policy 2) portion works perfectly, and my internal server's source address is properly translated to the external address specified. The Inbound NAT, however, does not work at all. I don't see any security flows in the logs or anything else.

I know I'm probably missing something simple, I just can't seem to figure out what that is.

Thanks in advance for any assistance in why this doesn't seem to be working.

Re: MS-RDP NAT Issue

gswcowboy — Tue, 23 Oct 2012 17:19:36 GMT

Utilize the public ip address of the server (Destination Address: 172.16.200.11) in your security policy.

Re: MS-RDP NAT Issue

PurchasingMgr — Tue, 23 Oct 2012 17:23:17 GMT

It's a little illogical, but it seemed to work.

It's my understanding that security rules are executed after the NAT rule (hence why your destination zone is "trust"). Why would the destination address be the external address if it's supposed to have already been translated?

Re: MS-RDP NAT Issue

gswcowboy — Tue, 23 Oct 2012 17:46:00 GMT

Took time for me to get this down as well but essentially, 'The addresses in the security policy refer to the IP address in the original packet i.e. the pre translated address. However the destination zone is the zone where the end host is physically connected."

Re: MS-RDP NAT Issue

PurchasingMgr — Tue, 23 Oct 2012 18:27:26 GMT

Ahh, I see. That makes a bit more sense.

Thanks for the help.

topic Re: MS-RDP NAT Issue in General Topics

MS-RDP NAT Issue

Re: MS-RDP NAT Issue

Re: MS-RDP NAT Issue

Re: MS-RDP NAT Issue

Re: MS-RDP NAT Issue