topic Re: Configuring DNAT on PA-820 in General Topics

Configuring DNAT on PA-820

KGH0511 — Fri, 25 Aug 2023 13:38:55 GMT

Hi All.

I'm running into a bit of difficulty for setting up a DNAT configuration on my PA-820. Essentially what I want to do is remotely access an iMac workstation from outside the LAN. However, I don't want to advertise port 5900 I want to setup port translation from 2485 to 5900 to a particular host on the LAN.

I've created a DNAT rule as follows;

Original Packet;

Src Zone: Internet-Untrust

Dst Zone: Internet-Untrust

Dst Interface: Ethernet 1/7 (Interface with internet connection)

Service: Inbound VNC on port 2485 (a service I created)

Src Address: Any

Dst Address: Public IP of the the interface Ethernet 1/7 above

Translated Packet;

Translation type: Static IP

Translation Address: Address of internal PC that requires remote access

Translated Port: 5900 (VNC)

I then created a security policy rule as follows;

Src Zone: Internet-Untrust

Src Address: Any

Src User: Any

Src Device: Any

Dst Zone: Internal-Trust

Dst Address: Address of internal host require remote access

Application: Any

Service / URL Category: Inbound VNC on port 2485 (custom created service)

I've essentially been looking to do whats oulined in the below tutorial but the inverse

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW

I am unable to connect from an external device, using port 2485 for remote access. When I make remote access attempts from I am unable to connect to the host. I see hits on the security rule and when I look at the monitor selecting the iMac I want to access as the dst address, I can see the external source, the correct destination IP, port 2485, Application says incomplete, action is allow, and the reson for the session end is - tcp-rst-from-server. I'm seeing hits on the security rule but nothing on the NAT rule.

Any input would be much appreciated

Re: Configuring DNAT on PA-820

TomYoung — Fri, 25 Aug 2023 19:24:16 GMT

Hi @KGH0511 ,

It is strange that you are getting hits on your security policy rule. The destination IP address should be the public IP address (pre-NAT). The service should be 5900 (post-NAT). Please see this doc. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

You could also try changing the destination interface to any in your NAT rule.

Thanks,

Tom

Re: Configuring DNAT on PA-820

KGH0511 — Sat, 26 Aug 2023 14:53:01 GMT

Hi Tom,

I've seen that document and have followed it exactly, and the NATing doesn't work.

Yes, I agree it is strange that it's hitting the security rule but not the DNAT rule.

I've made some changes and I'm now hitting the DNAT rule, but not the security rule.

The DNAT Rule is;

Original Packet;

Src Zone: Internet-Untrust

Dst Zone: Internet-Untrust

Dst Interface: Ethernet 1/7 (Interface with internet connection)

Service: Inbound VNC on port 2485 (a service I created)

Src Address: Any

Dst Address: Public IP of the the interface Ethernet 1/7 above

Translated Packet;

Translation type: Static IP

Translation Address: Address of internal PC that requires remote access

Translated Port: 5900 (VNC)

Security Policy Rule is -

Src Zone: Internet-Untrust

Src Address: Any

Src User: Any

Src Device: Any

Dst Zone: Internal-Trust

Dst Address: Address of internal host requiring remote access

Application: VNC

Service / URL Category: Application Default

I can see I'm getting hits on the NAT rule now and no hits on the security rule, no traffic appears under the traffic monitor.

Re: Configuring DNAT on PA-820

TomYoung — Sat, 26 Aug 2023 15:01:35 GMT

Hi @KGH0511 ,

Good! This is progress. As I mentioned before (and is mentioned in the doc I linked), the destination address in the security policy rule should be the public IP address from the NAT rule. Please try making that change and let me know if it works.

With regard to no traffic logs, did you enable logging for the interzone-default rule? You will need to use the Override button.

Thanks,

Tom

Re: Configuring DNAT on PA-820

KGH0511 — Sat, 26 Aug 2023 15:34:54 GMT

As I mentioned before (and is mentioned in the doc I linked), the destination address in the security policy rule should be the public IP address from the NAT rule. Please try making that change and let me know if it works.

Thanks for the rapid reply. I entered the public IP from the NAT rule into the destination address in the security policy rule and no change. Still getting hits on the NAT rule, nothing on the security rule and the below info on the monitor when I filter for the dst address i.e. the PC that I want to remotely access.

From Zone - Internet Untrust

To Zone - Internal Trust

Source - Source IP address of remote location that I'm testing from - which is correct.

Destination - IP address of PC on the LAN that I want to remotely control correct IP.

To Port - 2485 (Should be port 5900 after the port translation has been applied)

Application - Not applicable

Source Country - Switzerland

Action - Deny

Rule - Interzone-default

Session end Reason - Policy deny.

It would seem that the security rule is not even being hit. This happened after I entered the IP address of my public facing interface into the destination filed in the security policy.

Re: Configuring DNAT on PA-820

KGH0511 — Sat, 26 Aug 2023 15:54:30 GMT

Re: Configuring DNAT on PA-820

TomYoung — Sat, 26 Aug 2023 18:23:10 GMT

Hi @KGH0511 ,

I am glad that we got it working on the Zoom call. In hindsight, I think the culprit was the VNC service object was incorrect. That is used in the NAT rule. Once we fixed it, then the NAT started working fine. You should be able to remove tcp/2485 from the security policy rule now.

Thanks,

Tom

Re: Configuring DNAT on PA-820

KGH0511 — Sun, 27 Aug 2023 10:11:26 GMT

Hi Tom,

Thanks for your time and your valuable input.

Yes, I agree most likely the VNC service object wasn't correct. Oddly enough when I remove the tcp/2485 from the security policy the rule doesn't work and the remote host is not accessible. If I remove 5900 and leave 2485 it works. It's almost the inverse of what one would expect it to be.

Re: Configuring DNAT on PA-820

TomYoung — Sun, 27 Aug 2023 18:13:44 GMT

Hi @KGH0511 ,

Thank you for the feedback. That is the opposite of what I saw in the documentation, also. It does make sense the a NAT lookup is done on ingress, but the NAT is applied on egress. The NAT lookup is why the destination zone in the security policy rule is toward the server.

Have a great day!

Tom