topic Re: Static Port Address Translation question in General Topics

Static Port Address Translation question

JohnSturk — Fri, 22 Sep 2023 18:41:59 GMT

This configuration issue seems like it should be very easy to figure, but I have not performed this in the past and I cannot seem to figure it out.

We will have multiple devices on the trusted network, and I need to NAT them all to a single Public IP address using a different port number for each private device. All devices will utilize port 443 internally, but I need to do the port translation on the firewall. The devices are not capable of changing the service port number for HTTPS or HTTP. I have tried configuration info I have found in the support documents, but everything I see is just changing the port, from say port 443 to 8080 on the firewall and the end device is configured to utilize port 8080 for HTTPS. The configuration screenshots below are the current NAT and Security Policy and this works as far as just plain NAT is concerned. I need to be able to translate a port number such as 8080 coming in on the untrusted side to port 443 on the trusted side. Any help is appreciated. Thank you

Re: Static Port Address Translation question

TomYoung — Fri, 22 Sep 2023 21:18:34 GMT

Hi @JohnSturk ,

You have done all the hard work! You only need the ports now. Here is a document that is a good start, but missing a couple of items.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example

The NAT example should have an object tcp-80 (or service-http) for the Original Packet Service. It is very important when you create service objects for NAT that you specify the destination only, and not the source. (Unless, of course, you are NATing source ports which is uncommon.)
I would not leave the security policy rule service to any. I would put it tcp-8080 or service-http in that example. I believe the service in the security policy rule is pre-NAT like the IP.

Thanks,

Tom

Re: Static Port Address Translation question

JohnSturk — Tue, 26 Sep 2023 15:09:27 GMT

Hi Tom,

Thank you so much for your help. I have the NAT/Port solution functioning properly now. I overlooked your advice on setting the Destination Port only in the service object. This was my issue as I had a dumb moment when I set it up. I fixated on the NAT rule being incorrect that I did not look at the Service Object after I created it. I have the proper port numbers in the NAT rule, along with the allowed service in the security rule as well as the source IP address of the vendor that will need to access the devices. Thank you again for your input.

Re: Static Port Address Translation question

TomYoung — Tue, 26 Sep 2023 17:00:19 GMT

You're welcome!

I have seen that many times with customers.

Re: Static Port Address Translation question

craig.paluszcyk — Fri, 17 Apr 2026 13:02:45 GMT

@JohnSturk I know this post is several years old, but could you post updated screenshots of your solution? I'm looking at the same setup and given that the device is named ALGO in your setup, I think I may be trying to accomplish the same thing you did. We're trying to allow vendor access to our various ALGO paging adapters using a single IP.

Thanks

Re: Static Port Address Translation question

JohnSturk — Fri, 17 Apr 2026 13:41:46 GMT

This is the service I created

NAT rule

Security rule

I hope this helps.

Re: Static Port Address Translation question

craig.paluszcyk — Fri, 17 Apr 2026 15:26:41 GMT

Thanks. You've at least confirmed that my rules are set up correctly. I thought maybe the ports I was trying to use were the problem, but even trying 8501 isn't working for me. If I remove the port on the translation and the service port, it works fine. With those in place, it doesn't work.