topic Can't get NAT/Security rule to work with multiple ports in General Topics

Can't get NAT/Security rule to work with multiple ports

inSync-MarkValpreda — Wed, 26 Jun 2024 01:12:08 GMT

PA220 on PANOS 10.1.10-h5

Have an NVR that needs 6x ports accessible from the outside - 3 TCP and 3 UDP. I set up 6x new services and then put them into a service group called NVR Services.

Created a security rule 'Allow incoming to NVR' from untrust zone, any address, any user, any source device to the 'Camera' security zone, destination address of the outside static IP address as well as the internal IP address of the NVR. Application any (for now), and the rest just any, wide open. etc.

On the NAT rule

Original Packet tab
- Source zone: Untrust
- Destination zone: Untrust
- Destination interface: Any
- Service: NVR Services
- Source address: Any
- Destination address: Public IP
Translated Packet tab
- Source address translation: None
- Destination address translation
  - Translation type: Static
  - Translation type: Internal IP
  - Translated port: <blank>

On the security rule:

Source
- Zone: Untrust
- Rest: Any
Destination
- Zone: Cameras
- Address: Public IP and internal IP
- Device: Any
Application: Any
Service/URL: Any

I cannot connect when it is set as describe above. It will connect if I change NAT original packet, service to any.

It will also not connect if I leave the NAT service to any and change the security rule to have service/URL category as the 'NVR service group'

I don't know what I am missing so that only the 3x TCP and 3x UDP ports are allowed to this device.

Appreciate any insight on what I might be missing. Thanks!

Re: Can't get NAT/Security rule to work with multiple ports

JayGolf — Wed, 26 Jun 2024 04:38:11 GMT

Hi @inSync-MarkValpreda ,

Quick question, are the NVR services standard ports? With the translated port being <blank>

It doesn't look like you're forwarding a nonstandard port from the internet through your firewall down to your server located in the Security zone. If thats the case, you could just filter services via the 'Allow incoming to NVR' Security policy and keep your DNAT rule to any services.

Re: Can't get NAT/Security rule to work with multiple ports

inSync-MarkValpreda — Wed, 26 Jun 2024 15:27:40 GMT

I wound up finding my issue. I had both destination AND source ports defined in my service objects. Once I got rid of the source port, everything started working. Rookie mistake.