topic Re: port forwarding external to internal in General Topics

port forwarding external to internal

wolfgang_paul — Wed, 22 Feb 2012 12:25:16 GMT

Hi,

i just want to create a "easy" port forwarding rule from external (public ip), port 52516 to a internal server port 52516, but i can´t get it done on a PA-2050. it´s a web-service running on that internal server....

i´ve created a service/application for that tcp-port, i´v created a PBF-Rule and a port-based NAT rule, but it´s not working at all.

is there a guide/howto ?!?

regards

René

Re: port forwarding external to internal

gafrol — Wed, 22 Feb 2012 12:37:00 GMT

Hi Rene,

can you post a screenshot of your Security Rule and NAT Rule ? Usually a PBF rule is not required for this purpose.

Roland

Re: port forwarding external to internal

wolfgang_paul — Wed, 22 Feb 2012 13:37:59 GMT

here we go...see jpg attached!

Zone "Internet" = external, public ip-adress

Zone "Fritzbox" = internal. 192.168.178.0/24

Adress "Public-IP" = public ip

Adress "Alarmanlage" internal host 192.168.178.22

Service "alarm" = service tcp/52516

Application "alarm" = application tcp/52516

i think the nat-rule does´nt need to be explained. the security-rule is split into external an internal part. external means all traffic from internet to the external interface with the public ip for service "alarm", internal means all traffic in zone "fritzbox" for host-adress "Alarmanlage" and Application "alarm"....and "ping" just for testing

btw: the "fritzbox" as device is used as switch between pa-2050 and the "alarmanlage"...there´s no pptp-dialup! 🙂

Re: port forwarding external to internal

gafrol — Wed, 22 Feb 2012 13:59:15 GMT

Hello Wolfgang,

well I believe there are some errors in the NAT and the Security Rule:

For the NAT:

Source Zone: Internet , Destination Zone: Internet , Source Address: any , Destination Address: Public-IP , Service: alarm , Destination Translation: Alarmanlage

For the Security Policy (Alarmanlage extern):
Source Zone: Internet , Destination Zone: Fritzbox , Destination Address: Public-IP , Application: any , Service: alarm

Once this works you can test your custom "alarm" App in your sec. rule.

Hope this helps.

Re: port forwarding external to internal

disti_sarajevo — Fri, 06 Apr 2012 14:38:41 GMT

What kinf of translation should be set?

The above explained solution doesn't work in my scenarion.

Re: port forwarding external to internal

jseals — Fri, 06 Apr 2012 19:38:47 GMT

Please describe your scenario to us, so we can help you determine what type of NAT and security rules you'll need.

Re: port forwarding external to internal

mikand — Sat, 07 Apr 2012 08:06:20 GMT

wolfgang.paul already did that in the first post.

This is how I interpret what Wolfgang wants to do:

Setup a DNAT (destination nat) for incoming traffic on a particular port (on untrust interface) to be forwarded to a particular host (on trusted interface).

This is what you need to do to accomplish the above:

1) Setup a DNAT rule in Policies -> NAT:

Original packet:

srczone: Internet

dstzone: Internet

dstinterface: int1 (or wherever you have Internet connected)

srcadr: 0.0.0.0/0 (assuming you want anyone from Internet to use this DNAT rule)

dstadr: <internetip>

service: TCP52516

Translated packet:

srctrans: none

dsttrans: <dmzip>:52516

2) Setup a security rule that will allow the translated traffic:

If im not mistaken the security rule acts after the NAT engine have done its work (DNAT will be processed twice but this doesnt matter for the security rule):

srczone: Internet

dstzone: DMZ

srcadr: 0.0.0.0/0

dstadr: <dmzip>

appid: web-browsing (or use "any" to identify which app PA will match for the flow and use that appid)

service: TCP52516 (I prefer to limit which ports each app are allowed to use, if not possible then at least use "default-application" instead of "any").

action: allow (and log on session start as debug which later can be changed to just on session end)

Re: port forwarding external to internal

disti_sarajevo — Sat, 07 Apr 2012 12:16:56 GMT

Thank you mikand, your answer was exactly what I was looking for.

Re: port forwarding external to internal

BobW — Sun, 08 Apr 2012 03:00:17 GMT

I will be installing our new PA next week. It does seem there are some subtle, and not so subtle, differences between these units and other firewalls.

So why is the nat rule "Source Zone: Internet , Destination Zone: Internet"?

Is there a quick list of steps for publishing an internal server?

Thanks,

Bob

Re: port forwarding external to internal

mikand — Mon, 09 Apr 2012 15:46:00 GMT

As you see in the nat-rule there is a small header of "original packet" vs "translated packet".

The "original packet" is what the PA should look for, and "translated packet" is what to do when the packet is found.

The security rule then acts on the "translated packet" in this case.

You can check the PAN Packet Flow document for details on how the packets are being mangled in the dataplane: https://live.paloaltonetworks.com/docs/DOC-1628

Re: port forwarding external to internal

akhan — Tue, 10 Apr 2012 03:41:19 GMT

Hi Bob,

To answer your question of why "Source Zone: Internet , Destination Zone: Internet"? Such a NAT policy would be defined to allow traffic from your Internet Zone to a server on one of your Internal Zones. NAT policies are created with the pre-NAT IP addresses in mind. In other words, when configuring NAT rules, we think of how PAN sees the incoming packet before NAT is applied. Since the source IP will be a random public IP in most cases, PAN knows that public IP addresses are situated on the Internet Zone (because the default route would be pointing out the Internet Zone interface). Hence we select Internet as the source zone. For destination zone, when a packet comes in, the destination IP address would also be a public IP address. Hence we select Internet zone again as the destination zone keeping in mind that before NAT is applied, the destination IP address belongs to the Internet zone interface.

You can refer to the following document for how NAT is setup on PAN:

Example #2 illustrates to to configure NAT for an internal server. Again the point to remember when configuring NAT rules is: Consider where the pre-NAT ip-addresses are situated with respect to PAN.

Thanks,

Ahsan