topic Re: NAT question in General Topics

NAT question

jochristian — Fri, 25 Jun 2010 14:38:03 GMT

Hello,

I have migrated a configuration from an netscreen firewall.

On the netscreen on the outside interface (against the internet) there are two mip ip's configured,

one of the MIP ip's are on the same subnet as the ip on the main ip. But the other IP is on a different subnet.

Like this:

main public ip: 192.168.1.1/29

MIP ip one: 192.168.1.2

MIP ip two: 10.1.1.10

I had no problems making the correct configuration for NAT on the MIP one ip. Inbound to a mailserver.

But I am struggeling doing the configuration for MIP ip two. It does not work.

Do I need to add the MIP ip two as a loopback ip on the untrust zone or can I add it to the interface as a secondary ip? 10.1.1.10/32.

How do I make the nat configuration for the MAP two ip?

Can anyone help?

Jo Christian

Re: NAT question

kbrazil — Fri, 25 Jun 2010 19:11:50 GMT

Hi Jo,

The destination NAT IP does not need to be in the same subnet as the interface IP in our implementation for this to work. The PAN device will ARP for the address and all should work fine.

There are a couple ways to convert a ScreenOS MIP to PANOS NAT rules:

Create two separate NAT Rules: One destination NAT inbound with zones Untrust to Untrust. Then another source NAT outbound with zones Trust to Untrust

or
Create a single source NAT outbound with zones Trust to Untrust, then flag it as bidirectional (PANOS 3.1 and above)

Once you have your NAT rule(s) then make sure the Security Policy has correct rules allowing the traffic in using the original (pre-NAT) IPs.

Cheers,

Kelly

Re: NAT question

jochristian — Fri, 25 Jun 2010 22:24:30 GMT

Hello and thanks for your reply.

Yes this is what I did (your suggestion number 2) but when making the security policy my rule always get "tagged" as unused when hitting the "show unused" button. Is there some way to debug the reason for the rule being tagged as unused?

I don't have any other rules that should interfere with this one.

Jo Christian

Re: NAT question

kbrazil — Fri, 25 Jun 2010 23:03:43 GMT

Hi Jo,

Typically when traffic is not hitting a NAT or Security policy it is due to some sort of routing or lower-level issue. To debug these types of issues you might check the drop counters or do a debug flow basic to see how the traffic is being processed and at what stage it is being dropped. Support can also help out with this.

Here is some quick information on how to check the counters and the debug flow basic:

Show Drop Counters

Set a filter to control what traffic is counted

debug dataplane packet-diag set filter match <criteria>

debug dataplane packet-diag set filter on

Show the drop counters (absolute or relative to last time command was run)

show counter global packet-filter yes | match drop

show counter global filter severity drop packet-filter yes delta yes

Debug Flow Basic

Set a filter to control what traffic is logged

debug dataplane packet-diag set filter match <criteria>

debug dataplane packet-diag set filter on

Enable debug logging

debug dataplane packet-diag set log feature flow basic

debug dataplane packet-diag clear log log

debug dataplane packet-diag set log on

View the debug log (tail or less)

less dp-log pan_packet_diag.log

tail dp-log pan_packet_diag.log

Hope that helps,

Kelly

Re: NAT question

jochristian — Mon, 28 Jun 2010 15:33:35 GMT

Hello,

Everything working now. Had to restart the DSL modem for the other subnet to work correctly.

Thank you for your help!

Jo Christian

Re: NAT question

tanbc3323 — Thu, 16 Sep 2010 07:04:23 GMT

Hi Guru,

My netscreen configuration for MIP mail server as follwing:

set interface "ethernet0/3" mip 210.24.x.x host 146.168.y.y netmask 255.255.255.255 vr "trust-vr"

set policy id 4 from "Internet" to "Trust" "Any" "MIP(210.24.x.x)" "Mail Services" permit log
set policy id 4

set route source 146.168.y.y/32 interface ethernet0/3 gateway 210.24.x.z

And i would like to convert the config from netscreen to PaloAlto, what configuration on the Palo Alto that i suppose to configure? It's that i suppose to do as following if base on the TechNote_UnderstandingNAT:

1) Internet Inbound to DMZ servers

2) DMZ servers outbound to internet

3) U-Turn in the same zone

Re: NAT question

blacksan — Thu, 16 Sep 2010 13:56:21 GMT

Here is the full package you can copy / paste for CLI then make modifications in the Web Console. I am not a fan on add App-ID when I do the migration but it is not that hard if you know the protocol. Since I don't know if "mail service" is only SMTP or the full array of mail protocols, I am including all services. I don't know if your NetScreen includes an Outbound rule for your mail server.

set service POP3-Service protocol tcp 110
set service SSL-POP3-Service protocol tcp 995
set service SMTP-Service protocol tcp 25
set service SSMTP-Service protocol tcp 465
set service IMAP-Service protocol tcp 143
set service IMAP4-SSL-Service protocol tcp 585
set service IMAPS-Service protocol tcp 993
set group service Mail-Services add POP3-Service
set group service Mail-Services add SSL-POP3-Service
set group service Mail-Services add SMTP-Service
set group service Mail-Services add SSMTP-Service
set group service Mail-Services add IMAP-Service
set group service Mail-Services add IMAP4-SSL-Service
set group service Mail-Services add IMAPS-Service
set address "Mail-NAT" ip-netmask 210.24.x.x
set address "Mail-Real" ip-netmask 146.168.y.y
set rulebase security rules "Inbound Mail" from Untrust to Trust
set rulebase security rules "Inbound Mail" source Any
set rulebase security rules "Inbound Mail" destination Mail-NAT
set rulebase security rules "Inbound Mail" destination Mail-Real - I only add this for troubleshooting because sometimes I have to add multiple source zones.
set rulebase security rules "Inbound Mail" service Mail-Services
set rulebase security rules "Inbound Mail" action allow
set rulebase security rules "Inbound Mail" log-end yes
set rulebase security rules "Inbound Mail" profile-setting group Security_Profile_AV_AS_VA
set rulebase security rules "Inbound Mail" application any
set rulebase nat rules "Inbound Mail NAT" from Untrust to Untrust
set rulebase nat rules "Inbound Mail NAT" source any
set rulebase nat rules "Inbound Mail NAT" destination Mail-NAT
set rulebase nat rules "Inbound Mail NAT" service any
set rulebase nat rules "Inbound Mail NAT" destination-translation translated-address 146.168.y.y
set rulebase nat rules "Outbound Mail NAT" from Trust to Untrust
set rulebase nat rules "Outbound Mail NAT" source Mail-Real
set rulebase nat rules "Outbound Mail NAT" destination any
set rulebase nat rules "Outbound Mail NAT" service any
set rulebase nat rules "Outbound Mail NAT" source-translation static-ip translated-address 210.24.x.x

Re: NAT question

tanbc3323 — Mon, 20 Sep 2010 06:38:20 GMT

Hi Blacksan,

Appreciated & Thank you very much for your NAT & Security policy that convert from netscreen to PaloAlto. It's really help me a lot.

Btw, how about the source routing that applied in netscreen? as below:

set route source 146.168.y.y/32 interface ethernet0/3 gateway 210.24.x.z

Re: NAT question

migration — Mon, 20 Sep 2010 08:47:11 GMT

Hi tanbc3323,

I think PBF could help you, something like this:

set rulebase pbf rules rule1 source 146.168.y.y/32

set rulebase pbf rules rule1 destination any

set rulebase pbf rules rule1 service any

set rulebase pbf rules rule1 action forward egress-interface

ethernet0/3

set rulebase pbf rules rule1 action forward nexthop ip-address

210.24.x.z

Re: NAT question

blacksan — Mon, 20 Sep 2010 13:44:07 GMT

make sure you are running PA 3.1+ to see the Policy Base Forwarding. (PBF) which is a simply version of Policy Base Routing (PBR).