topic Re: New to Palo Alto from Juniper SSG in General Topics

New to Palo Alto from Juniper SSG

GavinPalmer — Tue, 07 Oct 2014 13:29:10 GMT

I was wondering if someone could enlighten me on how to replicate the Mapped IP functionality from Juniper SSG to Palo Alto.

We have a number of services on our current Juniper SSG. The way we firewall these services is using MIP's on the Untrust Zone then the traffic passing from Untrust to Trust using standard juniper policies. I was playing around with the Palo Alto and it seems its as easy as setting up an address on the Untrust Zone and Trust Zone. Then allowing the traffic based on the App-ID. Can someone explain this to me please?

Apologies for the noob question. But gotta start somewhere eh?

Cheers

Re: New to Palo Alto from Juniper SSG

ssharma — Tue, 07 Oct 2014 14:13:12 GMT

Hi Gavin,

Yes, you will achieve this with both NAT and security policy. NAT policy will let you define the mapped ports and IP. That means if some-one comes for 1.1.1.1 on 443 translate it to 192.168.10.1 on 4443. Then on security policy you would say access to 1.1.1.1 is possible only with ssl application.

So if someone wants to access 1.1.1.1 anything other than ssl, it will be denied. NAT on PA device is little different and unconventional. You can follow following documents for further information :

Video Link : 1550

Video Link : 1438

Please note that destination NAT might be bit different as the zones are determined as per routing on pre-natted address. Hope this helps. Thank you

Re: New to Palo Alto from Juniper SSG

bat — Tue, 07 Oct 2014 16:00:14 GMT

GavinPalmer

Welcome to forums.

I might be wrong but I think in screen OS you specified the NAT in the security policy itself which was from Untrust to Trust if your server is located in Trust.

But in PaloAlto, you will be creating two policies one for NAT and the other for security policy and the tricky part being NAT policy will be from Untrust to Untrust with destination as public IP of your server. Also the security policy will be from Untrust to Trust with destination as public IP of your server.

Let us know if you face any issues.

Re: New to Palo Alto from Juniper SSG

pulukas — Sat, 11 Oct 2014 11:07:33 GMT

In ScreenOS on the SSG the MIP is a bidirectional static nat object mapping one ip address to another. In PanOS you use the "Static nat" option to achieve the same result in your nat rule.

What does the Bi-Directional NAT Feature Provide?

When creating the static nat rule write the rule from the perspective of your internal server going out to the external zone.

Understanding PAN-OS NAT

Re: New to Palo Alto from Juniper SSG

SDorsey — Mon, 13 Oct 2014 14:21:53 GMT

I believe Steven is correct.

Also, welcome to PANOS. I used to have to manage a couple SSGs back in the day. I found it to be painful.

Re: New to Palo Alto from Juniper SSG

GavinPalmer — Tue, 21 Oct 2014 14:47:49 GMT

Hi Steve,

Ok thats great. I have created the static NAT policy but now need to create a security policy for it. will the direction of the sec policy be Untrust to Trust or Untrust to Untrust? For example, to allow smtp to our exchange server, this comes in over a static public IP. So should the security policy read, Untrust <ANY> -> Trust <exchange_internal> or Untrust <ANY> -> Untrust <exchange_public_ip>

Thanks

Re: New to Palo Alto from Juniper SSG

hshah — Tue, 21 Oct 2014 14:50:31 GMT

Hi Gavin,

Security policy should be Untrust to Trust.

And unidirectional NAT should be Untrust to Untrust.

If its bi-directional NAT than, it should be Trust to untrust.

Regards,

Hardik Shah

Re: New to Palo Alto from Juniper SSG

GavinPalmer — Tue, 21 Oct 2014 15:02:17 GMT

I do have a bi-directional NAT setup for smtp. but how can the traffic be trust to untrust when smtp mail flow comes in from the untrust zone? I dont understand this.

Re: New to Palo Alto from Juniper SSG

dreputi — Tue, 21 Oct 2014 15:36:55 GMT

Hello Gavin,

If you create one Bi-directional NAT, PAN breaks the NAT rule into two which looks like this(Bidirectional from Trust to Untrust):

"Trust-Untrust-Bidirectional NAT" {

from trust-L3;

source 192.168.18.1;

to untrust-L3;

to-interface ;

destination any;

service any/any/any;

translate-to "src: 10.10.10.10 (static-ip) (pool idx: 5)";

terminal no;

}

"Trust-Untrust-Bidirectional NAT" {

from any;

source any;

to untrust-L3;

to-interface ;

destination 10.10.10.10;

service any/any/any;

translate-to "dst: 192.168.18.1";

terminal no;

}

This can be seen in the CLI command "show running nat-policy".

Regards,

Dileep

Re: New to Palo Alto from Juniper SSG

Ismail_Mohammed — Tue, 19 Mar 2019 12:32:01 GMT

Can you give an example for DIP NAT policy & security policy, MIP i undestand with your below comment. also DST with NAT & SEC policy