https://live.paloaltonetworks.com/t5/general-topics/isolate-and-nat-a-segment-for-byod/m-p/26970#M19705 <HTML><HEAD></HEAD><BODY><P>I did this so that our Ipads could get from their zone into the trust zone for activesync.&nbsp; Seems to me that using an external DNS might make it more difficult for more than a couple of servers.&nbsp; You can probably take the below and substitute in some ranges (i.e. the translated address can be a range).&nbsp; Of source you will need some security rules as well. Hope this helps.</P><P>Bob</P><P></P><P>Nat rule:</P><P></P><P>Original packet:</P><P>source zone-ipad zone</P><P>dest zone-Untrust</P><P>dest address-a public IP of PA</P><P></P><P>Translated packet:</P><P>type:&nbsp; Dynamic IP and port</P><P>address type:&nbsp; Interface address</P><P>interface:&nbsp; ethernet1/1 (interface of untrust zone)</P><P>IP address:&nbsp; A public facing IP different than the one above</P><P>translated address:&nbsp; Internal address of exchange server</P></BODY></HTML> Tue, 06 Nov 2012 05:30:13 GMT BobW 2012-11-06T05:30:13Z https://live.paloaltonetworks.com/t5/general-topics/isolate-and-nat-a-segment-for-byod/m-p/26969#M19704 <HTML><HEAD></HEAD><BODY><P>I've tried setting up a subnet on our local network for wireless BYOD purposes and our aim is to have phones/pads connect only on this subnet (10.84.0.0/16). An ACL on our layer 3 core switch prevents this subnet from communicating with other 10.x.x.x segments directly, where our other users and servers are set up.</P><P></P><P>We want to apply our filtering rules to internet access (Time of Day, URL/content, AV etc) and also force them to access our hosts/content as if they were on the untrusted side of the firewall. (basically make them 'go outside, then come back in' through the firewall)</P><P></P><P>I've set up DHCP to give an external resolver for DNS lookup, and I've added a dynamic NAT address rule for that subnet with an address on the untrusted interface, hoping that the BYOD subnet will route out through our internet addresses and back in.</P><P></P><P>What I see in the logs is 'incomplete' traffic to the NATed destination address, from an unNATed source address. ( zones: trust-&gt; trust)</P><P></P><P>If I need to, I can set up another ethernet interface and zone, etc.</P><P></P><P>I'm wondering if there's a simple/elegant way to get this 'outside/inside' setup to work? (We're also running this HA - Active/Active so whatever gets implemented will need to live happily on 2 devices: 2x PA2050, PANOSv.4.1.7)</P><P></P><P>Thanks in advance.</P><P></P><P>Simon.</P></BODY></HTML> Mon, 05 Nov 2012 15:28:42 GMT https://live.paloaltonetworks.com/t5/general-topics/isolate-and-nat-a-segment-for-byod/m-p/26969#M19704 sspivey 2012-11-05T15:28:42Z https://live.paloaltonetworks.com/t5/general-topics/isolate-and-nat-a-segment-for-byod/m-p/26970#M19705 <HTML><HEAD></HEAD><BODY><P>I did this so that our Ipads could get from their zone into the trust zone for activesync.&nbsp; Seems to me that using an external DNS might make it more difficult for more than a couple of servers.&nbsp; You can probably take the below and substitute in some ranges (i.e. the translated address can be a range).&nbsp; Of source you will need some security rules as well. Hope this helps.</P><P>Bob</P><P></P><P>Nat rule:</P><P></P><P>Original packet:</P><P>source zone-ipad zone</P><P>dest zone-Untrust</P><P>dest address-a public IP of PA</P><P></P><P>Translated packet:</P><P>type:&nbsp; Dynamic IP and port</P><P>address type:&nbsp; Interface address</P><P>interface:&nbsp; ethernet1/1 (interface of untrust zone)</P><P>IP address:&nbsp; A public facing IP different than the one above</P><P>translated address:&nbsp; Internal address of exchange server</P></BODY></HTML> Tue, 06 Nov 2012 05:30:13 GMT https://live.paloaltonetworks.com/t5/general-topics/isolate-and-nat-a-segment-for-byod/m-p/26970#M19705 BobW 2012-11-06T05:30:13Z