topic Re: Multiple NAT or UTurn NAT rules in General Topics

Multiple NAT or UTurn NAT rules

synapse — Sun, 03 Apr 2011 19:00:13 GMT

We are hoping that someone can suggest a simpler way to resolve the issue of allowing internal hosts (in the Trust zone) to access servers sitting on the Trust zone via their external IP address (what PAN calls a UTurn or Hairpin rule). We have nearly 70 Static IP NAT rules, most of which are bidirectional, and are not looking forward to defining a second NAT rule fo each.

One might assume that given the fact that bidirectional Static IP NAT rules have already been defined that it would (should) be possible to create one NAT rule that instructs the appliance to apply source NAT translation from any host in the Trust zone that hits the external static NAT address.

Suggestions please!

Thanks,

Stuart Brainerd

Re: Multiple NAT or UTurn NAT rules

reaper — Tue, 05 Apr 2011 16:56:47 GMT

Hi Stuart

if you have that many hosts sitting on the inside of the network, it might be interesting to consider having internal DNS records pointing your LAN hosts to an internal IP's for the servers.

the existing rules set up for your static nat are geared differently (no source translation for inbound connections, which is required for u-turn and different zones etc) so unfortunately there's probably no clean way to do that using NAT rules

regards

Tom

Re: Multiple NAT or UTurn NAT rules

kbrazil — Tue, 05 Apr 2011 17:48:59 GMT

Hi Stuart,

It might be possible to consolidate rules if your public and private addresses match up contiguously. Then you can create a single dst-nat rule for the entire subnet and match that up with a single UTurn NAT rule for the subnet.

e.g.

1.1.1.1 --> 10.5.5.1

1.1.1.2 --> 10.5.5.2

1.1.1.3 --> 10.5.5.3

1.1.1.4 --> 10.5.5.4

etc...

Cheers,

Kelly