topic How to access Local ip from Public ip in General Topics

How to access Local ip from Public ip

pranavatpl — Fri, 13 Jul 2012 07:42:49 GMT

Hi All,

I have a application server in my network. now i want to make this applicable accessible from internet through Public ip (Live Ip).

i don't know what will be the steps for that. please help me.

Thanks in advance

Re: How to access Local ip from Public ip

mikand — Fri, 13 Jul 2012 07:49:20 GMT

You need to setup NAT (or DNAT, destination nat - meaning dstip will be changed so when clients on internet connect to your public ip at a specific port the PA device will alter the packet so its dstip will be changed to the localip and then forward the packet to the localip server).

Check out this document for more information:

Re: How to access Local ip from Public ip

pranavatpl — Wed, 18 Jul 2012 07:56:21 GMT

Thanks mikand!!!

it's done successfully. but if i want to map more than one application with different port to the single live ip. than what will be the steps for configuration.

i tried with service and ip but NAT policy , policy with first priority only works.

Re: How to access Local ip from Public ip

mikand — Wed, 18 Jul 2012 21:26:35 GMT

For original packet you setup what this particular NAT rule should trigger on.

So lets assume you have traffic from srczone:Internet towards your public ip and service:12345.

srczone:Internet

dstzone:Internet

srcip:any

dstip:<your public IP that the client will talk to>

service:TCP_12345

Translated packet will then look like:

translated address:<ip of the server in DMZ or where it now might be located>

translated port: just leave it blank (or manually fill in 12345)

Now the above is to change the ip header for matching packets.

You still need to setup a security rule before the packets are allowed to reach that server at DMZ:

srczone:Internet

dstzone:DMZ

srcip:any

dstip:<your public IP that the client will talk to>

service:TCP_12345

appid:smtp (or whatever appid is applicable in your case)

The above is to DNAT incoming traffic. If you want your server at DMZ to on its own initiate outbound traffic you need to setup similar SNAT.

The above, when dealing at service (port) level, is good when you have only a single or a few public addresses. So the same ip will forward to different servers in DMZ depending on which proto/port the client is addressing. So you just redo the above work and setup another DNAT rule for next service and another security rule to allow that service (along with appid if possible).

To make it easier you can setup a 1:1 DNAT (and SNAT at the same time) so that a particular public ip always matches with a particular DMZ ip.

This way you wont need to setup more NAT-rules (only one per server) and only have to setup security rules for each traffic flow (of course depending on how you setup these security rules but I would recommend you to be as narrow as possible when you setup allow-rules).