https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40436#M29689 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">or i would need to create other rule from untrust to trust permitting SSH??? </SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Wed, 24 Jul 2013 09:13:43 GMT soporteseguridad 2013-07-24T09:13:43Z https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40435#M29688 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">If there is a security policy applied from just "untrust to trust" permitting SSH traffic .. this rule will be bidirectional??? or i would need to create other rule from trus to trust permitting SSH??? </SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Its the same with NAT rules???<BR /></SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">thanks</SPAN></P></BODY></HTML> Wed, 24 Jul 2013 09:08:22 GMT https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40435#M29688 soporteseguridad 2013-07-24T09:08:22Z https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40436#M29689 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">or i would need to create other rule from untrust to trust permitting SSH??? </SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Wed, 24 Jul 2013 09:13:43 GMT https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40436#M29689 soporteseguridad 2013-07-24T09:13:43Z https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40437#M29690 <HTML><HEAD></HEAD><BODY><P>Good Morning,</P><P>From what I understand, you wanna&nbsp; create a security rule from Untrust to Trust, so that people from the internet can access a server that is behind the firewall on the trust zone. If the users from the internet initiate a new ssh session to the firewall, then the firewall receives a SYN packet from the untrust to the trust zone. We need not write a new policy for the SYN-ACK from the trust to untrust to go out, and the firewall will match any the server to client traffic on ssh to the same "untrust to trust" rule that you created. So it depends upon who is initiating the session. If someone is initiating a new ssh connection from the trust zone, we would then require a policy from "trust to untrust" allowing ssh.</P><P></P><P>Bear in mind that when we have an inbound connection from the internet ( untrust to trust), the NAT rules are written slightly differently, and you may wanna refer to the destination NAT configuration as mentioned under page 15 of&nbsp; the NAT tech note, </P><P></P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1517">https://live.paloaltonetworks.com/docs/DOC-1517</A></P><P></P><P>BR,</P><P>Karthik </P></BODY></HTML> Wed, 24 Jul 2013 13:43:35 GMT https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40437#M29690 kprakash 2013-07-24T13:43:35Z https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40438#M29691 <HTML><HEAD></HEAD><BODY><P>first scenario</P><P>when</P><P>a client have to established session on a server with a source NAT to the aim of masking&nbsp; the ip of the client or for routing purpose. you just need a static NAT without bidirectionnal option.</P><P></P><P>second scenario</P><P>if you create a static nat with the bidirectional option&nbsp; and with a destination address declared.</P><P>you have the same behaviour, but its like you create another nat rule but a destination nat rule that allow the server to initiate a connection on your client of the first scenario</P><P></P><P>that make sens? </P></BODY></HTML> Wed, 24 Jul 2013 16:08:51 GMT https://live.paloaltonetworks.com/t5/general-topics/policies-security-and-nat-are-bidireccional/m-p/40438#M29691 Gregoux 2013-07-24T16:08:51Z