topic Re: NAT Help - Reaching DMZ Server via NAT in General Topics

NAT Help - Reaching DMZ Server via NAT

jmeyer1 — Fri, 20 Sep 2013 16:40:09 GMT

Hi,

I'm having an issue setting up my DMZ test environment. My set up is basic and is as follows (IP information is an example) --

e1/1 - Internet (1.1.1.160/28 - ISP assigned)
e1/2 - Internal (10.10.10.0/24)
e1/3 - DMZ (10.10.100.0/24)
DMZ Web Server (Internal IP 10.10.100.10/24 with NAT rule for external IP mapping of 1.1.1.171)

I've set up a NAT policy as seen below --

I've set up the security policies as seen below --

Internally, I can ping 1.1.1.171 and access my web server via that IP, however when I try and attempt to access the IP from the internet (https), I'm unable to hit the server and I do not see traffic hitting the firewall. I've attempted to create a loopback to give the IP an endpoint as seen in a tutorial within this site, however that did not work either.

Does it appear that I am missing something or is my configuration incorrect? I'm sure I'm a step or two away from getting this to work, however have been trying almost everything I can think of with little to no avail. I would greatly appreciate any advice or help anyone can provide.

Thanks,

John

Re: NAT Help - Reaching DMZ Server via NAT

kadak — Fri, 20 Sep 2013 16:45:34 GMT

Hello John,

In your D-NAT rule:

Source Zone : TW Internet

Destination Zone should also be : TW Internet

Destination Address:1.1.1.71

Destination Translation should be : 10.10.100.10

Your security rule:

Source Zone : Tw Internet

Destination Zone : DMA zone where the server actually lies

Destination IP : 1.1.1.171

Let us know if it worked for you.

Regards,

Kunal Adak

Re: NAT Help - Reaching DMZ Server via NAT

kadak — Fri, 20 Sep 2013 16:47:32 GMT

You can also refer to page -16 of the following document. It explains you with an example of how DMZ servers are access from the outside.

https://live.paloaltonetworks.com/docs/DOC-1517

Regards,

Kunal Adak

Re: NAT Help - Reaching DMZ Server via NAT

jmeyer1 — Fri, 20 Sep 2013 17:33:24 GMT

Kunal,

Thanks for the prompt reply. In the midst of providing examples of my configuration I left out the 10.10.100.10 for the destination translation, but for the actual policy, it is there. In regards to the security policy, I tried adding the destination IP, although keeping the tab to "any" should of worked as well. Neither option worked. I appreciate the document you provided, I've referenced this particular document a few times on trying to troubleshoot this issue.

To add to my configuration information above, I have a route for 10.10.100.0/24 with the interface set to e1/3 and next hope value 10.10.100.5 (Gateway on the PA). I do not have a route for the public IP subnet however. Is this needed? Again, I'm not seeing any internet traffic hit the firewall for destination address 1.1.1.171.

Thanks,
John

Re: NAT Help - Reaching DMZ Server via NAT

kadak — Fri, 20 Sep 2013 19:48:03 GMT

Hello John:

The only route you require is on upstream router. The upstream router should know that if a packet comes in destined for 1.1.1.171, it should forward it to PAN's 1/1, since 1.1.1.171 comes under 1.1.1.160/28's umbrella.

I would look for any sessions/traffic logs on the PAN sourcing from that outside client hitting 1.1.1.171.

For example:

Server (10.10.100.10) ---- PAN ---- ISP----- PC (1.1.1.1)

> show session all filter source 1.1.1.1

If you don't see any sessions from 1.1.1.1, its very likely that there could be some routing issues on the ISP/upstream side.

Also, you can verify through your traffic logs. You can use the following filter : ( addr.src in 1.1.1.1 )

One thing I noticed now in your first comment is that you said - "Internally, I can ping 1.1.1.171"..... Does that mean even the local LAN subnets are accessing that web-server using public ip address? If that is the case, we are dealing with a U-Turn NAT situation here!

Regards,

Kunal Adak

Re: NAT Help - Reaching DMZ Server via NAT

Retired Member — Sat, 21 Sep 2013 18:39:03 GMT

you try to reach your webserver from inside ?

Try to use u-turn nat then

https://live.paloaltonetworks.com/docs/DOC-1678