topic Re: configuration of the NAT rules to DMZ zone in General Topics

configuration of the NAT rules to DMZ zone

RCHAIBI — Tue, 20 Oct 2015 21:22:44 GMT

Hello,

In our office we have two servers in a DMZ zone (10.10.10.3 and 10.10.10.4). In the PA-500 I created a DMZ zone that's related to a vlan in the switch . This switch i related to the serves (10.10.10.3 and 10.10.10.4).

The servers are in DMZ zone so I configure the NAT rules with static NAT and I open the necessary ports. But without any results. I think that I shoudn't configure a destinaion NAT in this cas becous the servers ar in DMZ zone and ot in a LAN zone.

You wil find in the attchment the screenshot about the existing configuration of PAN.

I will be appreciated for all helps !

Thank you very much 🙂

Re: configuration of the NAT rules to DMZ zone

Raido_Rattameister — Tue, 20 Oct 2015 21:57:09 GMT

Move first rule to bottom.

Are other rules bi-directional?

Re: configuration of the NAT rules to DMZ zone

Raido_Rattameister — Tue, 20 Oct 2015 22:01:27 GMT

Also try to get one rule working first.

You try to map multiple ports to single port (all wan side ports are 25 but internal ones are diferent).

Re: configuration of the NAT rules to DMZ zone

OtakarKlier — Tue, 20 Oct 2015 22:57:02 GMT

Without more of the rulesset, I would assume you probably need a U-Turn rule.

https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-PAN-OS-NAT/ta-p/60965

This will allow the traffic to get to the proper server. It's a NAT and a Security Policy combo.

Hope this helps.

Re: configuration of the NAT rules to DMZ zone

pulukas — Wed, 21 Oct 2015 10:32:39 GMT

You cannot map the same ip/port (25) to three different internal ip/port combinations.

Static NAT is a one-to-one bidirectional NAT so there can only be one external ip/port to one internal ip/port.

What is the situation here, are you looking for inbound NAT rules to expose multiple DMZ servers for SMTP?

Re: configuration of the NAT rules to DMZ zone

RCHAIBI — Thu, 22 Oct 2015 11:34:04 GMT

Hello,

I'm sorry i do a mistake when i wrote the table of the NAT rules. You will find in the attachement the right screen shot . The static NAT that i used is a bidirectional NAT. I add also a security rules to access to the email server (10.10.10.2) . The problem that i can send an email but i can't receive any email. I think that i do a mistake in the security rules. Could you please help me to determinate the mistake in my configuration.

Thank you very much for all helps

Re: configuration of the NAT rules to DMZ zone

reaper — Thu, 22 Oct 2015 11:48:03 GMT

Your WAN to DMZ security policy should read:

srcZN:WAN srcADR:any dstZN:DMZ dstADR:193.200.1.25

for a security policy the IP addressing are preNAT, zones are postNAT

regards

Tom

Re: configuration of the NAT rules to DMZ zone

RCHAIBI — Fri, 23 Oct 2015 12:52:30 GMT

Thank you very moch @reaper . It work fine now after this modification 🙂

Thank you for all helps

Re: configuration of the NAT rules to DMZ zone

RCHAIBI — Fri, 23 Oct 2015 12:55:29 GMT

I found a problem with the 443 port . I add a NAT rule like shooing in the screen shoot to the 443 port and i add a security rules from outside to dmz ( with public ip address and the port443)

But without any result this port still always closed

Thanks for all helps

Re: configuration of the NAT rules to DMZ zone

reaper — Fri, 23 Oct 2015 13:17:23 GMT

the NAT for port 25 is going to 10.10.10.2 while 443 is going to 10.10.10.3, did you make sure port 443 is accessible on that server and the nat/security rules are identical except for the ports and the server ip?

regards

Tom

Re: configuration of the NAT rules to DMZ zone

RCHAIBI — Fri, 23 Oct 2015 13:33:27 GMT

The port 443 is open in the server 10.10.10.3 and i do the same security rules but always thsi port is used by the PAN , should i change the default management port of the PAN like presented in this article https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Port/ta-p/62333 ??

Re: configuration of the NAT rules to DMZ zone

RCHAIBI — Fri, 23 Oct 2015 13:43:14 GMT

Yes ,the port 443 is open in the server 10.10.10.3 and I do the same configuration that i did it to open the 25 port in the server 10.10.10.2. when i activate the https on the outside port . This port is change to open but to the interface of the configuration of the PAN.

Should i change the default ports used by the PAN like show this article ??

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Port/ta-p/62333

Re: configuration of the NAT rules to DMZ zone

reaper — Fri, 23 Oct 2015 13:57:12 GMT

if you have a management profile configured on the interface with ssl enabled, you would be redirected to the GUI, but if there's no management profile or ssl has not been enabled you don't need to implement that article.

are you seeing anything in the logs?

you should be able to figure out what is going on by trying this cli command:

> show session all filter destination 193.200.1.25 destination-port 443

and then get the full view for the session

> show session id <id>

this will show you if NAT is being applied properly and which security/nat rules you are hitting:

Session              23

        c2s flow:
                source:      10.10.10.15 [trust]
                dst:         198.51.100.2
                proto:       17
                sport:       35040           dport:      22
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown


        s2c flow:
                source:      198.51.100.2[untrust]
                dst:         198.51.100.22
                proto:       17
                sport:       22            dport:      35040
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

       start time                           : Tue Oct 20 13:49:57 2015
        timeout                              : 3600 sec
        time to live                         : 3592 sec 
        total byte count(c2s)                : 13026788
        total byte count(s2c)                : 12878618
        layer7 packet count(c2s)             : 84918
        layer7 packet count(s2c)             : 84943
        vsys                                 : vsys1
        application                          : ssh  
        rule                                 : securityrule_1
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        address/port translation             : source
        nat-rule                             : nat_rule(vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : any
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/1
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown

Re: configuration of the NAT rules to DMZ zone

RCHAIBI — Fri, 23 Oct 2015 14:48:32 GMT

It's OK @reaper , it's a problem with the access list thank you very much 🙂