topic Re: Static NAT with Port Translation in General Topics

Static NAT with Port Translation

Ammar — Tue, 20 Sep 2016 11:18:20 GMT

Dears,

I'm migrating some NAT rules from Cisco ASA to PAN Firewall. I don't know how to migrate a static NAT with Port Translation like the follwing example:

static (dmz,outside) tcp Public_IP 443 Private_IP 80 netmask 255.255.255.255

this static in ASA means the outside connection will be directed to the public IP and the port of 443 and ASA will divert the request to the private IP on port.

do you have any on how to do over PaloAlto

Re: Static NAT with Port Translation

TranceforLife — Tue, 20 Sep 2016 11:50:09 GMT

hello,

This guy helped me to understand NAT policy configuration with port translation:

https://www.youtube.com/watch?v=aVXzzZEgIA4

Thx,

Myky

Re: Static NAT with Port Translation

bmorris1 — Tue, 20 Sep 2016 11:53:10 GMT

Hi,

This would be a destination NAT, so you would configure a NAT rule that has an original packet source & destination zone of 'outside' , destination address of your public IP and the port the outside user is connecting to.

You would then configure in the translated packet part of the rule the destination side, put in the private IP & port that the traffic is to be translated to.

You can watch this video to help as well:

https://live.paloaltonetworks.com/t5/Videos/How-to-Configure-Destination-NAT-on-the-PAN-OS-UI/ta-p/57211

For the security rule, you will need to use the source zone of the pre-NAT zone, in this case 'outside' and the destination zone will be the post-NAT zone, DMZ.

hope this helps,

Ben

Re: Static NAT with Port Translation

DZoquier — Tue, 20 Sep 2016 13:55:57 GMT

Remember to create the Policy rule to allow the traffic that is being NATed. Your destination zone will be the DMZ, put your destination IP has to be the public IP. In your configuration, you may run into an ssl issue. The client are requesting a secured connection on port 443 and you are serving them a non-secured connection on port 80.

The above videos will make it clear as well.

Re: Static NAT with Port Translation

DZoquier — Tue, 20 Sep 2016 14:58:36 GMT

Remember to create the Policy rule to allow the traffic that is being NATed. Your destination zone will be the DMZ, but your destination IP has to be the public IP. In your configuration, you may run into an ssl issue. The client are requesting a secured connection on port 443 and you are serving them a non-secured connection on port 80.

The above videos will make it clear as well.

Re: Static NAT with Port Translation

myrdin — Wed, 21 Sep 2016 21:53:07 GMT

Nat Rule:

Source Zone: untrust

Dest Zone: untrust (same)

Dest int: none

Source address: any (you will filter by the security rule)

Dest Address: Public IP assigned to the internal server Service: http/https or whatever service you are publishing

Translated Packet

Source Translation: None

Destination Translation:Private ip of the server

Destinaton port: destination port of the server, if left blank it will be the same as the one specified in the "Service" above, in your case it will be the internal port where the service is responding,

Sec Policy:

Source Zone: untrust

Desintation Zone: trust (or the zone where the server being published sits)

Destination Address: THE PUBLIC IP assigned

Appliatication/port: The port that is responding externally (not the internal port where the internal server is responding)

Re: Static NAT with Port Translation

Ammar — Thu, 22 Sep 2016 15:07:38 GMT

Dears,

Thanks all for clarifying a soluton for such NAT scenario.

I think there sholuld be a document for different NAT scenarios to compare between ASA and PAN.

Thanks all.

Re: Static NAT with Port Translation

JasonSchroeder — Tue, 17 Oct 2023 17:23:08 GMT

I am attempting to do NAT and PAT from WAN IP:4432 to Internal via a WAN IP to Internal IP:443 address. My packets are getting caught in the interzone policy. can anyone shed some light on the issue?

NAT

Policy

drop

Re: Static NAT with Port Translation

JasonSchroeder — Wed, 18 Oct 2023 17:51:02 GMT

Palo Alto Engineer helped me find my error. It was when I created a custom service I put in source port instead of leaving it blank. When creating a service for NAT port translation, the source port needs to be blank:

Thank you Palo support!