topic Re: U-Turn NAT with Port Address Translation in a DMZ in General Topics

U-Turn NAT with Port Address Translation in a DMZ

vazquezr1 — Fri, 07 Oct 2016 02:10:00 GMT

Hi Community,

I am configuring my first PA-200 and having a difficult time. I have a /27 external network and have the PA-200 seeing the internet properly. I have internet untrust zone setup as l3 on Int 1.1, and a DMZ setup as l3. The DMZ zone is on eth 1.2 interface and has a few servers plugged into an unmanaged gigabit belkin switch as depicted below. At this time, I am not planning to use the firewall with Trusted users or any of the other intefaces, just to serve up publically facing servers in the DMZ with specific ports. I have found several articles/config example suggesting that I use U-Turn Nat to make this happen properly but none that consider PAT as well along with layer2 traffic from the unmanaged switch. I was hoping someone could please provide some help. Thank you very much.

Re: U-Turn NAT with Port Address Translation in a DMZ

reaper — Fri, 07 Oct 2016 09:10:00 GMT

Hi @vazquezr1

you don't need u-turn nat to make this work (u-turn is used to reach internal servers, from the inside, on their external IP, you need regular inbound nat, with destination ports

as it happens, i wrote a little something about that : Getting Started: Network Address Translation

scroll down to 'Uni-directional policy', this should be the bit you need

hope this helps

Re: U-Turn NAT with Port Address Translation in a DMZ

vazquezr1 — Fri, 07 Oct 2016 15:06:50 GMT

Hi Reaper,

Appreciate the help and article. I had actually started with your suggested config originally since that is what I remember from the (3) day training. I still couldnt see the servers from the outside. I remember somewhere that someone had said you had to "tag" layer 2 traffic of it was not routed from a managed switch? Since all these servers are sitting on a dumb hub basically perhaps that is the problem? I am just using the "default" virtual router but perhaps that is not sufficient. Thank you.

Re: U-Turn NAT with Port Address Translation in a DMZ

reaper — Fri, 07 Oct 2016 15:22:56 GMT

are your interfaces _sub_ interfaces ? i'm assuming they're normal L3 interfaces, in which case you don't need tags

tags only come into play if you've got a managed switch connected to the firewall via a trunk interface (this causes the firewall to receive packets with the .1q header present, so you need to have tagged subinterfaces to diffeentiate between the vlan tags)

did you make sure to set the nat rule

from untrust to untrust, orig destination <external IP> destination translation <internal IP>

and then a security policy

from untrust to trust, destination <external IP> apps, ports, allow

are you seeing the sessions in your traffic log ? (if not, the external router may not be aware you're there and you may need to check arp settings on the router for example)

if you are, is the NAT represented as expected ?

you did set a default gateway on your servers pointing to your firewall's DMZ IP, and a 0.0.0.0/0 route in the firewall VirtualRouter, pointing to the external router, right ?

i got a whole bunch of articles that may be of interest 😉 Getting Started: The Series

Re: U-Turn NAT with Port Address Translation in a DMZ

vazquezr1 — Fri, 07 Oct 2016 15:27:39 GMT

Thanks Reaper! I originally had a VLAN and assigned it to the DMZ interface and it didnt work. I think I do have the servers and virtual router properly setup. Let me check these docs you sent over, delete the current config, and give it another go. Fingers crossed! Will advise shortly.