topic Re: Destination NAT translation is not working os .5.0.10 in General Topics

Destination NAT translation is not working os .5.0.10

Satish — Fri, 09 Jan 2015 11:15:13 GMT

Hi Friends,

PAN OS 5.0.10 is running. i have create a destination NAT translation but is not working and also i am not getting any logs. please suggest.

Regards

Satish

Re: Destination NAT translation is not working os .5.0.10

Wenar — Fri, 09 Jan 2015 11:34:06 GMT

Do you have a security policy for this traffic with activated logging?

Re: Destination NAT translation is not working os .5.0.10

Satish — Fri, 09 Jan 2015 11:38:48 GMT

Hi Wenar,

Yes, I have already a security policy for that.

Regards

Satish

Re: Destination NAT translation is not working os .5.0.10

Wenar — Fri, 09 Jan 2015 13:24:36 GMT

Can you post a screenshot of the security policy? Keep in mind that your security policy has to look like this:

Source:Any

Source Zone: Any (or Untrust)

Destination: Public IP

Destination Zone: Zone for Private IP

You should see the traffic in the traffic log.

Re: Destination NAT translation is not working os .5.0.10

rborda — Fri, 09 Jan 2015 16:40:08 GMT

Hi Satish,

Verify your Security Policy and NAT policy look like what you see below. Make sure that Destination address for your NAT and Security Policy is your Public IP.

Also, for your NAT policy use Source Zone: Untrust, Destination Zone: Untrust. Use only Private IP in your Translated Destination Address.

Security Policy

Nat policy

Regards

Re: Destination NAT translation is not working os .5.0.10

bat — Fri, 09 Jan 2015 20:55:09 GMT

Satish

Could you confirm if the traffic for that IP address is even reaching the firewall ? Try configuring packet capture and see if the packet is reaching the firewall, if it's not then it should be a simple ARP or routing issue.

Hope it helps !

Re: Destination NAT translation is not working os .5.0.10

oklier — Fri, 09 Jan 2015 22:13:17 GMT

Hurricane electric has a helpful public looking glass utility: Looking Glass - Hurricane Electric (AS6939). They even have an app for the Android .

Re: Destination NAT translation is not working os .5.0.10

pulukas — Sat, 10 Jan 2015 13:38:18 GMT

I would start by filtering your policy logs by the source address of the attempt. Then you can see what policy the traffic is hitting in your firewall. Make sure you do have a logging final deny all policy so it is not silently dropped and that logging is enabled for all policies.

Nat columns can be added to the monitor policy logs so you will also see from here if the traffic is being recognized by any of the nat rules.

Re: Destination NAT translation is not working os .5.0.10

parmas — Sat, 10 Jan 2015 14:13:59 GMT

Just to add something that has not been mentioned... It could be possible that the traffic is indeed reaching the firewall and the NAT itself working properly, but you need to make sure you have a route not only on the firewall to reach the private IP, but also a route configured on the server itself to get back to the outside world through the same firewall interface that was used to forward the incoming packets.

Hope this helps.