https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/149205#M49752 <P>Cool, I create 5 nat rules and working as expected , but is good to know this option to future implementations.</P><P>Thanks a lot for your feedback.</P><P>&nbsp;</P><P>Best regards</P><P>Andres Padilla</P> Thu, 23 Mar 2017 18:06:10 GMT Apadilla 2017-03-23T18:06:10Z https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/148753#M49641 <P>Hello ocmmunity,</P><P>&nbsp;</P><P>Do you know if it is possible to do this in the firewall ?</P><P>Name:&nbsp; NAT 1<BR />Source Zone: INTERNET<BR />Destination Zone: INTERNET<BR />Source Address: IP_Public<BR />Destination Address: 1.1.1.1<BR />Service: icmp, tcp/5551, tcp/22, tcp/4443, udp/500, udp/4500<BR />Destination Translation:Device (10.140.2.1)</P><P>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</P><P>I know that Destination nat is one - to - one,&nbsp; so in this case</P><P>&nbsp;</P><P>1. I will need to perform one NAT rule to each service. Correct ? In this case, one to allow port 5551, other to allow port 22, etc.</P><P>2. Is poosible that&nbsp;all these rules have the same Destination Address (Destination Address: 1.1.1.1) and same Destination traslation (Destination Translation:Device (10.140.2.1).</P><P>&nbsp;</P><P>3. I have 3 security rules where I'm allowing&nbsp; these services.</P><P>3.1. Rule 1&nbsp; allow the app "icmp",</P><P>3.2&nbsp; Rule 2&nbsp; allow ports 5551, 22 &amp; 4443,</P><P>3.3&nbsp; Rule 3&nbsp; allow ports udp500 / udp4500</P><P>&nbsp;</P><P>++++++++++++++++++++</P><P>&nbsp;</P><P>I appreciate your feedback.</P><P>&nbsp;</P><P>Best Regards</P><P>Andres</P> Tue, 21 Mar 2017 23:35:47 GMT https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/148753#M49641 Apadilla 2017-03-21T23:35:47Z https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/148789#M49647 <P>If you want to NAT ICMP (or any protocol other than UDP or TCP) you need to use any as service. So I suggest 1 NAT rule with any as a service and do your filtering with firewall rules (which is a good idea in any case).</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Mar 2017 07:57:28 GMT https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/148789#M49647 santonic 2017-03-22T07:57:28Z https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/148794#M49650 <P>You can combine all the UDP and TCP ports in one single NAT policy, you only need to add a port to the destination translation if you want to change the destination, eg. change incoming port 4443 to 443 on the webserver, but if the destination port does not need to change you can leave the translation port field empty</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="many services nat.png"><img src="https://live.paloaltonetworks.com/skins/images/2F2A72B3BE70ACC5EBC3E1D7685F5297/responsive_peak/images/image_not_found.png" alt="many services nat.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>the only 'problem' is that ICMP can only be NATed through an 'any' policy so you'll either need to skip ICMP or create an 'any' policy and then filter based on security policies</P> Wed, 22 Mar 2017 09:14:39 GMT https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/148794#M49650 reaper 2017-03-22T09:14:39Z https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/149205#M49752 <P>Cool, I create 5 nat rules and working as expected , but is good to know this option to future implementations.</P><P>Thanks a lot for your feedback.</P><P>&nbsp;</P><P>Best regards</P><P>Andres Padilla</P> Thu, 23 Mar 2017 18:06:10 GMT https://live.paloaltonetworks.com/t5/general-topics/configure-nat-with-multiple-ports/m-p/149205#M49752 Apadilla 2017-03-23T18:06:10Z