topic Re: help with NAT in General Topics

help with NAT

bwfreas — Thu, 13 Apr 2017 05:51:14 GMT

hello im wondering if anyone can help a PAFW newbie with configuring some nat that i am trying to pass through. i dont know how my security & nat rules should look but this is what i have configured:

security rule: source zone (untrust) source address (any) destination zone (untrust) destination 99.99.99.13 Accept
nat rule: source zone (untrust) source address (any) destination zone (untrust) destination address 99.99.99.13 destination translation (10.10.1.4)

I did NOT set up any kind of proxy arp - believe that is unneeded?

when i attempt to contact my PAFW on https://99.99.99.13 i see traffic from untrust to untrust application "incomplete", action "allow", session end reason "aged out"

i must be missing something somewhere?

thank you in advance

Re: help with NAT

bradk14 — Wed, 12 Apr 2017 17:11:15 GMT

so I need to ask. is this a production environment? even if you are using private IPs for a machine, you usually wouldn't want the untrust to be able to access the trust network in a traditional network environment. if any machine on the 10.1..1.0/24 network gets compromised (or whatever the subnet mask is), it has unfiltered access to all machines on that same subnet (save for host based firewalls). even if your trust zone is subnetted, the default PA rule allows traffic between same zones. all this can be worked around of course, but best practice would be to have a DMZ zone where you can at least have a tighter control on access.

okay, soapbox aside...

the general rule here is that on your security policy, you use pre-nat IPs and post-nat zones. So in this example, your security policy should be something like:

source zone: untrust

source ip: any

destination zone: trust

destination ip: 99.99.99.13

without seeing it laid out from the GUI, your destination NAT sounds correct, however.

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples#_58788 should help.

Re: help with NAT

TranceforLife — Wed, 12 Apr 2017 18:03:32 GMT

Agree with @bradk14 as more info needed. Usually, "aged-out" as a session end reason is not a good sign and most of the time indicates an issue with a 3-way handshake. Can you ping an internal server from the firewall? Do you see any bytes received in the session logs?

Re: help with NAT

ansharma — Thu, 13 Apr 2017 00:30:21 GMT

Destination zone in security policy needs to be 'Trust'. Rest looks fine.