topic Re: RDP NAT connection issue? in General Topics https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155003#M51000 <P>I disagree.</P><P>Your Security Policy does NOT need to include internal IP.</P><P>As first is done NAT evaluation. This will tell firewall where packet needs to go to.</P><P>Then security policy is checked.</P><P>And last NAT is applied - just before packet is sent out to wire.</P><P>So security policy is checked when packet still has original IP but destination zone has already been changed in packet metadata.</P> Wed, 03 May 2017 14:27:45 GMT Raido_Rattameister 2017-05-03T14:27:45Z RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/154978#M50992 <P>Hi folks,</P><P>&nbsp;</P><P>For test purposes, I am trying to get RDP to work going through my PA-200 OS 6.1.4 to an internal PC.</P><P>I've been following several articles like this one, but not getting it to work.</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/MS-RDP-NAT-Issue/m-p/15217/thread-id/11171/highlight/true" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/MS-RDP-NAT-Issue/m-p/15217/thread-id/11171/highlight/true</A></P><P>&nbsp;</P><P>I must be doing something wrong since my internet access&nbsp;rules are working fine.</P><P>Anyone see anything in my rules that look wrong?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RDPNAT.jpg" style="width: 764px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9028i76A8D4881745C260/image-dimensions/764x172/is-moderation-mode/true?v=v2" width="764" height="172" role="button" title="RDPNAT.jpg" alt="RDPNAT.jpg" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RDPsecurity.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9031iEEBA81D534545642/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="RDPsecurity.jpg" alt="RDPsecurity.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 May 2017 11:58:35 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/154978#M50992 OMatlock 2017-05-03T11:58:35Z Re: RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155000#M50998 <P>Hey your second line shows your IP so no reason to hide it in first one.</P><P>NAT screenshot does not show right column that should include RDP server internal ip. So can't validate if this is there.</P><P>&nbsp;</P><P>Other thing you can try is to enable bi-directional checkbox on second NAT rule. This will do the trick also create hidden NAT rule for incoming RDP traffic).</P><P>Hidden NAT policy is visible in CLI "show running nat-policy"</P> Wed, 03 May 2017 13:43:57 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155000#M50998 Raido_Rattameister 2017-05-03T13:43:57Z Re: RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155001#M50999 <P>--- removed&nbsp; ---</P> Wed, 03 May 2017 14:48:22 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155001#M50999 bradk14 2017-05-03T14:48:22Z Re: RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155003#M51000 <P>I disagree.</P><P>Your Security Policy does NOT need to include internal IP.</P><P>As first is done NAT evaluation. This will tell firewall where packet needs to go to.</P><P>Then security policy is checked.</P><P>And last NAT is applied - just before packet is sent out to wire.</P><P>So security policy is checked when packet still has original IP but destination zone has already been changed in packet metadata.</P> Wed, 03 May 2017 14:27:45 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155003#M51000 Raido_Rattameister 2017-05-03T14:27:45Z Re: RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155004#M51001 <P>In my experience Raido is correct.&nbsp;</P> Wed, 03 May 2017 14:40:05 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155004#M51001 BPry 2017-05-03T14:40:05Z Re: RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155013#M51003 <P>you are correct. I completely reversed the policies. I confused myself. apologies.</P> Wed, 03 May 2017 14:49:35 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155013#M51003 bradk14 2017-05-03T14:49:35Z Re: RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155016#M51006 <P>Thanks folks!&nbsp;</P><P>&nbsp;</P><P>I will follow up and update this post later this evening.</P><P>This is my diagram trying to accomplish.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RDPdiag.jpg" style="width: 722px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9042i4088E43C379B256D/image-dimensions/722x111/is-moderation-mode/true?v=v2" width="722" height="111" role="button" title="RDPdiag.jpg" alt="RDPdiag.jpg" /></span></P><P>&nbsp;</P> Wed, 03 May 2017 16:42:09 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155016#M51006 OMatlock 2017-05-03T16:42:09Z Re: RDP NAT connection issue? https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155113#M51026 <P>Ok, got it!&nbsp; Thank you for the feedback!</P><P>&nbsp;</P><P>I forgot to adjust my gateway on internal server.&nbsp; Also do not need a bi-directional NAT rule.&nbsp; Just D-NAT and Internet S-NAT.</P><P>&nbsp;</P><P>For the record, my correct rules below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RDPsuccess1.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9057i7987C0D950459589/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="RDPsuccess1.jpg" alt="RDPsuccess1.jpg" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RDPsuccess2.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9058iD9621DF6F5FF087E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="RDPsuccess2.jpg" alt="RDPsuccess2.jpg" /></span></P> Thu, 04 May 2017 10:16:05 GMT https://live.paloaltonetworks.com/t5/general-topics/rdp-nat-connection-issue/m-p/155113#M51026 OMatlock 2017-05-04T10:16:05Z