topic New to PAN - coming from ASA - NAT nightmares in General Topics

New to PAN - coming from ASA - NAT nightmares

darren-bucknell — Tue, 20 Jun 2017 16:44:34 GMT

Hi guys,

I have come from Cisco ASAs whereby it is super easy to create port forwarding/translation - really useful when only have single public IP.

object network web-server

host 192.168.1.10

nat (inside,outisde) static interface service tcp 80 80

access-list outside extended permit any object web-server eq 80

I am finding this impossibly difficult on the Palo! I have created a NAT as follows:

"INBOUND WWW; index: 4" {
nat-type ipv4;
from untrust;
source any;
to untrust;
to-interface ethernet1/1 ;
destination a.b.c.d;
service [ tcp/any/80 tcp/any/8080 ];
translate-to "dst: 172.22.1.10:80";
terminal no;

"UNTRUST TO WEB SERVER; index: 6" {
from untrust;
source any;
source-region none;
to trust;
destination a.b.c.d
destination-region none;
user any;
category any;
application/service web-browsing/tcp/any/80;
action allow;
icmp-unreachable: no
terminal yes;

Access to the webserver is not working and there is nothing in the live traffic logs - I'm sure I am doing something stupid if someone could hlpe...

Cheers,

Darren

Re: New to PAN - coming from ASA - NAT nightmares

darren-bucknell — Tue, 20 Jun 2017 16:51:05 GMT

Fixed it - wrong zone <blush> 🙂

Re: New to PAN - coming from ASA - NAT nightmares

acc6d0b3610eec313831f7900fdbd235 — Tue, 20 Jun 2017 17:01:05 GMT

Hi @darren-bucknell

That's how you need to configure your policy in ordert to allow inbound traffic to your Web Server.

NAT Policy Example

Security Policy Example

Now if you need your WebServer to also access the Internet (Bidirectional) I can give another example, then the NAT policy will work a little bit different.

Let me know how it goes.

Re: New to PAN - coming from ASA - NAT nightmares

darren-bucknell — Tue, 20 Jun 2017 17:15:10 GMT

Hey thanks for this Willian!

I used the "application (web-browsing)" ID and it worked.

Basically, I am getting used to the PAN zonal configuration that the ASA has no concept of. It's a learning curve but will be worth it.

Best regards,

Darren

Re: New to PAN - coming from ASA - NAT nightmares

darren-bucknell — Tue, 20 Jun 2017 17:16:11 GMT

The web server does have a dynamic NAT (overload) policy configured. Is there a better way?

Thanks in advance,

Darren

Re: New to PAN - coming from ASA - NAT nightmares

acc6d0b3610eec313831f7900fdbd235 — Tue, 20 Jun 2017 17:40:21 GMT

@darren-bucknell

No problem, you can definitely use the web-browsing App-ID. Just a heads up that if you use the service-http as service and web-browsing, you will be locking down the use of the application to port tcp/80 and tcp/8080 :). In most cases I typically leave the service field as Application-default, unless the application has a different specification.

If your application uses web-browsing, but do HTTP over a different port than i.e 5000, then obviously, you have to create a service object and then specify that in the service cell in the policy 🙂

Re: New to PAN - coming from ASA - NAT nightmares

acc6d0b3610eec313831f7900fdbd235 — Tue, 20 Jun 2017 17:46:00 GMT

I would simply configure it the NAT policy as bidirectional policy instead. This way, the server can receive inbound traffic and send traffic out at the same time.

Maybe these two articles here will help you.

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configure-nat-policies

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples

Re: New to PAN - coming from ASA - NAT nightmares

darren-bucknell — Tue, 20 Jun 2017 18:06:05 GMT

Thanks Willian,

I only have a single public IP address and have dynamic NAT rules configured for the DMZ and other subnets. Wouldn't a biderctional NAT (only available for a static IP) break general PAT?

PAN-OS certainly does things differently to Cisco ASA!