https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7146#M5278 <HTML><HEAD></HEAD><BODY><P>Hello <A href="https://live.paloaltonetworks.com/u1/14223">MemphisBrothers</A></P><P></P><P>Considering that the license server is in the dmz-L3 zone and the traffic is coming from the untrust-L3 zone, here is how you would go about creating service objects, NAT rule and security rule</P><P></P><P><STRONG>Service Objects (Source port kept empty):</STRONG></P><P><IMG alt="" class="jiveImage" height="147" src="https://live.paloaltonetworks.com/legacyfs/online/9850_pastedImage_3.png" width="1340" /></P><P></P><P></P><P><STRONG>Security Rule ( from untrust-L3 to dmz-L3):</STRONG></P><P><IMG alt="" class="jiveImage" height="107" src="https://live.paloaltonetworks.com/legacyfs/online/9848_pastedImage_1.png" width="1354" /></P><P></P><P></P><P><STRONG>NAT Rule ( from untrust-L3 to untrust-L3):</STRONG></P><P><IMG alt="" class="jiveImage" height="128" src="https://live.paloaltonetworks.com/legacyfs/online/9849_pastedImage_2.png" width="1345" /></P><P></P><P>For future reference you refer the following document:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1517">Understanding PAN-OS NAT</A> (Page 19 -21 explains your scenario)</P><P></P><P></P><P>Hope the above configuration helps you.</P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Tue, 19 Nov 2013 19:32:18 GMT kadak 2013-11-19T19:32:18Z https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7145#M5277 <HTML><HEAD></HEAD><BODY><P>I have an internal licenses server that users need to access from the internet, 10.1.3.21.&nbsp; The The external exposed ip is 216.55.55.10</P><P>The application on the users computer needs the following TCP ports open through the firewall so that client workstations are able to obtain a license from your license server system.</P><P><STRONG>lmgrd.exe</STRONG> needs INCOMING TCP ports 27000 to 27009 and <STRONG>adskflex.exe</STRONG> needs 2080.&nbsp; What is the easiest way to&nbsp; address this?</P><P></P><P>We need a natting rule correct?&nbsp; What type.</P><P>Once I figure out the natting rule then I can created policies to allow application traffic on the necessary ports.&nbsp; Unless there is an exev simpler way to create it all.&nbsp; Ideas welcome</P></BODY></HTML> Tue, 19 Nov 2013 02:43:43 GMT https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7145#M5277 MemphisBrothers 2013-11-19T02:43:43Z https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7146#M5278 <HTML><HEAD></HEAD><BODY><P>Hello <A href="https://live.paloaltonetworks.com/u1/14223">MemphisBrothers</A></P><P></P><P>Considering that the license server is in the dmz-L3 zone and the traffic is coming from the untrust-L3 zone, here is how you would go about creating service objects, NAT rule and security rule</P><P></P><P><STRONG>Service Objects (Source port kept empty):</STRONG></P><P><IMG alt="" class="jiveImage" height="147" src="https://live.paloaltonetworks.com/legacyfs/online/9850_pastedImage_3.png" width="1340" /></P><P></P><P></P><P><STRONG>Security Rule ( from untrust-L3 to dmz-L3):</STRONG></P><P><IMG alt="" class="jiveImage" height="107" src="https://live.paloaltonetworks.com/legacyfs/online/9848_pastedImage_1.png" width="1354" /></P><P></P><P></P><P><STRONG>NAT Rule ( from untrust-L3 to untrust-L3):</STRONG></P><P><IMG alt="" class="jiveImage" height="128" src="https://live.paloaltonetworks.com/legacyfs/online/9849_pastedImage_2.png" width="1345" /></P><P></P><P>For future reference you refer the following document:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1517">Understanding PAN-OS NAT</A> (Page 19 -21 explains your scenario)</P><P></P><P></P><P>Hope the above configuration helps you.</P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Tue, 19 Nov 2013 19:32:18 GMT https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7146#M5278 kadak 2013-11-19T19:32:18Z https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7147#M5279 <HTML><HEAD></HEAD><BODY><P>Using this as a guide I was able to get what I needed to accomplish.&nbsp; Thanks a lot.&nbsp; </P></BODY></HTML> Thu, 12 Dec 2013 01:20:01 GMT https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7147#M5279 MemphisBrothers 2013-12-12T01:20:01Z https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7148#M5280 <HTML><HEAD></HEAD><BODY><P>An addendum to this.&nbsp; Turns out I only needed a rule for inbound traffic only.&nbsp; </P></BODY></HTML> Fri, 07 Mar 2014 01:01:31 GMT https://live.paloaltonetworks.com/t5/general-topics/what-type-of-policy-rules-do-you-need-to-access-an-internal/m-p/7148#M5280 MemphisBrothers 2014-03-07T01:01:31Z