topic Re: Destination NAT not working in General Topics

Destination NAT not working

digitaltrance — Thu, 29 Mar 2018 18:21:29 GMT

Hello all,

I am having issues with my NAT config. I have everything from this doc completed but not seeing any traffic hit my outside interface in the logs.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping

I basically have a Synology NAS im trying to do port forwarding into from the outside.

I have a rule to log all blocked traffic from the external interface but not seeing anything hit the outside (is an easier way to see all blocked traffic without creating a rule for it?)

I did verify the Public IP address as well.

Any ideas?

See screenshots for NAT, Policy configs.

Thanks in advance!

Charles

Re: Destination NAT not working

JoeAndreini — Thu, 29 Mar 2018 18:30:39 GMT

You can override the default deny rule to add logging, select it and hit the "orange and green" splat at the bottom of the screen.

Is your policy set to log at session start or session end? if session end, it will nto log until a session ends (obviously) - you may see open sessions in the session browser.

Assuming that 192.168.1 IP address is in the Internal-L3 zone, your policies look good to me. Did this work previously, or is it a new configuration?

Re: Destination NAT not working

gwesson — Thu, 29 Mar 2018 18:32:11 GMT

Your config looks good, and it tripped me up a bit because my Synology NAS is also on 192.168.1.25.

Make sure that your NAS has a route that takes it through the firewall. It can't just go through on any interface, it has to match the interface that sent the NAT external traffic to your NAS.

You can also try doing source NAT on your inbound NAT rule for the NAS as well. Set the source NAT to be the IP of the firewall's Internal-L3 interface.

Re: Destination NAT not working

digitaltrance — Thu, 29 Mar 2018 18:52:54 GMT

Thanks for the quick reply folks! I will try these and let you know.

Re: Destination NAT not working

digitaltrance — Thu, 29 Mar 2018 18:53:58 GMT

This is a new config.

Re: Destination NAT not working

digitaltrance — Thu, 29 Mar 2018 19:23:03 GMT

Question: If I am accepting SSL VPN clients on the same external interface/IP, does that cause issues for port forwarding?

Re: Destination NAT not working

gwesson — Thu, 29 Mar 2018 23:07:08 GMT

> Question: If I am accepting SSL VPN clients on the same external interface/IP, does that cause issues for port forwarding?

Only if it's on the same port. If your SSL VPN is using 443, it won't have any affect on any other ports (like 5001 or 22).

If you're trying to forward 443 though, something will break. The packet comes to the firewall only as a SYN on port 443, so the firewall won't know if it's destined for its own interface for GlobalProtect or if it should forward it to the server. It'll pick one, but I'm not sure which offhand.