https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/93#M70 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/28274">bdunbar</A> ,</P><P></P><P>Outbound nat is straight forward, from trust to untrust nat to this address. Or this specific source gets natted to this destination address.</P><P></P><P>Inbound nat is however tricky. ie. if you have a host that is reachable from outside on address 1.1.1.1 and private address of 192.168.1.1, your nat will look like following :</P><P></P><P>From Untrust to Untrust any source to destination 1.1.1.1 translate to 192.168.1.1</P><P></P><P>Security policy :</P><P></P><P>From Untrust to Trust from any source to destination 1.1.1.1 allow</P><P></P><P>You are already reading Understanding NAT-4.1-RevC, this should give you more insight into its working. Hope this helps. Thank you.</P></BODY></HTML> Wed, 03 Dec 2014 00:47:35 GMT ssharma 2014-12-03T00:47:35Z https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/92#M69 <HTML><HEAD></HEAD><BODY><P>PAN-200</P><P>PAN OS 6.0.0.</P><P></P><P>I've been directed to implement NAT on our PAN-200.&nbsp; Given that this will disrupt current traffic, I've scheduled tomorrow night to make it happen.</P><P></P><P>I'm reading 'PAN-OS Administrator's Guide Version 6.0' - it seems reasonably straightforward.</P><P></P><P>I'm about to dive into 'Understanding NAT-4.1-RevC'.</P><P></P><P>Are there any gotchas, problems, boners, things to look out for, issues, or headaches I should be aware of before I pull the trigger?</P></BODY></HTML> Tue, 02 Dec 2014 23:14:08 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/92#M69 bdunbar 2014-12-02T23:14:08Z https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/93#M70 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/28274">bdunbar</A> ,</P><P></P><P>Outbound nat is straight forward, from trust to untrust nat to this address. Or this specific source gets natted to this destination address.</P><P></P><P>Inbound nat is however tricky. ie. if you have a host that is reachable from outside on address 1.1.1.1 and private address of 192.168.1.1, your nat will look like following :</P><P></P><P>From Untrust to Untrust any source to destination 1.1.1.1 translate to 192.168.1.1</P><P></P><P>Security policy :</P><P></P><P>From Untrust to Trust from any source to destination 1.1.1.1 allow</P><P></P><P>You are already reading Understanding NAT-4.1-RevC, this should give you more insight into its working. Hope this helps. Thank you.</P></BODY></HTML> Wed, 03 Dec 2014 00:47:35 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/93#M70 ssharma 2014-12-03T00:47:35Z https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/94#M71 <HTML><HEAD></HEAD><BODY><P>Just an heads-up, if you have any internal server to access from LAN: <A href="https://live.paloaltonetworks.com/docs/DOC-1678">How to Configure U-Turn NAT</A></P><P></P><P>Thanks</P></BODY></HTML> Wed, 03 Dec 2014 04:53:58 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/94#M71 HULK 2014-12-03T04:53:58Z https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/95#M72 <HTML><HEAD></HEAD><BODY><P>As ssharma mentioned, Destination NAT configuration can be tricky.</P><P>Here's a video tutorial that guides you through its configuration.</P><P></P><P><A href="https://live.paloaltonetworks.com/videos/1550"> Video Link : 1550</A></P><P></P><P>Bi-Directional rules are not one of my favorite features, it attempts to simplify configuration and by doing so obscures sections of the configuration. If you choose to use Bi-Directional NAT rules, make sure to review the rules that have been implicitly created with command:</P><P></P><P>&gt; show running nat-policy</P><P></P><P>Source NAT is pretty straightforward. One gotcha is that if you're trying to ping (or terminate any connection on one of the firewall's own interfaces), your source IP may be changed with the NAT policy, resulting in a LAND attack, thus having packets dropped. Make sure to configure No-NAT rules for connections that are intended to terminate in the firewall's own interfaces.</P></BODY></HTML> Tue, 30 Dec 2014 23:50:01 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/95#M72 mivaldi 2014-12-30T23:50:01Z https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/96#M73 <HTML><HEAD></HEAD><BODY><P>I also like to keep things simple. Let a NAT rule be a NAT rule and let the security rule handle hte security. That is I try not to use ports in my NAT rules, especially since I write my security rules using application and not specific ports.</P></BODY></HTML> Wed, 31 Dec 2014 22:40:17 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/96#M73 oklier 2014-12-31T22:40:17Z https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/97#M74 <HTML><HEAD></HEAD><BODY><P>You can keep it simple as you like if you have enough nat address space that you don't need to share addresses to the multiple servers.&nbsp; We just don't always have that luxury.</P></BODY></HTML> Thu, 01 Jan 2015 13:12:41 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-tips-and-gotchas/m-p/97#M74 pulukas 2015-01-01T13:12:41Z