topic Re: outside to inside nat tcp and udp specific? in General Topics

outside to inside nat tcp and udp specific?

chuckles — Tue, 07 May 2019 19:02:50 GMT

i have a situation where outside users will tupe in a public ip which the palo alto will nat it into a inside privtae address like

destination "public" x.x.x.x port udp 8443 >>> translated destination "private" y.y.y.y udp 8443

,but when i tired to do it i couldnt set the tanslated address port to tcp or udp? does it take the same tcp or udp set in the original service port?

also is my config correct for this nat?

Re: outside to inside nat tcp and udp specific?

jeremy.larsen — Tue, 07 May 2019 19:44:50 GMT

You have to have a matching firewall rule that is going to allow TCP/UDP/etc. NAT doesn't really care about the protocol. Also, you might want to consider using APP-ID instead of a blanket Port/Protocol statement for your inbound firewall rule. Personally I don't like port forwarding if I can avoid it (can cause all sorts of NAT frustrations). Get another IP from your ISP if you can. If you have multiple services, look into a good load balancer or application delivery platform (ie - F5/Citrix offerings).

Re: outside to inside nat tcp and udp specific?

chuckles — Tue, 07 May 2019 19:53:12 GMT

but is my nat rule correct?

if i set the original traffic coming into udp 8443 , does the translated private ip also use udp? as there is no option to use udp or tcp in the translated port

also how the firewall rule should be for the destination? should i make the (outisde>>inside) rule destination ip the translated private ip or the public ip?

Re: outside to inside nat tcp and udp specific?

OtakarKlier — Tue, 07 May 2019 20:49:29 GMT

Hello,

Yes as far as protocol, if its UDP then its UDP all the way from source to destination, same for TCP. Also here is a good example for NAT:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

I also agree with @jeremy.larsen , let the NAT just to IP translation and let the security policy do the policing.

Regards,

Re: outside to inside nat tcp and udp specific?

chuckles — Tue, 07 May 2019 20:54:56 GMT

but how the security policy destination ip should be , is it the public ip or the translated private ip like:-

allow outisde to inside , source any ip , destination "public" or "translated private ip"???

Re: outside to inside nat tcp and udp specific?

OtakarKlier — Tue, 07 May 2019 21:03:15 GMT

Here is a good example of a destination NAT. I believe this is what you are looking for.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping.html

So in your case the source and destination is Outside, dont select an interface or service, destination IP is the Public IP of your server.

Translated packet: just put the internal IP of your server

Then the security policies should be Source "outside' destination inside address of the Public IP of your server and then select the application and server here.

Hope that makes sense. The picture of the rules in the link should be all you need.