topic Re: Destination NAT to other Port in General Topics

Destination NAT to other Port

MPI-AE — Fri, 11 Jan 2019 09:06:40 GMT

Hey all,

there is a ssh server in an internal network. I want to access that server from public, but with source port for example 11111. The server listens on normal ssh port 22.

So I would like the firewall to do a port translation from 11111 to 22.

Is that possible?

Re: Destination NAT to other Port

LukeBullimore — Fri, 11 Jan 2019 09:34:13 GMT

Hey @MPI-AE

Yep this is totally possible. First create a new service for tcp/11111 then create a new NAT rule as follows:

Source Zone: Untrust

Source IP: Any

Destination Zone: Untrust

Destination IP: {Public IP}

Service: New service you created for 11111

Translated packet tab:

Destination Translation:

Static IP: {Private IP}

Translated Port: 22

Of course you will then need a security policy rule to allow the traffic

Source Zone: Untrust

Source IP: Any (Preferable to limit this if you can)

Destination Zone: {Zone that private IP resides in, Trust etc.}

Destination IP: {Public IP}

Application: ssh

Service: application-default

Cheers,

Luke.

Re: Destination NAT to other Port

MPI-AE — Fri, 11 Jan 2019 14:12:59 GMT

Hey Luke,

that works, thank you!

The only thing I had to adjust was the Application in the policy rule: App any and select service tcp 11111.

Re: Destination NAT to other Port

fjwcash — Fri, 11 Jan 2019 21:25:57 GMT

In the Security Policy, you can use application=ssh and service=same service object you used in the NAT policy (11111).

Re: Destination NAT to other Port

kprewitt — Fri, 14 Feb 2020 17:58:11 GMT

All of my rules that are one NAT and one Security for a given access work, but I have a unique rule that does not seem to be working correctly. I have four NAT rules for a given public IP that use different service ports that I created destined for unique IPs with the same port.

Example:

NAT1 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-1234 service, destination translation is IP: 1.1.1.1 on Port: 2222

NAT2 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-4321 service, destination translation is IP: 1.1.1.2 on Port: 2222

NAT3 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-5678 service, destination translation is IP: 1.1.1.3 on Port: 2222

NAT4 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-2222 service, destination translation is IP: 1.1.1.4 on Port: 2222

I have one security rule that includes all four services and ANY app with the public IP and untrust/untrust zones.

Note that the only NAT rule that hits is NAT4 where the ports are the same. None of the others hit and the security rule allows traffic to only the #4 server. When users try to access with the other service ports, they get no response and NAT1-3 are currently labeled as UNUSED.

Am I going to have to divide the security rule up? Or is there something I can do to get it to recognize the different ports when they are attempted?

PAN-OS v9.0.4