topic Re: DMZ, inside, outside - is it simple thing? in General Topics

DMZ, inside, outside - is it simple thing?

mxe2fmk — Sun, 22 Mar 2020 14:39:01 GMT

Hi there.

I have a PA-200.

Internal net is 192.168.0.0/24 eth1/2 , inside L3 interface (default gw) - 192.168.0.254

One external ip address is using for outside inteface, eth1/1.

For connection to Internet I typically use pair inside-outside with:

1. NAT : dynamic-ip-and-port to outside interface address nat-rule

2. Security policy "allow from inside to outside , any dest address"

Now, I need provide access for FTP-Server. I created DMZ interface eth1/3 - 172.16.0.254/24

FTP-Server is directly-connected to DMZ-port and has ip 172.16.0.1

For this scenario i created

1. NAT : bi-directional between FTP-Server and Outside .

2. Security policy for Outside and DMZ.

What I can do as next step for provide connection between inside and DMZ?

I create security policy allow inside-dmz (to 172.16.0.0/24) and dmz-inside (to 192.168.0.0/24)

If i do ping 172.16.0.1 from 192.168.0.1 than i see that all packets are matching to first NAT-rule "inside to outside" and that is wrong way.

What is wrong in my steps? How I can exclude traffic from "default "NAT-rule. Althought I tryed create no-nat rule than it do not work.

Thank for help.

Re: DMZ, inside, outside - is it simple thing?

kiwi — Mon, 23 Mar 2020 07:47:42 GMT

Hi @mxe2fmk ,

Methinks you'll be needing U-turn NAT.

Check out the following links on the topic:

HOW TO CONFIGURE U-TURN NAT

DOTW: U-TURN NAT ISSUE

Video tutorial: U-turn NAT

Hope it helps,

-Kiwi.

Re: DMZ, inside, outside - is it simple thing?

reaper — Mon, 23 Mar 2020 12:16:34 GMT

your default NAT rule must be wrong

my guess is that you didn't add zones properly and one or all zone fields contain an ANY

your nat rules should be

FROM internet TO internet DO destination translation to FTP-internal (don't do bidirectional)

FROM lan & dmz TO internet DO dynamicIP/port sourcenat

this way your connection from 192.168 to 172.16 can never hit a NAT rule and you'll be good to go

Re: DMZ, inside, outside - is it simple thing?

Mike-K — Mon, 23 Mar 2020 13:46:13 GMT

Try the following:

- eth1/2 IP address 192.168.0.254/24
- eth1/3 IP address 172.16.0.254/24
- Create a service group object with all the ports for the FTP service. [svc-group-ftp]
- FTP server's IP 172.16.0.1/24 and gateway 172.16.0.254
- Security rule to allow desired traffic from inside to DMZ, and from DMZ to inside. This one you have already.
- Source NAT rule dynamic-ip-and-port from DMZ to outside eth1/1 to enable the FTP server to access the internet. Same as the one you have for inside zone but for DMZ. You can also keep the one you have and add the DMZ zone in the src zones.
- Destination NAT rule for outside traffic to your DMZ
src zone outside, dst zone outside, dst interface eth1/1, service [svc-group-ftp], src address any, dst address [your-public-ip], src transation none, dst transation static ip 172.16.0.1
- Security rule to allow outside traffic to DMZ FTP server
src zone outside, src address any, dst zone dmz, dst address [your-public-ip], application any, service [svc-group-ftp]

Re: DMZ, inside, outside - is it simple thing?

mxe2fmk — Mon, 23 Mar 2020 19:01:22 GMT

I found out that U-turn NAT is possible scenario for one-zone ( inside ), and isn't for using with inside-dmz pair.

Re: DMZ, inside, outside - is it simple thing?

mxe2fmk — Mon, 23 Mar 2020 19:07:42 GMT

Only one NAT rule

name: NATbase

src zone: inside

dst zone: outside

dest int: eth1/1

src addr: any

dst addr: any

service: any

src translation: dynamic-ip-port, eth1/1 , outside_ip

Re: DMZ, inside, outside - is it simple thing?

mxe2fmk — Mon, 23 Mar 2020 19:13:33 GMT

Ok, I unerstand this example.

Could You please additional moment - what's about NAT rule "inside to outside"?