topic What is the destination NAT configuration for Ping & trace-rout in General Topics

What is the destination NAT configuration for Ping & trace-rout

Mohammed_Yasin — Thu, 25 Jun 2020 11:19:42 GMT

Need to allow ping & trace route from Internet(outside) to Trust (Inside).

What need to be configured in Destination NAT to allow ping & traceroute ?

Re: What is the destination NAT configuration for Ping & trace-rout

Mohammed_Yasin — Thu, 25 Jun 2020 14:25:14 GMT

Continue of same...

security policy section we allow the ping & trace route application.

What is the service should be allowed in NAT policy for ping & trace-route ?

I do not want to configure ‘any any’ service in NAT policy to allow ping & trace-route ?

Re: What is the destination NAT configuration for Ping & trace-rout

shawnhafen — Thu, 25 Jun 2020 18:23:18 GMT

If you are using the app-id/layer 7 in the policy then recommend using "Application default" for the service. You should not have to specify ports unless they are non-standard for the application in question.

Re: What is the destination NAT configuration for Ping & trace-rout

Mohammed_Yasin — Thu, 25 Jun 2020 20:35:32 GMT

Thanks for the update..

Already I am using the application default...

But its I can use service in NAT policy instead of ANY and I want to use multiple services in nat policy rule.. it's possible to have in Orignal packet translation section

Its recommended ?

Re: What is the destination NAT configuration for Ping & trace-rout

Mohammed_Yasin — Thu, 25 Jun 2020 20:36:23 GMT

Thanks for the update. Already I am using the application default... But its I can use service in NAT policy instead of ANY and I want to use multiple services in the nat policy rule. it's possible to have in the Orignal packet translation section Its recommended?

Re: What is the destination NAT configuration for Ping & trace-rout

BPry — Thu, 25 Jun 2020 21:32:08 GMT

@Mohammed_Yasin,

I don't believe this is possible without an 'any' service entry. ICMP traffic doesn't function on a L4 basis. The firewall takes the ID and sequence fields from the ICMP header and treats them the same as if they were ports, which is why setting the service to any works fine. PAN doesn't really have true support for making an ICMP NAT entry.

Re: What is the destination NAT configuration for Ping & trace-rout

Mohammed_Yasin — Sun, 28 Jun 2020 06:10:04 GMT

Thanks for the update,

and for traceRoute in Nat Policy ?

Re: What is the destination NAT configuration for Ping & trace-rout

BPry — Sun, 28 Jun 2020 16:37:50 GMT

@Mohammed_Yasin,

Depends on the system, as it's implemented differently between operating systems. Windows exclusively utilizes ICMP, so you would fall into the same scenario. Unix systems will actually utilize 33434-33534/UDP by default, but have options for using ICMP or even TCP depending on how the command is run.

Generally speaking traceroute will follow the same as ICMP; it won't work reliably unless you open all available ports via your NAT rulebase, and that's really very ill-advised when you're talking about allowing traffic inbound.

Should have probably started with this, but what are you actually trying to achieve with this setup? So take away ICMP or traceroute, because at the moment we don't care about them. What were you trying to do with this setup? Some sort of status check on internal clients from an external resource?