U-NAT Double NAT - DNAT

Metgatz — Sun, 15 Aug 2021 23:31:36 GMT

Good morning, first of all thank you very much for your support.

I have the following case scenario:

FQDN: Dyndns ( paloalto01xxxalias.dynalias.net )
Modem/router/ADSL dynamic IP Public
Modem/router/ADSL LAN IP 192.160.1.254
Modem/router/ADSL NAT1-1 to Palo Alto Wan External Interface
Palo Alto Wan Interface 192.168.1.74 Gateway: 192.168.1.254

Palo Alto Dnat 192.168.1.74 port 9000 to LAN ( Palo Alto Lan ) 192.100.11.90 Port 9000.

Palo Alto Dnat 192.168.1.74 port 8000 to LAN ( Palo Alto Lan ) 192.100.11.90 Port 8000.

Internet----FQDN-Dyndns-----WAN:dynamic IP Public-Modem/router/ADSL---NAT:1:1----WAN Palo Alto Palo Alto----LAN Palo ALto----- 192.100.11.90 and 192.100.11.80 ( LAN Servers ).

DNAT details:
-DNAT External zone ---- 192.168.1.74 ---- LAN zone ---- IP 192.100.11.90.
Services: TCP_9000 ( TCP:9000 )---Operates OK from outside.

-DNAT External zone ---- 192.168.1.74 ---- LAN zone ---- IP 192.100.11.80
Services: TCP_8000 ( TCP:8000 )---Operates OK from outside.

When I perform the DNAT, from the outside it operates correctly OK. Since the connections when arriving and entering to the modem, pointing to the FQDN of dyndns, when arriving to the Modem/Router are nated to the Palo Alto to its WAN interface, the high stick then applies the DNAT ( detailed above ) and forwards it to the IP 192.100.11.90:9000 and 192.100.11.80:8000 this OK, correctly.

The problem occurs when, from the local network 192.100.11.0/24 and the other two networks 192.100.13.0/24 and 192.100.14.0/24, you try to go to the FQDN paloalto01xxxalias.dynalias.net the DNAT is not applied.

Try to perform a U-NAT as I have applied in other cases, from other firewalls.
In this case I have a DOUBLE NAT, the equipment MODEM/Router ( Nat:1:1 ) and the firewall Palo Alto, therefore if I try to apply the UNAT, in theory it is like that:

Source: LAN Network, LAN2 Network, LAN3 Network
Destination: External WAN: 192.168.1.74 ( IP wan of the Palo Alto )
Service: TCP:8000 port
Then 192.100.11.80 ( LAN IP ) Port 8000. This does not work because I must and need to reach the FQDN paloalto01xxxalias.dynalias.net, not the WAN IP of Palo Alto, and from there the NAT must go down.

Try to perform another U-NAT, as follows:

First create an address object as FQDN: paloalto01xxxalias.dynalias.net.

Generate the Dnat rule as follows:

Source: LAN Network, LAN2 Network, LAN3 Network
Destination: External WAN Destination Address FQDN: paloalto01xxxalias.dynalias.net
Service: TCP:8000 port
Destination Translate ( 192.168.1.74) 8000 tcp Port

And this didn't work either.

Please your help and support, to see how I can do that from the LAN networks to reach the FQDN paloalto01xxxalias.dynalias.net and that the DNAT is applied correctly.
From external networks and from the outside, if it works correctly.

Thank you very much, I remain attentive, best regards.

Re: U-NAT Double NAT - DNAT

SutareMayur — Mon, 16 Aug 2021 06:23:09 GMT

Hi @Metgatz ,

You can verify below KB article which gives all the steps to allow such traffic flow.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

Hope it helps!

topic U-NAT Double NAT - DNAT in General Topics

U-NAT Double NAT - DNAT

Re: U-NAT Double NAT - DNAT