<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: 2 NAT rules on device in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437430#M97423</link>
    <description>&lt;P&gt;What are you trying to accomplish?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I use 2 NAT rules for the same device via schedules. Off work hours, depending on the console I want to use I change the rules for which console gets 1:1 public IP mapping.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;During work hours when the console is sleeping, or pulling updates, it can sit behind everything.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 29 Sep 2021 16:12:43 GMT</pubDate>
    <dc:creator>LAYER_8</dc:creator>
    <dc:date>2021-09-29T16:12:43Z</dc:date>
    <item>
      <title>2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437427#M97422</link>
      <description>&lt;P&gt;Can anyone tell me the pros and cons of having two nat rules for one device?&lt;/P&gt;</description>
      <pubDate>Wed, 29 Sep 2021 16:06:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437427#M97422</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2021-09-29T16:06:26Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437430#M97423</link>
      <description>&lt;P&gt;What are you trying to accomplish?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I use 2 NAT rules for the same device via schedules. Off work hours, depending on the console I want to use I change the rules for which console gets 1:1 public IP mapping.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;During work hours when the console is sleeping, or pulling updates, it can sit behind everything.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 29 Sep 2021 16:12:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437430#M97423</guid>
      <dc:creator>LAYER_8</dc:creator>
      <dc:date>2021-09-29T16:12:43Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437440#M97425</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/160615"&gt;@LAYER_8&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to allow a printer on our network to scan to a file server folder on an external network, which is easy; I can create a NAT rule that allows this with no problem. The issue is that a print server on that same remote server has a NAT rule to allow an application from their remote network to print to the same printer on our local network. This all occurs across an IPSec tunnel on the PA, and the source and destination are NATted IPs. It's a direction issue: the scan to network goes from trust to VPN, and the print server to internal printer goes the other way, VPN to untrust. One printer, two functions, only works with two NAT rules, and it's not on a schedule; this solution needs to be applied to over 50 different printers.&lt;/P&gt;</description>
      <pubDate>Wed, 29 Sep 2021 16:27:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437440#M97425</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2021-09-29T16:27:19Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437561#M97437</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719"&gt;@jdprovine&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;You can have a device with multiple NAT rules without any issue, but the traffic will match the first matching NAT rulebase entry. In the example that you have given that wouldn't be an issue, and there are really no cons to configuring something like that.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 30 Sep 2021 02:43:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437561#M97437</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-09-30T02:43:54Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437693#M97448</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So if they try to do both the printing from the application and the scan to print at the same time they will both work?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 30 Sep 2021 13:00:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437693#M97448</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2021-09-30T13:00:44Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437858#M97461</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Okay, I went ahead and created the second NAT rule and everything seems to be working just fine. The only thing I am considering is if there is a benefit to creating a separate security rule, since it is already using one that is on the firewall.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Sep 2021 19:20:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437858#M97461</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2021-09-30T19:20:32Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437938#M97483</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719"&gt;@jdprovine&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;If it's working under an existing security rule then whether or not you create a separate one for it is really just an administration decision. Personally I like to keep my rulebase as detailed as possible so I know exactly what the rule is supposed to be allowing, but I know others prefer to keep a cleaner rulebase that isn't as detailed.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 01 Oct 2021 01:56:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/437938#M97483</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-10-01T01:56:08Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/438428#M97536</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;So what is your opinion about using a bidirectional NAT on the application to print rule to allow access for the scan to the file folder, which I guess I would have to add the file server too. I don't like it, but my boss asked me to look at it so there aren't so many rules that need to be added.&lt;/P&gt;&lt;P&gt;What are the pros and cons of using a bidirectional NAT and combining these two rules, won't it keep the application to printer when the scan to network folder is being used? Is a bidirectional NAT rule less secure? The scan to network would then have access to servers it doesn't even scan to, as well as the app to printer would have access to a file server it never uses. Anyway, looking for the best way to do these two functions, both in security and number of rules needed.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Oct 2021 19:38:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/438428#M97536</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2021-10-04T19:38:30Z</dc:date>
    </item>
    <item>
      <title>Re: 2 NAT rules on device</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/438660#M99452</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719"&gt;@jdprovine&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I'd be hesitant to really give an opinion on that without knowing more about how the NAT entry is actually configured. Keeping in mind that bi-directional NATs effectively create the same NAT statement in reverse from the firewall's aspect, that checkbox can create security issues if not properly configured.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Oct 2021 02:05:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/2-nat-rules-on-device/m-p/438660#M99452</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-10-05T02:05:59Z</dc:date>
    </item>
  </channel>
</rss>

