Destination NAT to other Port

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Destination NAT to other Port

L4 Transporter

Hey all,

there is a ssh server in an internal network. I want to access that server from public, but with source port for example 11111. The server listens on normal ssh port 22.

So I would like the firewall to do a port translation from 11111 to 22.

Is that possible?

 

1 accepted solution

Accepted Solutions

L5 Sessionator

Hey @MPI-AE

 

Yep this is totally possible. First create a new service for tcp/11111 then create a new NAT rule as follows:

Source Zone: Untrust

Source IP: Any

Destination Zone: Untrust

Destination IP: {Public IP}

Service: New service you created for 11111 

Translated packet tab:

    Destination Translation:

        Static IP: {Private IP}

        Translated Port: 22

 

Of course you will then need a security policy rule to allow the traffic

Source Zone: Untrust

Source IP: Any (Preferable to limit this if you can)

Destination Zone: {Zone that private IP resides in, Trust etc.}

Destination IP: {Public IP}

Application: ssh

Service: application-default

 

Cheers,

Luke.

 

 

View solution in original post

4 REPLIES 4

L5 Sessionator

Hey @MPI-AE

 

Yep this is totally possible. First create a new service for tcp/11111 then create a new NAT rule as follows:

Source Zone: Untrust

Source IP: Any

Destination Zone: Untrust

Destination IP: {Public IP}

Service: New service you created for 11111 

Translated packet tab:

    Destination Translation:

        Static IP: {Private IP}

        Translated Port: 22

 

Of course you will then need a security policy rule to allow the traffic

Source Zone: Untrust

Source IP: Any (Preferable to limit this if you can)

Destination Zone: {Zone that private IP resides in, Trust etc.}

Destination IP: {Public IP}

Application: ssh

Service: application-default

 

Cheers,

Luke.

 

 

Hey Luke,

that works, thank you!

The only thing I had to adjust was the Application in the policy rule: App any and select service tcp 11111.

In the Security Policy, you can use application=ssh and service=same service object you used in the NAT policy (11111).

All of my rules that are one NAT and one Security for a given access work, but I have a unique rule that does not seem to be working correctly. I have four NAT rules for a given public IP that use different service ports that I created destined for unique IPs with the same port. 

 

Example:

NAT1 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-1234 service, destination translation is IP: 1.1.1.1 on Port: 2222

NAT2 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-4321 service, destination translation is IP: 1.1.1.2 on Port: 2222

NAT3 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-5678 service, destination translation is IP: 1.1.1.3 on Port: 2222

NAT4 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-2222 service, destination translation is IP: 1.1.1.4 on Port: 2222

 

I have one security rule that includes all four services and ANY app with the public IP and untrust/untrust zones. 

 

Note that the only NAT rule that hits is NAT4 where the ports are the same. None of the others hit and the security rule allows traffic to only the #4 server. When users try to access with the other service ports, they get no response and NAT1-3 are currently labeled as UNUSED. 

 

Am I going to have to divide the security rule up? Or is there something I can do to get it to recognize the different ports when they are attempted?

 

PAN-OS v9.0.4

 

 

  • 1 accepted solution
  • 5942 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!