MS-RDP NAT Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MS-RDP NAT Issue

L1 Bithead

I am trying to create a static destination NAT to enable RDP access on port 3389 for one of my internal servers, but no matter what I try, it just doesn't seem to work.  I've read through several KB articles as well as https://live.paloaltonetworks.com/docs/DOC-1517 and I've set everything up as it seems it should be, yet no NAT session is ever created.

My policies:

NAT:

Policy 1:

Original Packet:

Source Zone:  untrust

Destination Zone: untrust

Destination Interface:  eth 1/1 (interface ip is 1.2.3.170/29)

Service: Any

Source Address:  Any

Destination Address:  1.2.3.172

Translated Packet:

Source Address Translation:  None

Destination Address Translation:

Translated Address:  172.16.200.11

Translated Port:  <blank>

Policy 2:

Original Packet:

Source Zone:  trust

Destination Zone:  untrust

Destination Interface:  any

Service:  any

Source Address:  172.16.200.11

Destination Address:  any

Translated Packet:

Source Address Translation:

Translation Type:  Static IP

Translated Address:  1.2.3.172

Bi-directional:  no (can't even find documentation on what this is, but I know it's supposed to be "no")

Destination Address Translation:  None

Policy 3:  Dynamic NAT policy that works properly.

Security:

Rule 1:

Source Zone: untrust

Source Address:  any

User: any

Destination Zone:  trust

Destination Address:  172.16.200.11

Application:  Remote Desktop (Application group with ms-rdp and t.120, though I've also tried with "Any")

Service:  Any

Action:  Allow

Log:  both start and end

The outbound NAT (Policy 2) portion works perfectly, and my internal server's source address is properly translated to the external address specified.  The Inbound NAT, however, does not work at all.  I don't see any security flows in the logs or anything else.

I know I'm probably missing something simple, I just can't seem to figure out what that is.

Thanks in advance for any assistance in why this doesn't seem to be working.

1 accepted solution

Accepted Solutions

L6 Presenter

Utilize the public ip address of the server (Destination Address:  172.16.200.11) in your security policy.

View solution in original post

4 REPLIES 4

L6 Presenter

Utilize the public ip address of the server (Destination Address:  172.16.200.11) in your security policy.

It's a little illogical, but it seemed to work.

It's my understanding that security rules are executed after the NAT rule (hence why your destination zone is "trust").  Why would the destination address be the external address if it's supposed to have already been translated?

Took time for me to get this down as well but essentially, 'The addresses in the security policy refer to the IP address in the original packet i.e. the pre translated address. However the destination zone is the zone where the end host is physically connected."

Ahh, I see.  That makes a bit more sense.

Thanks for the help.

  • 1 accepted solution
  • 4915 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!