Static NAT with Port Translation

L2 Linker

Static NAT with Port Translation

Dears,

I'm migrating some NAT rules from Cisco ASA to PAN Firewall. I don't know how to migrate a static NAT with port translation like the following example:

static (dmz,outside) tcp Public_IP  443 Private_IP 80 netmask 255.255.255.255

This static in ASA means the outside connection will be directed to the public IP on port 443 and ASA will divert the request to the private IP on port 80.

Do you have any idea how to do this on Palo Alto?

L6 Presenter

Re: Static NAT with Port Translation

Hello,

This guy helped me to understand NAT policy configuration with port translation:

https://www.youtube.com/watch?v=aVXzzZEgIA4

Thx,

Myky

L4 Transporter

Re: Static NAT with Port Translation

Hi,

This would be a destination NAT, so you would configure a NAT rule that has an original packet source and destination zone of 'outside', a destination address of your public IP, and the port the outside user is connecting to.

You would then configure, in the translated packet part of the rule, the destination side: put in the private IP and port that the traffic is to be translated to.

You can watch this video to help as well:

https://live.paloaltonetworks.com/t5/Videos/How-to-Configure-Destination-NAT-on-the-PAN-OS-UI/ta-p/5...

For the security rule, you will need to use the pre-NAT zone as the source zone, in this case 'outside', and the post-NAT zone, DMZ, as the destination zone.

Hope this helps,

Ben

L1 Bithead

Re: Static NAT with Port Translation

Remember to create the policy rule to allow the traffic that is being NATed. Your destination zone will be the DMZ, but your destination IP has to be the public IP. In your configuration, you may run into an SSL issue. The clients are requesting a secured connection on port 443 and you are serving them a non-secured connection on port 80.

The above videos will make it clear as well.


L2 Linker

Re: Static NAT with Port Translation

NAT Rule:

Source Zone: untrust

Dest Zone: untrust (same)

Dest Int: none

Source Address: any (you will filter by the security rule)

Dest Address: public IP assigned to the internal server

Service: http/https or whatever service you are publishing

Translated Packet

Source Translation: none

Destination Translation: private IP of the server

Destination Port: destination port of the server; if left blank it will be the same as the one specified in the "Service" above. In your case it will be the internal port where the service is responding.

Sec Policy:

Source Zone: untrust

Destination Zone: trust (or the zone where the server being published sits)

Destination Address: THE PUBLIC IP assigned

Application/port: the port that is responding externally (not the internal port where the internal server is responding)
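As an added example, not from the thread and not Palo Alto Networks' own tooling: a small Python script that parses an ASA `static` line of the form posted above and emits the three PAN-OS `set` commands the replies describe (a service object for the external port, the destination NAT rule matched on the pre-NAT zone and public IP, and the security rule matched on the pre-NAT address and port but the post-NAT zone). It also flags the 443-to-80 mismatch raised in the thread. The exact `set` syntax, the object and rule naming convention, and the `zone_map` argument are this example's assumptions and should be checked against your PAN-OS version before committing; the sample addresses are RFC 5737 documentation addresses, not real ones.

```python
"""Translate an ASA 'static' PAT line into PAN-OS destination NAT + security rules.

Example code written for this thread; the PAN-OS set-command form, the naming
scheme and the zone mapping are assumptions to review, not vendor output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASA static with port translation:
#   static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask MASK
ASA_STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d{1,5})\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\d{1,5})\s+netmask\s+(?P<mask>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass
class PortForward:
    proto: str
    real_ifc: str     # ASA interface the server sits behind (e.g. dmz)
    mapped_ifc: str   # ASA interface the public address faces (e.g. outside)
    mapped_ip: str    # public, pre-NAT address
    mapped_port: int  # public, pre-NAT port (what the client connects to)
    real_ip: str      # private, post-NAT address
    real_port: int    # private, post-NAT port (what the server listens on)


def parse_asa_static(line: str) -> PortForward:
    """Parse one ASA 'static' line with port translation; reject anything else."""
    m = ASA_STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static port-translation line: {line!r}")
    if m["mask"] != "255.255.255.255":
        # Port translation only makes sense for a single-host mapping.
        raise ValueError(f"expected a /32 host static, got netmask {m['mask']}")
    return PortForward(
        proto=m["proto"].lower(),
        real_ifc=m["real_ifc"].strip(),
        mapped_ifc=m["mapped_ifc"].strip(),
        mapped_ip=m["mapped_ip"],
        mapped_port=int(m["mapped_port"]),
        real_ip=m["real_ip"],
        real_port=int(m["real_port"]),
    )


def panos_set_commands(pf: PortForward, zone_map: Optional[Dict[str, str]] = None) -> List[str]:
    """Emit PAN-OS 'set' commands: service object, destination NAT rule, security rule.

    zone_map translates ASA interface names to PAN-OS zone names; unmapped names
    are used verbatim. Object and rule names follow this example's own convention.
    """
    zone_map = zone_map or {}
    pre_nat_zone = zone_map.get(pf.mapped_ifc, pf.mapped_ifc)  # where the client enters
    post_nat_zone = zone_map.get(pf.real_ifc, pf.real_ifc)     # where the server lives
    svc = f"svc-{pf.proto}-{pf.mapped_port}"                   # external (pre-NAT) port
    tag = f"{pf.mapped_ip.replace('.', '_')}-{pf.proto}{pf.mapped_port}"
    return [
        # Service object for the port the outside client actually connects to.
        f"set service {svc} protocol {pf.proto} port {pf.mapped_port}",
        # NAT rule is evaluated pre-NAT: both zones are the public-facing zone and the
        # destination is the public IP; only the destination side gets translated.
        f"set rulebase nat rules dnat-{tag} from {pre_nat_zone} to {pre_nat_zone} "
        f"source any destination {pf.mapped_ip} service {svc} "
        f"destination-translation translated-address {pf.real_ip} "
        f"translated-port {pf.real_port}",
        # Security rule: pre-NAT destination address and port, but post-NAT zone.
        f"set rulebase security rules allow-{tag} from {pre_nat_zone} to {post_nat_zone} "
        f"source any destination {pf.mapped_ip} application any service {svc} "
        f"action allow",
    ]


def migration_warnings(pf: PortForward) -> List[str]:
    """Flag the 443 -> non-443 case from the thread: clients expect TLS on 443."""
    warnings = []
    if pf.mapped_port == 443 and pf.real_port != 443:
        warnings.append(
            f"{pf.mapped_ip}:443 is forwarded to {pf.real_ip}:{pf.real_port}; clients will "
            "start a TLS handshake, so confirm the backend terminates TLS on that port"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample line with RFC 5737 documentation addresses.
    sample = "static (dmz,outside) tcp 203.0.113.10  443 10.10.10.20 80 netmask 255.255.255.255"
    fwd = parse_asa_static(sample)
    for cmd in panos_set_commands(fwd, zone_map={"outside": "untrust"}):
        print(cmd)
    for w in migration_warnings(fwd):
        print("WARNING:", w)
```

The script only handles the single-host `static` with port translation shown in this thread; plain `static` lines without ports, and the `nat`/`object network` syntax of ASA 8.3 and later, are rejected so that nothing is silently mistranslated.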

 

L2 Linker

Re: Static NAT with Port Translation

Dears,

Thanks all for clarifying a solution for such a NAT scenario.

I think there should be a document for different NAT scenarios to compare between ASA and PAN.

Thanks all.
