2 NAT rules on device

L4 Transporter

Can anyone tell me the pros and cons of having two nat rules for one device?

8 REPLIES

L5 Sessionator

What are you trying to accomplish?

I use 2 NAT rules for the same device via schedules. Off work hours, depending on the console I want to use, I change the rules for which console gets the 1:1 public IP mapping.

During work hours, when the console is sleeping or pulling updates, it can sit behind everything.

Help the community! Add tags and mark solutions please.

@LAYER_8 

I am trying to allow a printer on our network to scan to a file server folder on an external network, which is easy: I can create a NAT rule that allows this with no problem. The issue is that a print server on that same remote server has a NAT rule to allow an application from their remote network to print to the same printer on our local network. This all occurs across an IPSec tunnel on the PA, and the source and destination are NATted IPs. It's a direction issue: the scan-to-network goes from trust to VPN, and the print server to internal printer goes the other way, VPN to untrust. One printer, two functions, only works with two NAT rules, and it is not on a schedule; this solution needs to be applied to over 50 different printers.

Cyber Elite

@jdprovine,

You can have a device with multiple NAT rules without any issue, but the traffic will match the first matching NAT rulebase entry. In the example that you have given that wouldn't be an issue, and there are really no cons to configuring something like that.

@BPry 

So if they try to do both the printing from the application and the scan to print at the same time, will they both work?

@BPry 

Okay, I went ahead and created the second NAT rule and everything seems to be working just fine. The only thing I am considering is whether there is a benefit to creating a separate security rule, since it is already using one that is on the firewall.

@jdprovine,

If it's working under an existing security rule, then whether or not you create a separate one for it is really just an administration decision. Personally I like to keep my rulebase as detailed as possible so I know exactly what the rule is supposed to be allowing, but I know others prefer to keep a cleaner rulebase that isn't as detailed.

@BPry So what is your opinion about using a bidirectional NAT on the application-to-print rule to allow access for the scan to the file folder, which I guess I would have to add the file server to? I don't like it, but my boss asked me to look at it so there aren't so many rules that need to be added.

What are the pros and cons of using a bidirectional NAT and combining these two rules? Won't it keep the application-to-printer when the scan-to-network-folder is being used? Is a bidirectional NAT rule less secure? The scan-to-network would then have access to servers it doesn't even scan to, as well as the app-to-printer would have access to a file server it never uses. Anyway, looking for the best way to do these two functions, both in security and number of rules needed.

Cyber Elite

@jdprovine,

I'd be hesitant to really give an opinion on that without knowing more about how the NAT entry is actually configured. Keeping in mind that bi-directional NATs effectively create the same NAT statement in reverse from the firewall's aspect, that checkbox can create security issues if not properly configured.
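The two points raised in this thread, that a device can sit under several NAT rules and traffic simply takes the first match, and that a bi-directional static NAT silently adds the reverse statement, are easy to see in a small model. The following is an added illustration written for this page, not PAN-OS code and not anything posted by the participants: it is a toy NAT rulebase evaluator with first-match semantics, in which a bi-directional static source NAT expands into an implicit reverse destination-NAT entry that matches any source in the reverse direction. Zone names (trust, vpn), the printer, file server and print server addresses, and the simplification that the reverse entry matches "any" source are all constructed assumptions for the demonstration.

```python
"""Toy model of first-match NAT evaluation and bi-directional expansion.

Added example for this thread; not PAN-OS code. Addresses are constructed
from RFC 1918 space and zone names are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    src_ip: str                          # pre-NAT source, or "any"
    dst_ip: str                          # pre-NAT destination, or "any"
    translated_src: Optional[str] = None # static source NAT
    translated_dst: Optional[str] = None # destination NAT
    bidirectional: bool = False          # the checkbox discussed above

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.src_ip in ("any", f.src_ip)
                and self.dst_ip in ("any", f.dst_ip))


def expand(rules: List[NatRule]) -> List[NatRule]:
    """Effective rulebase: a bi-directional static source NAT also yields an
    implicit reverse entry (translated_src -> src_ip). In this model the
    reverse entry is not scoped to any particular remote source (assumption)."""
    out: List[NatRule] = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.translated_src:
            out.append(NatRule(
                name=r.name + " (implicit reverse)",
                src_zone=r.dst_zone, dst_zone=r.src_zone,
                src_ip="any", dst_ip=r.translated_src,
                translated_dst=r.src_ip))
    return out


def first_match(rules: List[NatRule], flow: Flow) -> Optional[NatRule]:
    """Top-down, first matching entry wins; later entries are never consulted."""
    for r in expand(rules):
        if r.matches(flow):
            return r
    return None


# Constructed scenario: one internal printer, two functions across the tunnel.
PRINTER = "10.1.1.50"          # real printer address in zone trust
PRINTER_MAPPED = "172.16.0.50" # address the remote side sees for the printer
FILE_SERVER = "192.168.100.10" # remote scan-to-folder target, zone vpn
PRINT_SERVER = "192.168.100.20"  # remote host allowed to print, zone vpn
STRANGER = "192.168.100.99"    # any other remote host

SCAN = Flow("trust", "vpn", PRINTER, FILE_SERVER)
PRINT = Flow("vpn", "trust", PRINT_SERVER, PRINTER_MAPPED)
UNRELATED = Flow("vpn", "trust", STRANGER, PRINTER_MAPPED)


def explicit_rules() -> List[NatRule]:
    """Two rules for one device, one per direction, each scoped to its peer."""
    return [
        NatRule("scan-to-fileserver", "trust", "vpn", PRINTER, FILE_SERVER,
                translated_src=PRINTER_MAPPED),
        NatRule("app-to-printer", "vpn", "trust", PRINT_SERVER, PRINTER_MAPPED,
                translated_dst=PRINTER),
    ]


def bidir_rules() -> List[NatRule]:
    """One rule with the bi-directional box ticked instead of a second rule."""
    return [
        NatRule("scan-to-fileserver", "trust", "vpn", PRINTER, FILE_SERVER,
                translated_src=PRINTER_MAPPED, bidirectional=True),
    ]


def matched_name(rules: List[NatRule], flow: Flow) -> Optional[str]:
    r = first_match(rules, flow)
    return r.name if r else None


if __name__ == "__main__":
    for label, rules in (("explicit", explicit_rules()), ("bidirectional", bidir_rules())):
        for fname, flow in (("scan", SCAN), ("print", PRINT), ("unrelated", UNRELATED)):
            print(f"{label:13} {fname:9} -> {matched_name(rules, flow)}")
```

With the two explicit rules, the scan and print flows each hit their own entry and an unrelated remote host has no NAT entry at all. With the single bi-directional rule, the print flow still works, but so does the unrelated host, because the implicit reverse entry is keyed only on the mapped address. That is the configuration point behind the caution above: once the reverse statement exists, scoping who may reach the printer falls entirely on the security policy, and the rule order matters because the first matching entry is the one that applies.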
