09-29-2021 09:12 AM
What are you trying to accomplish?
I use 2 NAT rules for the same device via schedules. Off work hours, depending on the console I want to use, I change the rules for which console gets the 1:1 public IP mapping.
During work hours, when the console is sleeping or pulling updates, it can sit behind everything.
09-29-2021 09:19 AM - edited 09-29-2021 09:27 AM
I am trying to allow a printer on our network to scan to a file server folder on an external network, which is easy; I can create a NAT rule that allows this with no problem. The issue is that a print server on that same remote server has a NAT rule to allow an application from their remote network to print to the same printer on our local network. This all occurs across an IPSec tunnel on the PA, and the source and destination are NATted IPs. It's a direction issue: the scan-to-network goes from trust to VPN, and the print server to internal printer goes the other way, VPN to untrust. One printer, two functions, only works with two NAT rules, and it's not on a schedule. This solution needs to be applied to over 50 different printers.
09-29-2021 07:43 PM
You can have a device with multiple NAT rules without any issue, but the traffic will match the first matching NAT rulebase entry. In the example that you have given that wouldn't be an issue, and there are really no cons to configuring something like that.
09-30-2021 06:00 AM
So if they try to do both the printing from the application and the scan to print at the same time they will both work?
09-30-2021 12:20 PM
Okay, I went ahead and created the second NAT rule and everything seems to be working just fine. The only thing I am considering is whether there is a benefit to creating a separate security rule, since it is already using one that is on the firewall.
09-30-2021 06:56 PM
If it's working under an existing security rule then whether or not you create a separate one for it is really just an administration decision. Personally I like to keep my rulebase as detailed as possible so I know exactly what the rule is supposed to be allowing, but I know others prefer to keep a cleaner rulebase that isn't as detailed.
10-04-2021 05:57 AM - edited 10-04-2021 12:38 PM
@BPry So what is your opinion about using a bidirectional NAT on the application-to-print rule to allow access for the scan to the file folder, which I guess I would have to add the file server to? I don't like it, but my boss asked me to look at it so there aren't so many rules that need to be added.
What are the pros and cons of using a bidirectional NAT and combining these two rules? Won't it keep the application-to-printer working when the scan-to-network-folder is being used? Is a bidirectional NAT rule less secure? The scan to network would then have access to servers it doesn't even scan to, and the app to printer would have access to a file server it never uses. Anyway, I'm looking for the best way to do these two functions, both in security and in the number of rules needed.
10-04-2021 07:05 PM
I'd be hesitant to really give an opinion on that without knowing more about how the NAT entry is actually configured. Keeping in mind that bi-directional NATs effectively create the same NAT statement in reverse from the firewall's aspect, that checkbox can create security issues if not properly configured.
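To make the two points in this thread concrete (first-match NAT evaluation, and the implicit reverse entry a bidirectional static NAT adds), here is a small model of the rulebase as an added example; it is not from the thread or from PAN-OS, and all zone names and addresses are constructed placeholders. It compares the two explicit one-way rules the poster ended up with against a single bidirectional rule, and shows how the reverse entry widens which remote sources reach the printer.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for illustration only (not from the thread).
PRINTER_PRIV, PRINTER_NAT = "10.1.1.20/32", "172.16.9.20/32"
FILE_SERVER, PRINT_SERVER = "192.168.50.10/32", "192.168.50.11/32"

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    src: str                            # original source prefix, or "any"
    dst: str                            # original destination prefix, or "any"
    translated_src: Optional[str] = None  # static source translation
    translated_dst: Optional[str] = None  # static destination translation
    bidirectional: bool = False

def _in(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix)

def expand(rules):
    """Model the bidirectional checkbox on a static source NAT: the firewall
    also installs the reverse entry (destination NAT on the translated address)
    for ANY source in the opposite zone, so one rule widens who can reach the device."""
    out = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.translated_src:
            out.append(NatRule(r.name + " (implicit reverse)", r.to_zone, r.from_zone,
                               "any", r.translated_src, translated_dst=r.src))
    return out

def first_match(rules, from_zone, to_zone, src_ip, dst_ip):
    """Top-down evaluation: the first rule whose zones and original addresses
    match wins; later rules are never consulted for that flow."""
    for r in expand(rules):
        if (r.from_zone, r.to_zone) == (from_zone, to_zone) \
                and _in(r.src, src_ip) and _in(r.dst, dst_ip):
            return r.name
    return None

# Two explicit one-way rules, as the poster ended up configuring.
EXPLICIT = [
    NatRule("scan-to-folder", "trust", "vpn", PRINTER_PRIV, FILE_SERVER, translated_src=PRINTER_NAT),
    NatRule("app-to-printer", "vpn", "trust", PRINT_SERVER, PRINTER_NAT, translated_dst=PRINTER_PRIV),
]
# One bidirectional rule, as proposed to cut the rule count.
BIDIR = [NatRule("printer-static", "trust", "vpn", PRINTER_PRIV, "any",
                 translated_src=PRINTER_NAT, bidirectional=True)]
```

NAT match only decides translation; the security rulebase still has to permit the flow, which is why the poster's choice of a dedicated versus shared security rule is a separate question.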