Basic noobie question.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Basic noobie question.

Not applicable

I am looking to what I would call port address translation, but am unfamiliar with how to do it on the PA. Basically I need a public IP to route SNMP traffic to one inside address, and syslog traffic to another inside address. This will also only apply to a single host from the outside. Can someone give me high level steps to what I need to configure?

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi

This doc will come in handy Understanding PAN-OS NAT

In short you'd need two nat rules, both from untrust to untrust with the same destination (public) IP but each with it's own destination port and unique destination NAT ip address (see page 21 of the above document)

hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello

You can also find some usefull thing on video turorials Video Link : 1550

Regards

Slawek

L5 Sessionator

You Can configure following  NAT statements for same public IP:

Untrust to Untrust from any source address to your public ip_1 on 25 then translate to private ip_1 to 25

Untrust to Untrust from any source address to your public ip_1 on 443 then translate to private ip_2 to 4443

Untrust to Untrust from any source address to your public ip_1 on 80 then translate to private ip_3 to 8080

Hope this helps. Thank you.

Hello Mcocat,

You can also create a bidirectional NAT rule which looks like this:

nat.png

The source address being the private IP of the server and translated Ip being the public facing IP. This basically splits the NAT rule internally into two- one for outbound and another for inbound. You can refer to above document given by tpiens to understand this better.

Regards,

Dileep

L6 Presenter

Hi Mcocat,

Refer following document that should be enough.

Understanding PAN-OS NAT

Video Link : 1550

NAT Example:

8.8.8.8 - Host on the Internet for which you need NAT to be applicable

1.1.1.1 - Is the Public IP on Untrust

100.1.1.1 - Is the SMTP server on DMZ

SMTP service has TCP port 25 >> Which you need to create

NAT.png

You can repeat the same for other services.

Regars,

Hardik Shah

Not applicable

Wow, thank you all for the help with this. I will review the guides and advice and get this completed. I appreciate all of the help!

  • 3084 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!