12-02-2019 07:08 AM
BI-DIRECTIONAL NAT IN PALO ALTO
Go to Policies > NAT > Add
Create a NAT Rule:
Go to Policies > Security > Add
Create a Security Rule:
Commit the changes and test the rule. Also take care of the rule priority and placement of the rules.
12-02-2019 04:01 PM
Thanks @Aashish74 for this. This can be good for people wanting some basics.
Soon, we may have additional tools like Iron Skillets that can help accomplish things like this.
For anyone who wants to know more about Iron Skillets, please look at these blogs:
Also there is information about Expedition here that will work with Iron Skillet.
12-03-2019 06:15 AM
Although in general this may work, there are a few points in the workflow that are not quite a best practice and can be misleading.
Bi-directional is generally not recommended as you don’t have full control of the return traffic. Packets will be translated correctly from LAN to WAN, but in the opposite direction, they will match any zone to WAN, which could complicate things if you have multiple zones.
I would always recommend having a specific inbound destination NAT rule to your servers and a generic source NAT outbound if your servers need to connect to the Internet.
The second point is that you suggest adding a service to the bidirectional NAT rule, which means that the rule will match only this service port for both the inbound and outbound translation. This kind of defeats the purpose of bi-direction, as you presumably want to configure it for outbound internet traffic for your server.
Next, your security rule will match the inbound packets to the server, but not outbound from the server.
Finally, it is not a good practice to configure the same multiple zones in source and destination.
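The split recommended above (a specific inbound destination NAT plus a generic outbound source NAT, each with its own directional security rule) written out as PAN-OS configure-mode `set` commands. This is an added example, not configuration from the original post or from Palo Alto Networks; the zone names (`untrust`, `dmz`, `trust`), the interface `ethernet1/1`, the public address 203.0.113.10 and the server address 10.1.1.10 are constructed placeholders, and the command syntax is reproduced from the general PAN-OS set-command format, so confirm each line with `?` in configure mode before committing. Lines starting with `#` are annotations, not CLI input.

```text
# --- Inbound: specific destination NAT for one server ---
# The "to" zone is untrust because zone matching for NAT uses the pre-NAT
# destination (the public IP), which routes out of the untrust zone.
# Limiting "from" to untrust is what the bi-directional rule cannot do:
# its implicit reverse rule would accept the translation from any zone.
set rulebase nat rules Inbound-Web from untrust to untrust source any destination 203.0.113.10 service service-https destination-translation translated-address 10.1.1.10

# --- Outbound: generic source NAT for the whole DMZ (and LAN) ---
# No service restriction here, so the server can reach the Internet on
# any port its security rule allows; one rule covers every internal host.
set rulebase nat rules Outbound-SNAT from [ dmz trust ] to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# --- Security policy, one rule per direction ---
# Security rules match the PRE-NAT destination address but the POST-NAT
# destination zone, so the inbound rule names the public IP and the dmz zone.
set rulebase security rules Allow-Web-In from untrust to dmz source any destination 203.0.113.10 application [ ssl web-browsing ] service application-default action allow

# Outbound traffic from the server is a separate rule; the inbound rule
# above does not match it, which is the gap noted in the reply above.
set rulebase security rules Allow-DMZ-Out from dmz to untrust source 10.1.1.10 destination any application [ ssl web-browsing dns ] service application-default action allow

# Review the ordering before committing: the specific inbound NAT rule must
# sit above any generic rule that could also match the public address.
show rulebase nat rules
commit
```

Because the inbound NAT rule only matches sessions arriving from `untrust`, a host in another internal zone that sends traffic to 203.0.113.10 is not silently translated to the server the way it would be by the reverse half of a bi-directional rule; that traffic simply follows the normal routing and policy for its own zone.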
12-03-2019 09:03 PM
@BatD Thanks for the details and insight provided !!