Can't get NAT/Security rule to work with multiple ports

PA220 on PANOS 10.1.10-h5

Have an NVR that needs 6x ports accessible from the outside - 3 TCP and 3 UDP. I set up 6x new services and then put them into a service group called NVR Services.

Created a security rule 'Allow incoming to NVR' from the untrust zone, any address, any user, any source device, to the 'Camera' security zone, with a destination address of the outside static IP address as well as the internal IP address of the NVR. Application any (for now), and the rest just any, wide open, etc.

On the NAT rule:

  • Original Packet tab
    • Source zone: Untrust
    • Destination zone: Untrust
    • Destination interface: Any
    • Service: NVR Services
    • Source address: Any
    • Destination address: Public IP
  • Translated Packet tab
    • Source address translation: None
    • Destination address translation
      • Translation type: Static
      • Translated address: Internal IP
      • Translated port: <blank>

On the security rule:

  • Source
    • Zone: Untrust
    • Rest: Any
  • Destination
    • Zone: Cameras
    • Address: Public IP and internal IP
    • Device: Any
  • Application: Any
  • Service/URL: Any

I cannot connect when it is set as described above. It will connect if I change the NAT original packet service to any.

It will also not connect if I leave the NAT service at any and change the security rule's service/URL category to the 'NVR Services' group.

I don't know what I am missing so that only the 3x TCP and 3x UDP ports are allowed to this device.

Appreciate any insight on what I might be missing. Thanks!

2 replies

Community Team Member

Hi @inSync-MarkValpreda,

Quick question: are the NVR services standard ports, given that the translated port is <blank>?

It doesn't look like you're forwarding a nonstandard port from the internet through your firewall down to your server located in the Security zone. If that's the case, you could just filter services via the 'Allow incoming to NVR' Security policy and keep your DNAT rule at any service.

LIVEcommunity team member
Stay Secure,
Jay

I wound up finding my issue. I had both destination AND source ports defined in my service objects. Once I got rid of the source port, everything started working. Rookie mistake.

  • 896 Views
  • 2 replies
  • 0 Likes
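A worked model of the two behaviours at play in this thread (the NAT and security rule layout in the question, and the source-port root cause in the final reply), added here as an illustration; it is not code from Palo Alto Networks or from anyone in the thread. It models the PAN-OS evaluation order, where the security policy is matched against the post-NAT destination zone but the pre-NAT destination address, and the service match, where a service object that has a source port set must also match the client's source port. The addresses (203.0.113.10, 192.168.50.20, 198.51.100.7), the zone names, and port 554 are assumptions; the sample flows are constructed.

```python
"""Model of PAN-OS NAT and security policy matching for an inbound DNAT flow.

Added illustration, not Palo Alto Networks code. Addresses, zones and port
numbers are assumptions chosen to mirror the thread.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

PUBLIC_IP = "203.0.113.10"     # assumed public IP (RFC 5737 documentation range)
INTERNAL_IP = "192.168.50.20"  # assumed NVR address in the Cameras zone


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                                # "tcp" or "udp"
    dst_ports: Tuple[int, ...]
    src_ports: Optional[Tuple[int, ...]] = None  # None == any, the GUI default

    def matches(self, proto: str, src_port: int, dst_port: int) -> bool:
        if proto != self.protocol or dst_port not in self.dst_ports:
            return False
        # The mistake from the thread: a pinned source port must also match,
        # and a real client picks an ephemeral source port at random.
        return self.src_ports is None or src_port in self.src_ports


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    src_port: int
    dst_zone: str   # zone of the destination address by route lookup
    dst_ip: str
    dst_port: int
    proto: str


def any_service(services: Optional[Sequence[Service]], f: Flow) -> bool:
    """Service match helper; None means the rule's service field is 'any'."""
    return services is None or any(
        s.matches(f.proto, f.src_port, f.dst_port) for s in services)


@dataclass
class NatRule:
    src_zone: str
    dst_zone: str                 # Original Packet tab: zone of the pre-NAT address
    dst_ip: str
    services: Optional[Sequence[Service]]
    translated_ip: str
    translated_zone: str          # zone the translated address routes to

    def apply(self, f: Flow) -> Flow:
        """Return the post-NAT flow, or the same flow object if the rule misses."""
        if not (f.src_zone == self.src_zone and f.dst_zone == self.dst_zone
                and f.dst_ip == self.dst_ip and any_service(self.services, f)):
            return f
        # Static DNAT with a blank translated port keeps the destination port.
        return Flow(f.src_zone, f.src_ip, f.src_port,
                    self.translated_zone, self.translated_ip, f.dst_port, f.proto)


@dataclass
class SecurityRule:
    src_zone: str
    dst_zone: str                      # matched against the POST-NAT zone
    dst_ips: Sequence[str]             # matched against the PRE-NAT address
    services: Optional[Sequence[Service]] = None

    def allows(self, original: Flow, translated: Flow) -> bool:
        return (original.src_zone == self.src_zone
                and translated.dst_zone == self.dst_zone
                and original.dst_ip in self.dst_ips
                and any_service(self.services, original))


def evaluate(f: Flow, nat: NatRule, sec: SecurityRule) -> Tuple[bool, bool]:
    """(nat_matched, permitted) for one inbound flow."""
    translated = nat.apply(f)
    return translated is not f, sec.allows(f, translated)


# Service objects: the thread's broken form pins the source port as well.
BROKEN_RTSP = Service("nvr-rtsp", "tcp", (554,), src_ports=(554,))
FIXED_RTSP = Service("nvr-rtsp", "tcp", (554,))

# Constructed sample flows: an internet client hitting the public IP from an
# ephemeral source port, on an allowed port and on a port that is not listed.
CLIENT = Flow("Untrust", "198.51.100.7", 51234, "Untrust", PUBLIC_IP, 554, "tcp")
TELNET = Flow("Untrust", "198.51.100.7", 51235, "Untrust", PUBLIC_IP, 23, "tcp")


def build(nat_services, sec_services) -> Tuple[NatRule, SecurityRule]:
    nat = NatRule("Untrust", "Untrust", PUBLIC_IP, nat_services, INTERNAL_IP, "Cameras")
    sec = SecurityRule("Untrust", "Cameras", (PUBLIC_IP, INTERNAL_IP), sec_services)
    return nat, sec


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Reproduce the thread's three observations, the fix, and the intended block."""
    return {
        "svc in NAT, pinned src port": evaluate(CLIENT, *build((BROKEN_RTSP,), None)),
        "NAT any, svc in security, pinned src port": evaluate(CLIENT, *build(None, (BROKEN_RTSP,))),
        "NAT any, security any": evaluate(CLIENT, *build(None, None)),
        "fixed svc, filtered in security policy": evaluate(CLIENT, *build(None, (FIXED_RTSP,))),
        "fixed svc, port not in list": evaluate(TELNET, *build(None, (FIXED_RTSP,))),
    }


if __name__ == "__main__":
    for case, (nat_hit, allowed) in demo().items():
        print(f"{case:45} NAT={'hit' if nat_hit else 'miss'} policy={'allow' if allowed else 'deny'}")
```

The first two cases reproduce the failures in the question: with the source port pinned, the flow misses the NAT rule (so it is never moved into the Cameras zone and the Untrust-to-Cameras security rule cannot match), or passes NAT and is then dropped by the security rule's service match. The last two cases show the working layout the Community reply suggests: DNAT with service any, and the port list enforced in the security policy using service objects that leave Source Port empty. Because the security policy matches the pre-NAT address, the Public IP entry is the one doing the work in the destination field; the Internal IP entry is harmless but not needed for this rule.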