Conditional NAT (Nat source when destination is A but do not Nat the source if detination is B'

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Conditional NAT (Nat source when destination is A but do not Nat the source if detination is B'

L2 Linker

HI Guys

 

This is very urgent! Wondering I can get a response quickly.

 

I have several VPN clients accessing 2 servers in DMZ. The server A has evolved and migrated to a new server which now resides in the Inside of the Firewall instead of DMZ and I need to do the destination NAT.

 

I need to do destination NAT but if I NAt the source, the same source is accessing server B which will be an issue.

 

Question- Can there be a conditional NAT that only NAT the source if source X targets server A ( source and destination NAT) but NO NAT be performed if the same source X targets Server B?is that possible (considering there are multiple sources and it will be Many to one).

 

Thank you in Advance!

 

Regards,

1 accepted solution

Accepted Solutions

Hi @R_Sharma,

 

You said

"concern- If multiple sources will be NATted on Palo Alto, the same sources still have the need to access server A which is in DMZ which will impact the access if we NAT the source, won't it?? The risk of outage matters a lot to production."

 

No, the source NAT rule for the traffic to server B will not affect the traffic to serve A. It really doesn't matter that same sources are trying to reach A or B.

 

The key point here is the destination.

- Think of the NAT rules as traffic rules - you are configuring match critires (source, destination, port) and then action for the matched traffic.

- PA NAT rules by their nature are conditional, because you have to specify the source zone, IP, deistiona zone, IP and port for the traffic that you want to NAT. Then you are specifiing the action - source or destination NAT (or both) for the traffic that matched

 

So if you create NAT rule that specify NATed_server_B address as destionation address for your matching critires only, this rule will not match any traffic to server A (or NATed_server_A).

 

Check again the config from my previous post.

View solution in original post

5 REPLIES 5

Hi @R_Sharma,

 

If I understand your request (it is bit confusing because in the subject you are talking about source NAT, but then you say you need destination and at the end you actually need twice nat 🙂 ) you just need to specify the original source and destination in your NAT rule. Something like that:

 

    "VPN-to-Server-A" {
      to Inside-zone;
      from VPN-zone;
      source Network_X;
      destination NATed_Server-A;
      destination-translation {
        translated-address Server-A;
      }
	  source-translation {
		dynamic-ip-and-port {
          translated-address NATed_Network_X;
        }
      }
      service any;
    }

You shouldn't need to specify NO-NAT rule for server B, because the above rule will only match traffic destine to Server A (or NATed Server A) address. However if you will feel more confortable you can configure separate NAT rule above the rule for server A.

Specificy again source and destination and leave the translated source and translated destination as None:

    "VPN-to-Server-B" {
      to DMZ-zone;
      from VPN-zone;
      source Network_X;
      destination Server-B;     
      service any;
    }

You can put this rule closer to the top to be sure that it will match first in any case.

 

Hi @aleksandar.astardzhiev 

 

Sorry for confusion-

Current scenario is- two servers in DMZ zone, lets say A and B. Multiple external sources (VPN) from Outside access both A & B on NATed IP.

 

Server B has evolved to lets say C and now lies in inside zone.

 

why need for destination NAT- You are right, I didn;t explain it well. I meant this is already NATed and i would need to change the current internal IP B to C.so destination would remain the same (the same NATed IP the clients targets).

 

WHy need for Source NAT- The external sources are all public IPs which are not permitted inside the network and there is no default route from inside the network and would be ugly to add so many static routes for return traffic. It appears the best is to NAT source (1, 2, 3, 4......) to one Private IP. so the need of source NAT.

 

concern- If multiple sources will be NATted on Palo Alto, the same sources still have the need to access server A which is in DMZ which will impact the access if we NAT the source,  won't it?? The risk of outage matters a lot to production.

 

so hence I am looking for if source (1, 2, 3....) targets server A in DMZ, then No Source NAT and if source 1,2,3...4 targets server B in inside, then NAT source.

 

Regards,

Hi @R_Sharma,

 

You said

"concern- If multiple sources will be NATted on Palo Alto, the same sources still have the need to access server A which is in DMZ which will impact the access if we NAT the source, won't it?? The risk of outage matters a lot to production."

 

No, the source NAT rule for the traffic to server B will not affect the traffic to serve A. It really doesn't matter that same sources are trying to reach A or B.

 

The key point here is the destination.

- Think of the NAT rules as traffic rules - you are configuring match critires (source, destination, port) and then action for the matched traffic.

- PA NAT rules by their nature are conditional, because you have to specify the source zone, IP, deistiona zone, IP and port for the traffic that you want to NAT. Then you are specifiing the action - source or destination NAT (or both) for the traffic that matched

 

So if you create NAT rule that specify NATed_server_B address as destionation address for your matching critires only, this rule will not match any traffic to server A (or NATed_server_A).

 

Check again the config from my previous post.

Quick question.  Are you sure you even need NAT?  We are talking about VPN and routes directly connected the PAN correct?  If the PAN has the routes you need, I'm guessing NAT isn't even necessary.  I see this a lot where people believe they need NAT only because that's the way they've always done it.

Hi @aleksandar.astardzhiev 

thank you very much for your help. 

 

Regards

  • 1 accepted solution
  • 6103 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!