07-21-2019 11:10 PM
Hi Guys
This is very urgent! Wondering if I can get a response quickly.
I have several VPN clients accessing 2 servers in DMZ. Server A has evolved and migrated to a new server which now resides on the Inside of the firewall instead of the DMZ, and I need to do destination NAT.
I need to do destination NAT, but if I NAT the source, the same source is also accessing server B, which will be an issue.
Question: Can there be a conditional NAT that only NATs the source if source X targets server A (source and destination NAT), but NO NAT is performed if the same source X targets server B? Is that possible (considering there are multiple sources and it will be many to one)?
Thank you in Advance!
Regards,
07-23-2019 01:00 AM
Hi @R_Sharma,
You said
"concern- If multiple sources will be NATted on Palo Alto, the same sources still have the need to access server A which is in DMZ which will impact the access if we NAT the source, won't it?? The risk of outage matters a lot to production."
No, the source NAT rule for the traffic to server B will not affect the traffic to server A. It really doesn't matter that the same sources are trying to reach A or B.
The key point here is the destination.
- Think of the NAT rules as traffic rules - you are configuring match criteria (source, destination, port) and then the action for the matched traffic.
- PA NAT rules by their nature are conditional, because you have to specify the source zone, IP, destination zone, IP and port for the traffic that you want to NAT. Then you are specifying the action - source or destination NAT (or both) for the traffic that matched.
So if you create a NAT rule that specifies the NATed_server_B address as the destination address in your matching criteria only, this rule will not match any traffic to server A (or NATed_server_A).
Check again the config from my previous post.
07-22-2019 12:29 AM - edited 07-22-2019 12:31 AM
Hi @R_Sharma,
If I understand your request (it is a bit confusing because in the subject you are talking about source NAT, but then you say you need destination and at the end you actually need twice NAT 🙂 ) you just need to specify the original source and destination in your NAT rule. Something like this:
"VPN-to-Server-A" {
  to Inside-zone;
  from VPN-zone;
  source Network_X;
  destination NATed_Server-A;
  destination-translation {
    translated-address Server-A;
  }
  source-translation {
    dynamic-ip-and-port {
      translated-address NATed_Network_X;
    }
  }
  service any;
}
You shouldn't need to specify a NO-NAT rule for server B, because the above rule will only match traffic destined to the Server A (or NATed Server A) address. However, if you will feel more comfortable, you can configure a separate NAT rule above the rule for server A.
Specify again source and destination and leave the translated source and translated destination as None:
"VPN-to-Server-B" {
  to DMZ-zone;
  from VPN-zone;
  source Network_X;
  destination Server-B;
  service any;
}
You can put this rule closer to the top to be sure that it will match first in any case.
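An added example (not from the thread and not Palo Alto code) that mimics the first-match evaluation the two rules above rely on, with constructed addresses for Network_X, NATed_Server-A, Server-A, Server-B and NATed_Network_X; it assumes the caller supplies the from/to zones of a flow and shows that the source translation only fires for flows whose original destination is NATed_Server-A, whether or not the NO-NAT rule for server B is present.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample address objects (assumption, not values from the thread).
OBJECTS = {
    "Network_X":       ipaddress.ip_network("203.0.113.0/24"),   # VPN client sources
    "NATed_Server-A":  ipaddress.ip_network("198.51.100.10/32"), # address the clients target
    "Server-A":        ipaddress.ip_network("10.10.0.10/32"),    # real host on the Inside
    "Server-B":        ipaddress.ip_network("172.16.0.20/32"),   # untouched host in DMZ
    "NATed_Network_X": ipaddress.ip_network("10.10.0.250/32"),   # dynamic-ip-and-port pool
}

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str
    destination: str
    dst_translation: Optional[str] = None  # destination-translation translated-address
    src_translation: Optional[str] = None  # dynamic-ip-and-port translated-address

def _matches(rule, from_zone, to_zone, src_ip, dst_ip):
    """All four match criteria (zones, source, original destination) must fit."""
    return (rule.from_zone == from_zone and rule.to_zone == to_zone
            and src_ip in OBJECTS[rule.source] and dst_ip in OBJECTS[rule.destination])

def apply_nat(rules, from_zone, to_zone, src, dst):
    """First-match evaluation: the first rule whose criteria fit decides the
    action and later rules are ignored. Returns (rule name, new src, new dst)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, from_zone, to_zone, src_ip, dst_ip):
            new_src = OBJECTS[rule.src_translation][0] if rule.src_translation else src_ip
            new_dst = OBJECTS[rule.dst_translation][0] if rule.dst_translation else dst_ip
            return rule.name, str(new_src), str(new_dst)
    return None, src, dst  # no rule matched: traffic passes untranslated

# The two rules from the post above, NO-NAT rule for server B placed first.
RULEBASE = [
    NatRule("VPN-to-Server-B", "VPN-zone", "DMZ-zone", "Network_X", "Server-B"),
    NatRule("VPN-to-Server-A", "VPN-zone", "Inside-zone", "Network_X", "NATed_Server-A",
            dst_translation="Server-A", src_translation="NATed_Network_X"),
]

if __name__ == "__main__":
    print(apply_nat(RULEBASE, "VPN-zone", "Inside-zone", "203.0.113.7", "198.51.100.10"))
    print(apply_nat(RULEBASE, "VPN-zone", "DMZ-zone", "203.0.113.7", "172.16.0.20"))
```

Dropping the first rule (`RULEBASE[1:]`) leaves the server B flow unmatched and therefore still untranslated, which is the point made in the reply above.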
07-22-2019 04:02 AM
Sorry for the confusion.
Current scenario: two servers in the DMZ zone, let's say A and B. Multiple external sources (VPN) from Outside access both A & B on a NATed IP.
Server B has evolved to, let's say, C and now lies in the Inside zone.
Why the need for destination NAT: You are right, I didn't explain it well. I meant this is already NATed and I would need to change the current internal IP B to C, so the destination would remain the same (the same NATed IP the clients target).
Why the need for source NAT: The external sources are all public IPs which are not permitted inside the network, and there is no default route from inside the network, and it would be ugly to add so many static routes for return traffic. It appears the best is to NAT the sources (1, 2, 3, 4......) to one private IP, so the need for source NAT.
Concern: If multiple sources will be NATted on Palo Alto, the same sources still have the need to access server A which is in DMZ, which will impact the access if we NAT the source, won't it? The risk of outage matters a lot to production.
So hence I am looking for: if sources (1, 2, 3....) target server A in DMZ, then no source NAT, and if sources 1,2,3...4 target server B on the Inside, then NAT the source.
Regards,
07-23-2019 10:50 AM
Quick question. Are you sure you even need NAT? We are talking about VPN and routes directly connected to the PAN, correct? If the PAN has the routes you need, I'm guessing NAT isn't even necessary. I see this a lot where people believe they need NAT only because that's the way they've always done it.