configuration of the NAT rules to DMZ zone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

configuration of the NAT rules to DMZ zone

L2 Linker

Hello, 

In our office we have two servers in a DMZ zone (10.10.10.3 and 10.10.10.4). In the PA-500 I created a DMZ zone that's related to a vlan in the switch . This switch i related to the serves (10.10.10.3 and 10.10.10.4). 

The servers are in DMZ zone so I configure the NAT rules with static NAT and I open the necessary ports. But without any results. I think that I shoudn't configure a destinaion NAT in this cas becous the servers ar in DMZ zone and ot in a LAN zone.

You wil find in the attchment the screenshot about the existing configuration of PAN.

 

I will be appreciated for all helps ! 

NAT-cisco.JPG

Thank you very much 🙂

13 REPLIES 13

Cyber Elite
Cyber Elite

Move first rule to bottom.

Are other rules bi-directional?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Also try to get one rule working first.

You try to map multiple ports to single port (all wan side ports are 25 but internal ones are diferent).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Without more of the rulesset, I would assume you probably need a U-Turn rule.

 

https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-PAN-OS-NAT/ta-p/60965

 

This will allow the traffic to get to the proper server. It's a NAT and a Security Policy combo.

 

Hope this helps.

L7 Applicator

You cannot map the same ip/port (25) to three different internal ip/port combinations.

 

Static NAT is  a one-to-one bidirectional NAT so there can only be one external ip/port to one internal ip/port.

 

What is the situation here, are you looking for inbound NAT rules to expose multiple DMZ servers for SMTP?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hello,

 

I'm sorry i do a mistake when i wrote the table of the NAT rules. You will find in the attachement the right screen shot . The static NAT that i used is a bidirectional NAT. I add also a security rules to access to the email server (10.10.10.2) . The problem that i can send an email but i can't receive any email. I think that i do a mistake in the security rules. Could you please help me to determinate the mistake in my configuration.

Thank you very much for all helps

NAT-rules.PNG

security-rules.PNG

Your WAN to DMZ security policy should read:

 

srcZN:WAN srcADR:any dstZN:DMZ dstADR:193.200.1.25

 

 

for a security policy the IP addressing are preNAT, zones are postNAT

 

 

 

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you very moch @reaper . It work fine now after this modification 🙂 

 

Thank you for all helps 

I found a problem with the 443 port . I add a NAT rule like shooing in the screen shoot to the 443 port and i add a security rules from outside to dmz ( with public ip address and the port443)

 

But without any result this port still always closed 

 

Thanks for all helps

the NAT for port 25 is going to 10.10.10.2 while 443 is going to 10.10.10.3, did you make sure port 443 is accessible on that server and the nat/security rules are identical except for the ports and the server ip?

 

 

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

The port 443 is open in the server 10.10.10.3 and i do the same security rules but always thsi port is used by the PAN , should i change the default management port of the PAN like presented in this article https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Por... ??

Yes ,the port  443 is open in the server 10.10.10.3 and I do the same configuration that i did it to open the 25 port in the server 10.10.10.2. when i activate the https on the outside port . This port is change to open but to the interface of the configuration of the PAN. 

Should i change the default ports used by the PAN like show this article ??

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Por...

 

 

if you have a management profile configured on the interface with ssl enabled, you would be redirected to the GUI, but if there's no management profile or ssl has not been enabled you don't need to implement that article.

 

are you seeing anything in the logs?

you should be able to figure out what is going on by trying this cli command:

 

> show session all filter destination 193.200.1.25 destination-port 443

 

and then get the full view for the session

 

> show session id <id>

 

this will show you if NAT is being applied properly and which security/nat rules you are hitting:

 

 

Session              23

        c2s flow:
                source:      10.10.10.15 [trust]
                dst:         198.51.100.2
                proto:       17
                sport:       35040           dport:      22
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown


        s2c flow:
                source:      198.51.100.2[untrust]
                dst:         198.51.100.22
                proto:       17
                sport:       22            dport:      35040
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

       start time                           : Tue Oct 20 13:49:57 2015
        timeout                              : 3600 sec
        time to live                         : 3592 sec 
        total byte count(c2s)                : 13026788
        total byte count(s2c)                : 12878618
        layer7 packet count(c2s)             : 84918
        layer7 packet count(s2c)             : 84943
        vsys                                 : vsys1
        application                          : ssh  
        rule                                 : securityrule_1
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        address/port translation             : source
        nat-rule                             : nat_rule(vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : any
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/1
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

It's OK @reaper , it's a problem with the access list thank you very much 🙂

  • 5766 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!