10-20-2015 02:22 PM
Hello,
In our office we have two servers in a DMZ zone (10.10.10.3 and 10.10.10.4). In the PA-500 I created a DMZ zone that's related to a VLAN in the switch. This switch is related to the servers (10.10.10.3 and 10.10.10.4).
The servers are in the DMZ zone, so I configured the NAT rules with static NAT and I opened the necessary ports. But without any results. I think that I shouldn't configure a destination NAT in this case because the servers are in the DMZ zone and not in a LAN zone.
You will find in the attachment the screenshot of the existing configuration of the PAN.
I would be grateful for any help!
Thank you very much 🙂
10-20-2015 02:57 PM
Move first rule to bottom.
Are other rules bi-directional?
10-20-2015 03:01 PM
Also try to get one rule working first.
You try to map multiple ports to a single port (all WAN side ports are 25 but internal ones are different).
10-20-2015 03:57 PM
Without more of the ruleset, I would assume you probably need a U-Turn rule.
https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-PAN-OS-NAT/ta-p/60965
This will allow the traffic to get to the proper server. It's a NAT and a Security Policy combo.
Hope this helps.
10-21-2015 03:32 AM
You cannot map the same ip/port (25) to three different internal ip/port combinations.
Static NAT is a one-to-one bidirectional NAT so there can only be one external ip/port to one internal ip/port.
What is the situation here, are you looking for inbound NAT rules to expose multiple DMZ servers for SMTP?
10-22-2015 04:34 AM
Hello,
I'm sorry, I made a mistake when I wrote the table of the NAT rules. You will find in the attachment the right screenshot. The static NAT that I used is a bidirectional NAT. I also added a security rule to access the email server (10.10.10.2). The problem is that I can send an email but I can't receive any email. I think that I made a mistake in the security rules. Could you please help me to determine the mistake in my configuration?
Thank you very much for all your help
10-22-2015 04:48 AM
Your WAN to DMZ security policy should read:
srcZN:WAN srcADR:any dstZN:DMZ dstADR:193.200.1.25
for a security policy the IP addresses are pre-NAT, zones are post-NAT
regards
Tom
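To make Tom's rule concrete, here is an added illustration (not from the thread or from PAN-OS itself) that models the evaluation order: route lookup of the pre-NAT destination, NAT rule match, then the security policy matched on pre-NAT addresses but post-NAT zones. The routes, zone names and rule tuples are constructed from the addresses in this thread.

```python
from ipaddress import ip_address, ip_network

# Constructed topology modelled on the thread: the public range sits on the WAN
# side, the mail server lives in the DMZ. Zones are derived from a route lookup.
ROUTES = {
    ip_network("193.200.1.0/24"): "WAN",
    ip_network("10.10.10.0/24"): "DMZ",
    ip_network("192.168.1.0/24"): "LAN",
}

def zone_of(ip):
    """Hypothetical route lookup: the longest match decides the zone."""
    addr = ip_address(ip)
    for net, zone in sorted(ROUTES.items(), key=lambda kv: -kv[0].prefixlen):
        if addr in net:
            return zone
    return "WAN"  # default route points out the untrust side

# Destination NAT rules: (name, from_zone, to_zone, orig_dst, port, translated_dst).
# to_zone is the zone of the *pre-NAT* destination, i.e. WAN for a public IP.
NAT_RULES = [
    ("smtp_in", "WAN", "WAN", "193.200.1.25", 25, "10.10.10.2"),
    ("https_in", "WAN", "WAN", "193.200.1.25", 443, "10.10.10.3"),
]

def evaluate(src_ip, dst_ip, dst_port, sec_rules):
    """Return (nat_rule, security_rule, action) for an inbound packet.

    sec_rules entries: (name, src_zone, dst_zone, dst_addr_or_any, port_or_0, action)
    """
    src_zone, pre_dst_zone = zone_of(src_ip), zone_of(dst_ip)
    nat_hit, translated = None, dst_ip
    for name, fz, tz, odst, port, tdst in NAT_RULES:
        if (fz, tz, odst, port) == (src_zone, pre_dst_zone, dst_ip, dst_port):
            nat_hit, translated = name, tdst
            break
    post_dst_zone = zone_of(translated)  # zones are post-NAT
    for name, sz, dz, daddr, port, action in sec_rules:
        # addresses are pre-NAT: match the public IP, not the server's DMZ address
        if (sz == src_zone and dz == post_dst_zone
                and daddr in ("any", dst_ip) and port in (0, dst_port)):
            return nat_hit, name, action
    return nat_hit, "interzone-default", "deny"
```

A rule written as WAN to DMZ with the DMZ server address, or WAN to WAN with the public address, falls through to the interzone default deny; only WAN to DMZ with the public address allows the session.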
10-23-2015 05:55 AM
I found a problem with the 443 port. I added a NAT rule, as shown in the screenshot, for the 443 port and I added a security rule from outside to DMZ (with the public IP address and the port 443).
But without any result; this port is still always closed.
Thanks for all your help
10-23-2015 06:17 AM
the NAT for port 25 is going to 10.10.10.2 while 443 is going to 10.10.10.3, did you make sure port 443 is accessible on that server and the nat/security rules are identical except for the ports and the server ip?
regards
Tom
10-23-2015 06:33 AM
The port 443 is open on the server 10.10.10.3 and I did the same security rules, but this port is always used by the PAN. Should I change the default management port of the PAN as presented in this article https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Por... ??
10-23-2015 06:43 AM
Yes, the port 443 is open on the server 10.10.10.3 and I did the same configuration that I did to open the 25 port on the server 10.10.10.2. When I activate HTTPS on the outside port, this port changes to open, but to the configuration interface of the PAN.
Should I change the default ports used by the PAN as shown in this article??
10-23-2015 06:57 AM
if you have a management profile configured on the interface with ssl enabled, you would be redirected to the GUI, but if there's no management profile or ssl has not been enabled you don't need to implement that article.
are you seeing anything in the logs?
you should be able to figure out what is going on by trying this cli command:
> show session all filter destination 193.200.1.25 destination-port 443
and then get the full view for the session
> show session id <id>
this will show you if NAT is being applied properly and which security/nat rules you are hitting:
Session 23
        c2s flow:
                source:      10.10.10.15 [trust]
                dst:         198.51.100.2
                proto:       17
                sport:       35040           dport:      22
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      198.51.100.2 [untrust]
                dst:         198.51.100.22
                proto:       17
                sport:       22              dport:      35040
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                       : Tue Oct 20 13:49:57 2015
        timeout                          : 3600 sec
        time to live                     : 3592 sec
        total byte count(c2s)            : 13026788
        total byte count(s2c)            : 12878618
        layer7 packet count(c2s)         : 84918
        layer7 packet count(s2c)         : 84943
        vsys                             : vsys1
        application                      : ssh
        rule                             : securityrule_1
        session to be logged at end      : True
        session in session ager          : True
        session updated by HA peer       : False
        address/port translation         : source
        nat-rule                         : nat_rule(vsys1)
        layer7 processing                : enabled
        URL filtering enabled            : True
        URL category                     : any
        session via syn-cookies          : False
        session terminated on host       : False
        session traverses tunnel         : False
        captive portal session           : False
        ingress interface                : ethernet1/2
        egress interface                 : ethernet1/1
        session QoS rule                 : N/A (class 4)
        end-reason                       : unknown
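Reading the two flow directions against each other is the quickest way to tell which translation a session really got. The following is an added helper (not part of the thread or of PAN-OS) that parses session output in the shape shown above into the zones, rule names and a NAT verdict; the sample is constructed from the values in the post, laid out one field per line.

```python
import re

# Constructed sample with the values quoted in the thread (an outbound ssh
# session that hit a source NAT rule), one field per line as the CLI prints it.
SAMPLE = """Session 23
        c2s flow:
                source:      10.10.10.15 [trust]
                dst:         198.51.100.2
                sport:       35040           dport:      22
        s2c flow:
                source:      198.51.100.2 [untrust]
                dst:         198.51.100.22
                sport:       22              dport:      35040
        application                      : ssh
        rule                             : securityrule_1
        address/port translation         : source
        nat-rule                         : nat_rule(vsys1)
        ingress interface                : ethernet1/2
        egress interface                 : ethernet1/1
"""

def parse_session(text):
    """Parse session output into top-level fields plus per-direction flows."""
    info, flow = {"flows": {}}, None
    for raw in text.splitlines():
        s = raw.strip()
        head = re.match(r"(c2s|s2c) flow:$", s)
        if head:
            flow = head.group(1)
            info["flows"][flow] = {}
        elif re.search(r"\s:\s", s):          # "key   : value" lines
            key, val = re.match(r"(.+?)\s+:\s*(.*)", s).groups()
            info[key] = val
            flow = None
        elif flow:                             # "key: value [zone]" pairs inside a flow
            for key, val, zone in re.findall(r"(\w+):\s+(\S+)(?:\s+\[(\w+)\])?", s):
                info["flows"][flow][key] = val
                if zone:
                    info["flows"][flow][key + "_zone"] = zone
    return info

def nat_check(info):
    """Compare the two flow directions to see which translation really applied."""
    c2s, s2c = info["flows"]["c2s"], info["flows"]["s2c"]
    return {
        "security_rule": info.get("rule"),
        "nat_rule": info.get("nat-rule"),
        "zones": (c2s.get("source_zone"), s2c.get("source_zone")),
        # destination NAT: the client's destination differs from the server's real address
        "dnat_applied": c2s["dst"] != s2c["source"],
        # source NAT: the server replies to a different address than the client used
        "snat_applied": c2s["source"] != s2c["dst"],
    }
```

For the inbound 443 case in this thread, a session whose c2s dst is 193.200.1.25 but whose s2c source is still 193.200.1.25 would show `dnat_applied` False, i.e. the NAT rule never matched, while a hit with the expected rule names points the search at the security policy or the server instead.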
10-23-2015 07:48 AM
It's OK @reaper , it's a problem with the access list thank you very much 🙂