Configuring destination NAT with DHCP public IP

I only get a dynamic public IP from the ISP on the outside interface of the PAN box. I'd like to configure Destination NAT to use the single public IP for a number of servers running inside the network on different ports. I've followed the documentation online to configure Destination IP and Port Translation. I received the following error when trying to commit the change.

Error: nat rule 'SERVER1_DNAT': Mismatch of destination address translation range between original address and translated address
Error: Failed to parse nat policy

The only difference in my configuration compared with the example in the document is that I don't have extra public IPs to use. I could only use the public IP I got from the ISP on the interface. How do I work around it?

Hi,

I think you have to configure a destination address explicitly (or FQDN with DDNS) for this to work. Also some useful info here:

https://live.paloaltonetworks.com/t5/Management-Articles/Commit-NAT-Error-quot-Mismatch-of-destinati...

I've seen some posts recommending FQDN with DDNS. How does it work inside the box? Does it make a real-time DNS resolution against the FQDN every time the NAT rule is evaluated? What if the DDNS isn't updated promptly after my public IP changes? There's got to be a way to tell PAN-OS to use the interface IP instead of having to hard code one with an Object.

Hi,

DDNS (most of the time) attempts to update/check the IP address for your FQDN every 5 minutes. I don't believe your address will be changing with quicker frequency from your ISP. With your current configuration, if hosts on the internet want to talk to your internal server, how do they know which IP (FQDN) to use? I personally use changeip.com as my DDNS provider. You can set up an agent inside your network (you can utilise any static server for it), so it will constantly check your Palo external IP address and keep the DNS record updated when the IP changes. You then can create an FQDN object on the Palo (default refresh time is 30 min, but you can reduce it to 10) and use it as the destination address in your NAT/security policies. The FQDN gets refreshed every 10-30 minutes regardless of whether you use this object or not (it is a static refresh time/job by the Palo).
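
As an added illustration (not code from this thread or from PAN-OS), the following Python model simulates the timing described above: a DDNS agent that checks the interface IP every 5 minutes and an FQDN address object that re-resolves every 30 minutes (or 10), to measure how long inbound traffic to a newly assigned public IP fails to match the DNAT rule. The aligned schedules, the lease-change time and the addresses are constructed assumptions.

```python
"""Constructed model (not PAN-OS code) of DDNS + FQDN-object destination NAT
behind a DHCP public IP: how long traffic to a new IP misses the DNAT rule."""
from dataclasses import dataclass, field

AGENT_INTERVAL = 5 * 60   # DDNS agent checks the interface IP every 5 min (per thread)
FQDN_REFRESH = 30 * 60    # FQDN object default refresh 30 min; can be reduced to 10


@dataclass
class DnatSimulation:
    # Assumption: both jobs run on fixed schedules aligned to t = 0 seconds.
    agent_interval: int = AGENT_INTERVAL
    fqdn_refresh: int = FQDN_REFRESH
    ip_changes: dict = field(default_factory=dict)  # constructed {time_s: interface IP}

    def interface_ip(self, t):
        """Public IP on the outside interface at time t (simulated ISP DHCP)."""
        ip = None
        for when in sorted(self.ip_changes):
            if when <= t:
                ip = self.ip_changes[when]
        return ip

    def dns_record(self, t):
        """DDNS record at time t: the IP the agent saw at its last check."""
        last_check = (t // self.agent_interval) * self.agent_interval
        return self.interface_ip(last_check)

    def fqdn_object(self, t):
        """IP cached in the firewall's FQDN address object at its last refresh."""
        last_refresh = (t // self.fqdn_refresh) * self.fqdn_refresh
        return self.dns_record(last_refresh)

    def dnat_matches(self, dst_ip, t):
        """The DNAT rule matches only when the destination equals the cached IP."""
        return dst_ip == self.fqdn_object(t)

    def outage_seconds(self, change_time):
        """Seconds after a lease change before traffic to the new IP matches."""
        new_ip = self.ip_changes[change_time]
        limit = change_time + self.agent_interval + self.fqdn_refresh + 1
        for t in range(change_time, limit):
            if self.dnat_matches(new_ip, t):
                return t - change_time
        return limit - change_time  # worst-case bound; not reached with aligned jobs

if __name__ == "__main__":
    history = {0: "198.51.100.10", 1000: "198.51.100.20"}  # constructed lease change
    for refresh in (30 * 60, 10 * 60):
        sim = DnatSimulation(fqdn_refresh=refresh, ip_changes=history)
        print(f"FQDN refresh {refresh // 60} min: DNAT gap {sim.outage_seconds(1000)} s")
```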

@jack.wang1,

To add to what @TranceforLife already pointed out, the frequency with which the ISP refreshes your public IP should be few and far between unless you actively shut down the Palo Alto or the modem that feeds your connection. The vast majority of ISPs will not just randomly release your IP address and push out a new one.

ISPs run DHCP exactly how most large networks do; if the device is still present and is sending renewal requests it will keep getting handed the same IP. Now if the ISP gear goes down or it loses connection for any reason then you will likely get a new IP address and won't get handed the same one, as the DHCP release times at an ISP level are generally pretty short. So if your device doesn't send a renewal request in 15 minutes, as an example, then you will pull a different public IP; but as long as the gear is up and sending renewal requests then you will likely hold the same public IP. Again this isn't all ISPs, but if they change your IPs they also drop all of your existing sessions; in the world of video streaming, ISPs have moved away from constant release/renewal operations because it gives off a bad customer experience when your video streaming stops because they released your public IP.

Thank you all for your help. I've spoken to Palo tech support. As of right now, by design PAN-OS cannot use an interface IP as a destination NAT IP. The only workaround is using DDNS with FQDN. There was a feature request #2592 specifically to address this issue but it has been open for over two years. I came from the Cisco world and the ASA can do it easily. I hope Palo would consider implementing it in the next PAN-OS release.

Hi @jack.wang1,

I think it can if you explicitly specify it. In your NAT policy, you didn't specify any destination IP or any FQDN. Hosts from the internet don't know which IP or FQDN to use in order to reach your internal server. You need to type something in your web browser URL bar 😄 You can test it by specifying the DHCP-assigned IP address and I am sure it will work.

Hi @TranceforLife,

I didn't want to hard code a DHCP IP in my NAT configuration since it can change over time. Management and troubleshooting will be a nightmare. I believe what's missing in the 8.0.x PAN-OS is allowing the use of "interface IP" in the NAT configuration. I hate to bring up Cisco in Palo forums but this is how NAT is configured on a Cisco ASA using the interface IP.

static (dmz,outside) tcp interface 8080 192.168.1.10 www netmask 255.255.255.255

It says "anybody coming in from the Internet hitting the firewall outside interface IP over TCP 8080, NAT to the DMZ server's real IP 192.168.1.10 on port 80", regardless of what IP the outside interface has. It is the users' responsibility to know the IP; DDNS can be leveraged of course.

Hi @jack.wang1,

My understanding is that if you have a DHCP IP address assigned, the only way you can properly utilise a dynamic IP is by using FQDN (DDNS) (it does not matter which vendor you are using :D). If the initial connection is initiated from outside then you have to know your interface IP address (destination IP). You do not want to tell your clients "Guess what my IP address is" 😄
