08-25-2023 06:38 AM
Hi All.
I'm running into a bit of difficulty setting up a DNAT configuration on my PA-820. Essentially what I want to do is remotely access an iMac workstation from outside the LAN. However, I don't want to advertise port 5900; I want to set up port translation from 2485 to 5900 to a particular host on the LAN.
I've created a DNAT rule as follows:
Original Packet:
Src Zone: Internet-Untrust
Dst Zone: Internet-Untrust
Dst Interface: Ethernet 1/7 (Interface with internet connection)
Service: Inbound VNC on port 2485 (a service I created)
Src Address: Any
Dst Address: Public IP of the interface Ethernet 1/7 above
Translated Packet:
Translation type: Static IP
Translation Address: Address of internal PC that requires remote access
Translated Port: 5900 (VNC)
I then created a security policy rule as follows:
Src Zone: Internet-Untrust
Src Address: Any
Src User: Any
Src Device: Any
Dst Zone: Internal-Trust
Dst Address: Address of internal host require remote access
Application: Any
Service / URL Category: Inbound VNC on port 2485 (custom created service)
I've essentially been looking to do what's outlined in the below tutorial, but the inverse:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW
I am unable to connect from an external device using port 2485 for remote access. When I make remote access attempts, I am unable to connect to the host. I see hits on the security rule, and when I look at the monitor selecting the iMac I want to access as the dst address, I can see the external source, the correct destination IP, port 2485, Application says incomplete, action is allow, and the reason for the session end is tcp-rst-from-server. I'm seeing hits on the security rule but nothing on the NAT rule.
Any input would be much appreciated
08-26-2023 11:23 AM
Hi @KGH0511 ,
I am glad that we got it working on the Zoom call. In hindsight, I think the culprit was the VNC service object was incorrect. That is used in the NAT rule. Once we fixed it, then the NAT started working fine. You should be able to remove tcp/2485 from the security policy rule now.
Thanks,
Tom
08-25-2023 12:24 PM
Hi @KGH0511 ,
It is strange that you are getting hits on your security policy rule. The destination IP address should be the public IP address (pre-NAT). The service should be 5900 (post-NAT). Please see this doc. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/...
You could also try changing the destination interface to any in your NAT rule.
Thanks,
Tom
08-26-2023 07:53 AM
Hi Tom,
I've seen that document and have followed it exactly, and the NATing doesn't work.
Yes, I agree it is strange that it's hitting the security rule but not the DNAT rule.
I've made some changes and I'm now hitting the DNAT rule, but not the security rule.
The DNAT Rule is:
Original Packet:
Src Zone: Internet-Untrust
Dst Zone: Internet-Untrust
Dst Interface: Ethernet 1/7 (Interface with internet connection)
Service: Inbound VNC on port 2485 (a service I created)
Src Address: Any
Dst Address: Public IP of the interface Ethernet 1/7 above
Translated Packet:
Translation type: Static IP
Translation Address: Address of internal PC that requires remote access
Translated Port: 5900 (VNC)
Security Policy Rule is:
Src Zone: Internet-Untrust
Src Address: Any
Src User: Any
Src Device: Any
Dst Zone: Internal-Trust
Dst Address: Address of internal host requiring remote access
Application: VNC
Service / URL Category: Application Default
I can see I'm getting hits on the NAT rule now and no hits on the security rule, no traffic appears under the traffic monitor.
08-26-2023 08:01 AM
Hi @KGH0511 ,
Good! This is progress. As I mentioned before (and is mentioned in the doc I linked), the destination address in the security policy rule should be the public IP address from the NAT rule. Please try making that change and let me know if it works.
With regard to no traffic logs, did you enable logging for the interzone-default rule? You will need to use the Override button.
Thanks,
Tom
08-26-2023 08:34 AM
As I mentioned before (and is mentioned in the doc I linked), the destination address in the security policy rule should be the public IP address from the NAT rule. Please try making that change and let me know if it works.
Thanks for the rapid reply. I entered the public IP from the NAT rule into the destination address in the security policy rule and no change. Still getting hits on the NAT rule, nothing on the security rule and the below info on the monitor when I filter for the dst address i.e. the PC that I want to remotely access.
From Zone - Internet Untrust
To Zone - Internal Trust
Source - Source IP address of remote location that I'm testing from - which is correct.
Destination - IP address of PC on the LAN that I want to remotely control correct IP.
To Port - 2485 (Should be port 5900 after the port translation has been applied)
Application - Not applicable
Source Country - Switzerland
Action - Deny
Rule - Interzone-default
Session end Reason - Policy deny.
It would seem that the security rule is not even being hit. This happened after I entered the IP address of my public-facing interface into the destination field in the security policy.
08-26-2023 11:24 PM - edited 08-27-2023 03:11 AM
Hi Tom,
Thanks for your time and your valuable input.
Yes, I agree most likely the VNC service object wasn't correct. Oddly enough when I remove the tcp/2485 from the security policy the rule doesn't work and the remote host is not accessible. If I remove 5900 and leave 2485 it works. It's almost the inverse of what one would expect it to be.
08-27-2023 11:13 AM
Hi @KGH0511 ,
Thank you for the feedback. That is the opposite of what I saw in the documentation, also. It does make sense that a NAT lookup is done on ingress, but the NAT is applied on egress. The NAT lookup is why the destination zone in the security policy rule is toward the server.
Have a great day!
Tom
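The thread turns on the order in which the firewall evaluates the two rule types: the NAT lookup happens on ingress and decides the post-NAT zone, but the security policy is still matched against the pre-NAT destination IP and, as the last two replies report, the pre-NAT destination port. Below is an added example that models that order so the three configurations tried in the thread can be compared side by side. It is not code or configuration from Palo Alto Networks or from anyone in the thread; the addresses, zone names, rule names and the route table are all constructed, and the matching order it implements is an assumption taken from the behaviour reported above (security rule hit only when it carries the public IP and tcp/2485), not from the PAN-OS source.

```python
"""Model of a destination-NAT rule paired with a security policy rule.

Added example, not Palo Alto Networks code. Assumed evaluation order:
  1. NAT lookup on ingress, matched on pre-NAT zone, IP and port.
  2. Post-NAT destination zone = zone the translated IP routes to.
  3. Security policy matched on pre-NAT dst IP and pre-NAT dst port,
     but on the post-NAT dst zone.
  4. Translation is applied on egress only if the policy allows.
All addresses, zones and names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str        # zone the ORIGINAL dst IP routes to
    dst_ip: str
    dst_port: int
    translated_ip: str
    translated_port: int


@dataclass(frozen=True)
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ip: str          # "any" or one address
    dst_ports: tuple     # () models application-default (no port restriction here)
    action: str


# Constructed route table; longest prefix wins. The public IP falls under
# the default route, so it resolves to the untrust zone, which is why the
# DNAT rule's destination zone is Internet-Untrust rather than Internal-Trust.
ROUTES = {
    ip_network("192.168.10.0/24"): "Internal-Trust",
    ip_network("0.0.0.0/0"): "Internet-Untrust",
}


def zone_for(ip: str) -> str:
    addr = ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def nat_lookup(pkt: Packet, nat_rules):
    """Ingress NAT lookup on the untranslated packet."""
    for r in nat_rules:
        if (r.src_zone == pkt.src_zone and r.dst_zone == zone_for(pkt.dst_ip)
                and r.dst_ip == pkt.dst_ip and r.dst_port == pkt.dst_port):
            return r
    return None


def security_lookup(pkt: Packet, nat_hit, sec_rules):
    """Policy lookup: pre-NAT IP/port, post-NAT zone."""
    post_nat_zone = zone_for(nat_hit.translated_ip if nat_hit else pkt.dst_ip)
    for r in sec_rules:
        if r.src_zone not in ("any", pkt.src_zone):
            continue
        if r.dst_zone not in ("any", post_nat_zone):
            continue
        if r.dst_ip not in ("any", pkt.dst_ip):          # pre-NAT address
            continue
        if r.dst_ports and pkt.dst_port not in r.dst_ports:  # pre-NAT port
            continue
        return r
    return None


def evaluate(pkt: Packet, nat_rules, sec_rules) -> dict:
    nat_hit = nat_lookup(pkt, nat_rules)
    sec_hit = security_lookup(pkt, nat_hit, sec_rules)
    allowed = sec_hit is not None and sec_hit.action == "allow"
    return {
        "nat_rule": nat_hit.name if nat_hit else None,
        "security_rule": sec_hit.name if sec_hit else "interzone-default",
        "action": "allow" if allowed else "deny",
        # Translation only takes effect on egress when the session is allowed.
        "translated_to": (nat_hit.translated_ip, nat_hit.translated_port)
        if (nat_hit and allowed) else None,
    }


# Constructed values standing in for the thread's public IP and iMac address.
PUBLIC_IP = "203.0.113.10"
IMAC_IP = "192.168.10.25"
DNAT = [NatRule("Inbound-VNC-DNAT", "Internet-Untrust", "Internet-Untrust",
                PUBLIC_IP, 2485, IMAC_IP, 5900)]
INBOUND = Packet("Internet-Untrust", "198.51.100.7", PUBLIC_IP, 2485)


def scenario_internal_ip() -> dict:
    """First attempt in the thread: security rule points at the internal IP."""
    rules = [SecurityRule("Allow-VNC", "Internet-Untrust", "Internal-Trust",
                          IMAC_IP, (2485,), "allow")]
    return evaluate(INBOUND, DNAT, rules)


def scenario_post_nat_port() -> dict:
    """Public IP but service tcp/5900 (the post-NAT port)."""
    rules = [SecurityRule("Allow-VNC", "Internet-Untrust", "Internal-Trust",
                          PUBLIC_IP, (5900,), "allow")]
    return evaluate(INBOUND, DNAT, rules)


def scenario_pre_nat_port() -> dict:
    """Public IP and service tcp/2485: the combination that worked."""
    rules = [SecurityRule("Allow-VNC", "Internet-Untrust", "Internal-Trust",
                          PUBLIC_IP, (2485,), "allow")]
    return evaluate(INBOUND, DNAT, rules)


if __name__ == "__main__":
    for fn in (scenario_internal_ip, scenario_post_nat_port, scenario_pre_nat_port):
        print(fn.__name__, fn())
```

Only the last scenario returns an allow with the translation applied; the first two fall through to interzone-default, which is the "Policy deny" log shown earlier in the thread. The model also makes the logging point concrete: a session that matches no explicit rule is only visible if logging is enabled on the interzone-default rule.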