Configuring DNAT on PA-820

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Configuring DNAT on PA-820

L1 Bithead

Hi All.

I'm running into a bit of difficulty for setting up a DNAT configuration on my PA-820. Essentially what I want to do is remotely access an iMac workstation from outside the LAN. However, I don't want to advertise port 5900 I want to setup port translation from 2485 to 5900 to a particular host on the LAN.

 

I've created a DNAT rule as follows;

 

Original Packet;

Src Zone: Internet-Untrust

Dst Zone: Internet-Untrust

Dst Interface: Ethernet 1/7 (Interface with internet connection)

Service: Inbound VNC on port 2485 (a service I created)

Src Address: Any

Dst Address: Public IP of the the interface Ethernet 1/7 above

 

Translated Packet;

Translation type: Static IP

Translation Address: Address of internal PC that requires remote access

Translated Port: 5900 (VNC)

 

I then created a security policy rule as follows;

 

Src Zone: Internet-Untrust

Src Address: Any

Src User: Any

Src Device: Any

Dst Zone: Internal-Trust

Dst Address: Address of internal host require remote access

Application: Any

Service / URL Category: Inbound VNC on port 2485 (custom created service)

 

I've essentially been looking to do whats oulined in the below tutorial but the inverse

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW

 

I am unable to connect from an external device, using port 2485 for remote access. When I make remote access attempts from I am unable to connect to the host. I see hits on the security rule and when I look at the monitor selecting the iMac I want to access as the dst address, I can see the external source, the correct destination IP, port 2485, Application says incomplete, action is allow, and the reson for the session end is - tcp-rst-from-server. I'm seeing hits on the security rule but nothing on the NAT rule.

 

Any input would be much appreciated

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @KGH0511 ,

 

I am glad that we got it working on the Zoom call.  In hindsight, I think the culprit was the VNC service object was incorrect.  That is used in the NAT rule.  Once we fixed it, then the NAT started working fine.  You should be able to remove tcp/2485 from the security policy rule now.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

Hi @KGH0511 ,

 

It is strange that you are getting hits on your security policy rule.  The destination IP address should be the public IP address (pre-NAT).  The service should be 5900 (post-NAT).  Please see this doc.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/...

 

You could also try changing the destination interface to any in your NAT rule.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

 

I've seen that document and have followed it exactly, and the NATing doesn't work.

Yes, I agree it is strange that it's hitting the security rule but not the DNAT rule.

 

I've made some changes and I'm now hitting the DNAT rule, but not the security rule.

 

The DNAT Rule is;

 

Original Packet;

Src Zone: Internet-Untrust

Dst Zone: Internet-Untrust

Dst Interface: Ethernet 1/7 (Interface with internet connection)

Service: Inbound VNC on port 2485 (a service I created)

Src Address: Any

Dst Address: Public IP of the the interface Ethernet 1/7 above

 

Translated Packet;

Translation type: Static IP

Translation Address: Address of internal PC that requires remote access

Translated Port: 5900 (VNC)

 

Security Policy Rule is -

 

Src Zone: Internet-Untrust

Src Address: Any

Src User: Any

Src Device: Any

Dst Zone: Internal-Trust

Dst Address: Address of internal host requiring remote access

Application: VNC

Service / URL Category: Application Default

 

I can see I'm getting hits on the NAT rule now and no hits on the security rule, no traffic appears under the traffic monitor.

Cyber Elite
Cyber Elite

Hi @KGH0511 ,

 

Good!  This is progress.  As I mentioned before (and is mentioned in the doc I linked), the destination address in the security policy rule should be the public IP address from the NAT rule.  Please try making that change and let me know if it works.

 

With regard to no traffic logs, did you enable logging for the interzone-default rule?  You will need to use the Override button.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

As I mentioned before (and is mentioned in the doc I linked), the destination address in the security policy rule should be the public IP address from the NAT rule. Please try making that change and let me know if it works. 

 

Thanks for the rapid reply. I entered the public IP from the NAT rule into the destination address in the security policy rule and no change. Still getting hits on the NAT rule, nothing on the security rule and the below info on the monitor when I filter for the dst address i.e. the PC that I want to remotely access.

 

From Zone - Internet Untrust

To Zone - Internal Trust

Source - Source IP address of remote location that I'm testing from - which is correct.

Destination - IP address of PC on the LAN that I want to remotely control correct IP.

To Port - 2485 (Should be port 5900 after the port translation has been applied)

Application - Not applicable

Source Country - Switzerland

Action - Deny

Rule - Interzone-default

Session end Reason - Policy deny.

 

It would seem that the security rule is not even being hit. This happened after I entered the IP address of my public facing interface into the destination filed in the security policy.

L1 Bithead

NAT Rule.png

Security Rule.png

  

Cyber Elite
Cyber Elite

Hi @KGH0511 ,

 

I am glad that we got it working on the Zoom call.  In hindsight, I think the culprit was the VNC service object was incorrect.  That is used in the NAT rule.  Once we fixed it, then the NAT started working fine.  You should be able to remove tcp/2485 from the security policy rule now.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi Tom,

 

Thanks for your time and your valuable input.

Yes, I agree most likely the VNC service object wasn't correct. Oddly enough when I remove the tcp/2485 from the security policy the rule doesn't work and the remote host is not accessible. If I remove 5900 and leave 2485 it works. It's almost the inverse of what one would expect it to be.

Cyber Elite
Cyber Elite

Hi @KGH0511 ,

 

Thank you for the feedback.  That is the opposite of what I saw in the documentation, also.  It does make sense the a NAT lookup is done on ingress, but the NAT is applied on egress.  The NAT lookup is why the destination zone in the security policy rule is toward the server.

 

Have a great day!

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 2244 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!