01-11-2019 01:06 AM
Hey all,
there is an SSH server in an internal network. I want to access that server from public, but with source port for example 11111. The server listens on normal ssh port 22.
So I would like the firewall to do a port translation from 11111 to 22.
Is that possible?
01-11-2019 01:34 AM
Hey @MPI-AE
Yep this is totally possible. First create a new service for tcp/11111 then create a new NAT rule as follows:
Source Zone: Untrust
Source IP: Any
Destination Zone: Untrust
Destination IP: {Public IP}
Service: New service you created for 11111
Translated packet tab:
Destination Translation:
Static IP: {Private IP}
Translated Port: 22
Of course you will then need a security policy rule to allow the traffic
Source Zone: Untrust
Source IP: Any (Preferably limit this if you can)
Destination Zone: {Zone that private IP resides in, Trust etc.}
Destination IP: {Public IP}
Application: ssh
Service: application-default
Cheers,
Luke.
01-11-2019 06:12 AM
Hey Luke,
that works, thank you!
The only thing I had to adjust was the Application in the policy rule: App any and select service tcp 11111.
01-11-2019 01:25 PM
In the Security Policy, you can use application=ssh and service=same service object you used in the NAT policy (11111).
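The adjustment the original poster had to make follows from the order in which PAN-OS performs the two lookups: the NAT rule is matched on the packet as it arrives, while the security rule is matched on the pre-NAT destination IP and port but the post-NAT destination zone. The model below is an added example written for this thread, not PAN-OS code or anything posted by Luke; the addresses, zone table and rule dictionaries are constructed, and it compares the three security-rule variants discussed above against one inbound connection to tcp/11111.

```python
# Constructed model (not PAN-OS code) of the lookup order behind the two rules
# above: the NAT rule is matched on the packet as it arrives (pre-NAT zones, IP
# and port); the security rule is then matched on the PRE-NAT destination IP and
# port but on the POST-NAT destination zone. Addresses and zone table are made up.
ZONE_OF = {"203.0.113.10": "Untrust", "10.0.0.5": "Trust"}  # route lookup -> zone
APP_DEFAULT_PORTS = {"ssh": {22}}                           # App-ID standard port

# Luke's NAT rule: Untrust->Untrust, public IP, service tcp/11111 -> 10.0.0.5:22
NAT_RULES = [
    {"name": "ssh-11111", "from": "Untrust", "to": "Untrust",
     "dst_ip": "203.0.113.10", "port": 11111, "xlate_ip": "10.0.0.5", "xlate_port": 22},
]

def sec_rule(name, app, service=None):
    """Security rule to Trust for the public IP; service=None is application-default."""
    return {"name": name, "from": "Untrust", "to": "Trust",
            "dst_ip": "203.0.113.10", "app": app, "service": service}

# The three variants discussed in the thread.
POLICIES = {
    "ssh/application-default": sec_rule("p1", "ssh"),
    "any/tcp-11111": sec_rule("p2", "any", {11111}),
    "ssh/tcp-11111": sec_rule("p3", "ssh", {11111}),
}

def apply_nat(pkt, rules):
    """Return (matched NAT rule name or None, post-NAT destination IP)."""
    for r in rules:
        if (r["from"], r["to"], r["dst_ip"], r["port"]) == (
                pkt["src_zone"], ZONE_OF[pkt["dst_ip"]], pkt["dst_ip"], pkt["dst_port"]):
            return r["name"], r["xlate_ip"]
    return None, pkt["dst_ip"]

def match_security(pkt, post_nat_ip, rule):
    """True if the rule allows the flow; zone is post-NAT, IP and port are pre-NAT."""
    if (rule["from"], rule["to"], rule["dst_ip"]) != (
            pkt["src_zone"], ZONE_OF[post_nat_ip], pkt["dst_ip"]):
        return False
    if rule["app"] not in ("any", pkt["app"]):       # App-ID result for the session
        return False
    ports = APP_DEFAULT_PORTS[pkt["app"]] if rule["service"] is None else rule["service"]
    return pkt["dst_port"] in ports                  # 11111, not the translated 22

def evaluate(pkt, policy_name):
    """(NAT rule hit, security rule allowed) for one inbound packet."""
    nat_name, post_ip = apply_nat(pkt, NAT_RULES)
    return nat_name, match_security(pkt, post_ip, POLICIES[policy_name])

INBOUND_SSH = {"src_zone": "Untrust", "dst_ip": "203.0.113.10", "dst_port": 11111, "app": "ssh"}
```

Only the two variants that name the tcp/11111 service object allow the flow; application-default compares the App-ID port 22 against the pre-NAT port 11111 and misses, which is why the poster saw the policy fail until the service was changed.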
02-14-2020 09:58 AM
All of my rules that are one NAT and one Security for a given access work, but I have a unique rule that does not seem to be working correctly. I have four NAT rules for a given public IP that use different service ports that I created destined for unique IPs with the same port.
Example:
NAT1 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-1234 service, destination translation is IP: 1.1.1.1 on Port: 2222
NAT2 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-4321 service, destination translation is IP: 1.1.1.2 on Port: 2222
NAT3 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-5678 service, destination translation is IP: 1.1.1.3 on Port: 2222
NAT4 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-2222 service, destination translation is IP: 1.1.1.4 on Port: 2222
I have one security rule that includes all four services and ANY app with the public IP and untrust/untrust zones.
Note that the only NAT rule that hits is NAT4 where the ports are the same. None of the others hit and the security rule allows traffic to only the #4 server. When users try to access with the other service ports, they get no response and NAT1-3 are currently labeled as UNUSED.
Am I going to have to divide the security rule up? Or is there something I can do to get it to recognize the different ports when they are attempted?
PAN-OS v9.0.4