Destination NAT Translation doesnt work properly with PA-5050

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Destination NAT Translation doesnt work properly with PA-5050

L0 Member

Hello Guys,

Destination NAT translation doesn't work properly with PA-5050  ver 4.1.6

Scenario 1: -

1) Configured 213.42.55.x is mapped with 192.168.1.60 ( www.x.com) with destination nat translation on port www

2) 192.168.1.60 static nat ( bi direct) with 213.42.55.x

Observation : user from public host able to access the www.x.com

Scenario 2:

1) Configured 213.42.49.x is mapped with 192.168.1.75 ( www.y.com) with destination nat translation on port www

Observation : user from public host NOT able to access the www.y.com

In scenario 1  access from public host  to www.x.com worked coz static nat ( bi-direc) is configured although its not required along with destination based nat translation   ....but


in Scenario 2 : access from public to www.y.com didn't work as only destination based nat translation was required

Note : we observed from traffic logs that traffic is hitting in both scnearios on public ips .....

only difference is public host not able to access www.y.com .

Pleae let me know if it is realted to a any bug or config issue.

~ Akber Mirza.

9 REPLIES 9

L6 Presenter

Hi...Can you share the NAT rule and security rule used in scenario 2 please.  Thanks.

Hello rmonvon & Palo-Alto support ,

Please help me to resolve this Dest NAT Translation  issue on high priority


Pelase find below the config for scenario 1 & 2 ( access from public host to DMZ zone)

Current Observation : Al though scenario 2 doesnt work ...but saw translation happening as per traffic log.

same time from firewall able to reach 192.168.1.75 .We also observed that during the testing inside to dmz

was found working and user from inside able to access the website www.y.com.

Scenario1

Name

Tag

Source    Zone

Destination    Zone

Destination    Interface

Source    Address

Destination    Address

Service

Source    Translation

Destination    Translation

Active/Active    HA Binding

Target

Description

nat130

none

outside

outside

any

any

H-213.42.55.x-32

https

none

address: H-192.168.1.60-32

primary

any

port: 443




















nat140

none

outside

outside

any

any

H-213.42.55.x-32

ssh

none

address: H-10.1.200.127-32

primary

any

port: 22

rule2

none

dmz1

outside

ethernet1/12

H-192.168.1.60-32

any

any

static-ip

none

primary

any

H-213.42.55.x-32

bi-directional: yes

nat167

none

outside

outside

any

any

H-213.42.55.x-32

www

    none                 

     address: H-192.168.1.60-32

primary

any

port: 80

Scenario 2:

Name

Tag

Source    Zone

Destination    Zone

Destination    Interface

Source    Address

Destination    Address

Service

Source Translation

Destination    Translation

Active/Active    HA Binding

Target

Description

nat6

none

outside

outside

any

any

H-213.42.49.X-32

ssh

none

address: H-10.1.200.130-32

primary

any

port: 22
















nat83

none

outside

outside

any

any

H-213.42.49.X-32

sqlnet

    none

address: H-192.168.1.35-32

primary

any

port: 1521

nat168

none

outside

outside

any

any

H-213.42.49.X-32

www

     none

address: H-192.168.1.75-32

primary

any

port: 80

Scenario 1 worked coz along with dest nat translation it was configured with static Nat .

scenario 2 : Didint work as we only configured Dest nat translation for the public IP 213.42.49.x

Based on your analysis .....please let me know if you find any things strange....let me know if you required any further info

Thanks and Regards,

Akber Mirza.

Just for the record - this forum is a community forum where PA users help each other.

If you have found a bug or have something else malfunctioning on your PA device you should contact support or your Sales Engineer directly to properly create a supportcase and have a supporttechnician assigned your case.

I am fully aware of your suggestion and we have logged a call with Palo Alto tech support team through our local vendor in Dubai

and the call was logged over 2 weeks with no success!

Hence I am using Palo Alto Forum as a source to discuss my issue with all the forums users including Palo Alto .

Dear Forum users please help me to solve my issue !

Appreciate your quick response.

Regards,

Akber Mirza.

I just wanted to clearify 🙂

I fully understand your frustration when an issue isnt resolved straight away. I think in your case (regarding response from supportteam) you should contact your Sales Engineer so he/she could look up current status and perhaps escalate your support ticket.

Regarding your problem the first thing I would do is to perform a tcpdump before and after your PA device (its so much easier when you see whats actually going on in the cables).

Like by connecting a Cisco 29xx on both sides and enable span-ports/port-mirroring.

This way you will see if the packet is actually leaving your PA and if this packet have the proper srcip/srcport/dstip/dstport set (along with srcmac and dstmac).

You would by this also spot if that second server is actually returning its traffic back to the PA or not.

Stuff that often go bad when it comes to NAT-issues:

*) The NAT-rules itself are wrong in one way or another.
*) Lack of proper security rules (so the NATed packets isnt allowed to pass through).
*) Bad routing and/or bad netmasks on interfaces (so when the packet is cleared to be sent out there is no egress interface available).
*) Bad routing on the server side, the server has incorrect default gateway or incorrect static routes setup so return traffic is never sent back to your PA.

Regarding your NAT rules I find it a bit tricky to use bi-directional, I prefer to have full control of the NATing instead of rely on "magic".

So to combine your both scenarios I think following should work (along with proper security rules also given that all ip addresses have a route and belongs to a zone):

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.130-32 / p22

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP80
srctrans:
dsttrans: H-192.168.1.75-32 / p80

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP1521
srctrans:
dsttrans: H-192.168.1.35-32 / p1521

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.127-32 / p22

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP80
srctrans:
dsttrans: H-192.168.1.60-32 / p80

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP443
srctrans:
dsttrans: H-192.168.1.60-32 / p443

Then when you build your security rules PA logic is:

srczone: <prenat srczone>
dstzone: <postnat dstzone>
dstip: <prenat dstip>

Which gives that for the following DNAT rule:

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.130-32 / p22

assuming that 10.1.200.130 is on zone dmz your security rule should look like:

srczone: outside
dstzone: dmz
dstip: H-213.42.49.X-32
service: TCP22
appid: ssh

Akber...Please re-attach the screenshots via the 'Attach Files' because your screenshots are cut off and we can't see your complete policies.  Also, it looks like those are the NAT rules.  We also need to see your security rules (allow/deny).  Thanks.

Hello,

Following two cases have been logged with PA tech support from our vendor

CaseID #: 00077322  & 00079272

On 25th May'12 we put this product in our production network and  performed packet captures and provided a 2 GB approx amount

of data to PA tech -support team.

My simple query is that whetehr the Desination nat which i shared you is correct ..or any thing wrong u observed .

Note :

1) 213.42.49.x ,outside interface ip ...  and 213..42.55.x is another nat pool given ISP.

2) 192.168.1.x is our dmz zonesubnet

3) 10.1.200.x is out inside zone

4) We are migrating from Cisco PIX 6.3 to Palo Alto 5050 ver 4.1.4

Scenario  2 : ONly destnation NAT was requried to be configured and but users  from public host not able to access www.y.com website although traffic  logs ( 213.42.49.x) were observed in PA which shared in attachment

Scneario  1: Here as well Destination NAT was required to be configured but  static nat bi-direct is also configured ....but anyways public host were  able to access www.x.com and same time traffic logs were observed at  the same in PA...attached the logs .

Pleae help me to solve the issue.

Regards,Akber.

Akber...The dest NAT rule looks fine and I don't see anything wrong. It's not working for you however.  To troubleshoot, I suggest trying to simplify the dest NAT rule by removing the service & port, and define the NAT by the IPs only.  The allowed applications are still controlled by your security rules.

If you add a static NAT (bi-directional) for case 2 - 213.42.49.x, does it work?

Do you have 2 IPs defined on the outside interface for your 2 public IP ranges?

Hello,

Good to know that the config is fine and strange to know that even though the config is fine things doesnt work when we implemet Palo alto in production for a short period. We are struggling to find the root cause of the issue although sufficient infoiramation provide to vendor and Palo alto tech-support team ( 5hrs online access given to PA team when device in prod , 2 gb logs given through wire shark)

Q) To troubleshoot, I suggest trying to simplify the dest NAT rule by  removing the service & port, and define the NAT by the IPs only.   The allowed applications are still controlled by your security rules.

we will try this on shortly.....n see whether it works.....btw  we have upgraded the ios from 4.1.4 to 4.1.6 to isolate any bugs related to nat in 4.1.4 version.

Q) If you add a static NAT (bi-directional) for case 2 - 213.42.49.x, does it work?

we haven't tried to do this wasy as it was not reqd in our requirement and only destination nat is reqd  and we cant try this as have a reqmt of public host from internet reaching to dmz server ....n server will only respond to the initiated connection from outside.

Q) Do you have 2 IPs defined on the outside interface for your 2 public IP ranges?

213.42.49.x is our outside interface ip ......

213.42.55.x subnet is static routed from ISP....but a part of subnet is used for webservers.

Regards, Akber .

  • 7663 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!