Destination NAT Translation doesnt work properly with PA-5050

Hello rmonvon & Palo-Alto support ,

Please help me to resolve this Dest NAT Translation  issue on high priority

Pelase find below the config for scenario 1 & 2 ( access from public host to DMZ zone)

Current Observation : Al though scenario 2 doesnt work ...but saw translation happening as per traffic log.

same time from firewall able to reach 192.168.1.75 .We also observed that during the testing inside to dmz

was found working and user from inside able to access the website www.y.com.

Scenario1

Scenario 2:

Scenario 1 worked coz along with dest nat translation it was configured with static Nat .

scenario 2 : Didint work as we only configured Dest nat translation for the public IP 213.42.49.x

Based on your analysis .....please let me know if you find any things strange....let me know if you required any further info

Thanks and Regards,

Akber Mirza.

Just for the record - this forum is a community forum where PA users help each other.

If you have found a bug or have something else malfunctioning on your PA device you should contact support or your Sales Engineer directly to properly create a supportcase and have a supporttechnician assigned your case.

I am fully aware of your suggestion and we have logged a call with Palo Alto tech support team through our local vendor in Dubai

and the call was logged over 2 weeks with no success!

Hence I am using Palo Alto Forum as a source to discuss my issue with all the forums users including Palo Alto .

Dear Forum users please help me to solve my issue !

Appreciate your quick response.

Regards,

Akber Mirza.

I just wanted to clearify 🙂

I fully understand your frustration when an issue isnt resolved straight away. I think in your case (regarding response from supportteam) you should contact your Sales Engineer so he/she could look up current status and perhaps escalate your support ticket.

Regarding your problem the first thing I would do is to perform a tcpdump before and after your PA device (its so much easier when you see whats actually going on in the cables).

Like by connecting a Cisco 29xx on both sides and enable span-ports/port-mirroring.

This way you will see if the packet is actually leaving your PA and if this packet have the proper srcip/srcport/dstip/dstport set (along with srcmac and dstmac).

You would by this also spot if that second server is actually returning its traffic back to the PA or not.

Stuff that often go bad when it comes to NAT-issues:

*) The NAT-rules itself are wrong in one way or another.
*) Lack of proper security rules (so the NATed packets isnt allowed to pass through).
*) Bad routing and/or bad netmasks on interfaces (so when the packet is cleared to be sent out there is no egress interface available).
*) Bad routing on the server side, the server has incorrect default gateway or incorrect static routes setup so return traffic is never sent back to your PA.

Regarding your NAT rules I find it a bit tricky to use bi-directional, I prefer to have full control of the NATing instead of rely on "magic".

So to combine your both scenarios I think following should work (along with proper security rules also given that all ip addresses have a route and belongs to a zone):

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.130-32 / p22

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP80
srctrans:
dsttrans: H-192.168.1.75-32 / p80

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP1521
srctrans:
dsttrans: H-192.168.1.35-32 / p1521

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.127-32 / p22

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP80
srctrans:
dsttrans: H-192.168.1.60-32 / p80

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP443
srctrans:
dsttrans: H-192.168.1.60-32 / p443

Then when you build your security rules PA logic is:

srczone: <prenat srczone>
dstzone: <postnat dstzone>
dstip: <prenat dstip>

Which gives that for the following DNAT rule:

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.130-32 / p22

assuming that 10.1.200.130 is on zone dmz your security rule should look like:

srczone: outside
dstzone: dmz
dstip: H-213.42.49.X-32
service: TCP22
appid: ssh

Akber...Please re-attach the screenshots via the 'Attach Files' because your screenshots are cut off and we can't see your complete policies.  Also, it looks like those are the NAT rules.  We also need to see your security rules (allow/deny).  Thanks.

Hello,

Following two cases have been logged with PA tech support from our vendor

CaseID #: 00077322  & 00079272

On 25th May'12 we put this product in our production network and  performed packet captures and provided a 2 GB approx amount

of data to PA tech -support team.

My simple query is that whetehr the Desination nat which i shared you is correct ..or any thing wrong u observed .

Note :

1) 213.42.49.x ,outside interface ip ...  and 213..42.55.x is another nat pool given ISP.

2) 192.168.1.x is our dmz zonesubnet

3) 10.1.200.x is out inside zone

4) We are migrating from Cisco PIX 6.3 to Palo Alto 5050 ver 4.1.4

Scenario  2 : ONly destnation NAT was requried to be configured and but users  from public host not able to access www.y.com website although traffic  logs ( 213.42.49.x) were observed in PA which shared in attachment

Scneario  1: Here as well Destination NAT was required to be configured but  static nat bi-direct is also configured ....but anyways public host were  able to access www.x.com and same time traffic logs were observed at  the same in PA...attached the logs .

Pleae help me to solve the issue.

Regards,Akber.

Akber...The dest NAT rule looks fine and I don't see anything wrong. It's not working for you however.  To troubleshoot, I suggest trying to simplify the dest NAT rule by removing the service & port, and define the NAT by the IPs only.  The allowed applications are still controlled by your security rules.

If you add a static NAT (bi-directional) for case 2 - 213.42.49.x, does it work?

Do you have 2 IPs defined on the outside interface for your 2 public IP ranges?

Hello,

Good to know that the config is fine and strange to know that even though the config is fine things doesnt work when we implemet Palo alto in production for a short period. We are struggling to find the root cause of the issue although sufficient infoiramation provide to vendor and Palo alto tech-support team ( 5hrs online access given to PA team when device in prod , 2 gb logs given through wire shark)

Q) To troubleshoot, I suggest trying to simplify the dest NAT rule by  removing the service & port, and define the NAT by the IPs only.   The allowed applications are still controlled by your security rules.

we will try this on shortly.....n see whether it works.....btw  we have upgraded the ios from 4.1.4 to 4.1.6 to isolate any bugs related to nat in 4.1.4 version.

Q) If you add a static NAT (bi-directional) for case 2 - 213.42.49.x, does it work?

we haven't tried to do this wasy as it was not reqd in our requirement and only destination nat is reqd  and we cant try this as have a reqmt of public host from internet reaching to dmz server ....n server will only respond to the initiated connection from outside.

Q) Do you have 2 IPs defined on the outside interface for your 2 public IP ranges?

213.42.49.x is our outside interface ip ......

213.42.55.x subnet is static routed from ISP....but a part of subnet is used for webservers.

Regards, Akber .