06-04-2012 05:21 AM
Hello Guys,
Destination NAT translation doesn't work properly with PA-5050 ver 4.1.6
Scenario 1:
1) Configured 213.42.55.x mapped to 192.168.1.60 (www.x.com) with destination NAT translation on port www
2) 192.168.1.60 static NAT (bi-directional) with 213.42.55.x
Observation: user from public host able to access www.x.com
Scenario 2:
1) Configured 213.42.49.x mapped to 192.168.1.75 (www.y.com) with destination NAT translation on port www
Observation: user from public host NOT able to access www.y.com
In scenario 1, access from the public host to www.x.com worked because static NAT (bi-directional) is configured, although it's not required along with destination-based NAT translation, but
in scenario 2, access from the public host to www.y.com didn't work, as only destination-based NAT translation was required.
Note: we observed from traffic logs that traffic is hitting the public IPs in both scenarios;
the only difference is that the public host is not able to access www.y.com.
Please let me know if it is related to any bug or config issue.
~ Akber Mirza.
06-04-2012 10:16 PM
Hello rmonvon & Palo Alto support,
Current observation: although scenario 2 doesn't work, we saw translation happening as per the traffic log.
At the same time, from the firewall we are able to reach 192.168.1.75. We also observed that during the testing, inside to DMZ
was found working and users from inside are able to access the website www.y.com.
Scenario 1:
Name | Tag | Source Zone | Destination Zone | Destination Interface | Source Address | Destination Address | Service | Source Translation | Destination Translation | Active/Active HA Binding | Target | Description
nat130 | none | outside | outside | any | any | H-213.42.55.x-32 | https | none | address: H-192.168.1.60-32, port: 443 | primary | any |
nat140 | none | outside | outside | any | any | H-213.42.55.x-32 | ssh | none | address: H-10.1.200.127-32, port: 22 | primary | any |
rule2 | none | dmz1 | outside | ethernet1/12 | H-192.168.1.60-32 | any | any | static-ip: H-213.42.55.x-32, bi-directional: yes | none | primary | any |
nat167 | none | outside | outside | any | any | H-213.42.55.x-32 | www | none | address: H-192.168.1.60-32, port: 80 | primary | any |
Scenario 2:
Name | Tag | Source Zone | Destination Zone | Destination Interface | Source Address | Destination Address | Service | Source Translation | Destination Translation | Active/Active HA Binding | Target | Description
nat6 | none | outside | outside | any | any | H-213.42.49.X-32 | ssh | none | address: H-10.1.200.130-32, port: 22 | primary | any |
nat83 | none | outside | outside | any | any | H-213.42.49.X-32 | sqlnet | none | address: H-192.168.1.35-32, port: 1521 | primary | any |
nat168 | none | outside | outside | any | any | H-213.42.49.X-32 | www | none | address: H-192.168.1.75-32, port: 80 | primary | any |
Scenario 1 worked because along with destination NAT translation it was configured with static NAT.
Scenario 2 didn't work, as we only configured destination NAT translation for the public IP 213.42.49.x.
Based on your analysis, please let me know if you find anything strange, and let me know if you require any further info.
Thanks and Regards,
Akber Mirza.
06-05-2012 01:00 AM
Just for the record - this forum is a community forum where PA users help each other.
If you have found a bug or have something else malfunctioning on your PA device you should contact support or your Sales Engineer directly to properly create a support case and have a support technician assigned to your case.
06-05-2012 02:13 AM
I am fully aware of your suggestion, and we have logged a call with the Palo Alto tech support team through our local vendor in Dubai,
and the call has been logged for over 2 weeks with no success!
Hence I am using the Palo Alto forum as a source to discuss my issue with all the forum users, including Palo Alto.
Dear forum users, please help me to solve my issue!
I appreciate your quick response.
Regards,
Akber Mirza.
06-05-2012 03:30 AM
I just wanted to clarify 🙂
I fully understand your frustration when an issue isn't resolved straight away. I think in your case (regarding the response from the support team) you should contact your Sales Engineer so he/she could look up the current status and perhaps escalate your support ticket.
Regarding your problem, the first thing I would do is to perform a tcpdump before and after your PA device (it's so much easier when you see what's actually going on in the cables).
Like by connecting a Cisco 29xx on both sides and enabling span-ports/port-mirroring.
This way you will see if the packet is actually leaving your PA and if this packet has the proper srcip/srcport/dstip/dstport set (along with srcmac and dstmac).
You would by this also spot if that second server is actually returning its traffic back to the PA or not.
Stuff that often goes bad when it comes to NAT issues:
*) The NAT rules themselves are wrong in one way or another.
*) Lack of proper security rules (so the NATed packets aren't allowed to pass through).
*) Bad routing and/or bad netmasks on interfaces (so when the packet is cleared to be sent out there is no egress interface available).
*) Bad routing on the server side: the server has an incorrect default gateway or incorrect static routes set up, so return traffic is never sent back to your PA.
Regarding your NAT rules, I find it a bit tricky to use bi-directional; I prefer to have full control of the NATing instead of relying on "magic".
So to combine both your scenarios I think the following should work (along with proper security rules, also given that all IP addresses have a route and belong to a zone):
srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.130-32 / p22

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP80
srctrans:
dsttrans: H-192.168.1.75-32 / p80

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP1521
srctrans:
dsttrans: H-192.168.1.35-32 / p1521

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.127-32 / p22

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP80
srctrans:
dsttrans: H-192.168.1.60-32 / p80

srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.55.x-32
service: TCP443
srctrans:
dsttrans: H-192.168.1.60-32 / p443
Then when you build your security rules PA logic is:
srczone: <prenat srczone>
dstzone: <postnat dstzone>
dstip: <prenat dstip>
Which gives that for the following DNAT rule:
srczone: outside
dstzone: outside
dstint: any
src: any
dst: H-213.42.49.X-32
service: TCP22
srctrans:
dsttrans: H-10.1.200.130-32 / p22
assuming that 10.1.200.130 is on zone dmz your security rule should look like:
srczone: outside
dstzone: dmz
dstip: H-213.42.49.X-32
service: TCP22
appid: ssh
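The rule-lookup order the reply above describes (NAT rule matched on pre-NAT zones and address, security rule matched on pre-NAT source zone, post-NAT destination zone and pre-NAT destination address) can be modelled in a few lines. This is an added example, not code from the thread or from PAN-OS; the routing table, the public address 213.42.49.10 and the rules are constructed, and the model ignores features such as interface-specific matching and rule ordering by shadowing.

```python
# Added example, not from the thread: a small model of the PAN-OS lookup order
# described above. The NAT rule is matched on pre-NAT zones and address; the
# security rule is matched on the pre-NAT source zone, the POST-NAT destination
# zone and the PRE-NAT destination address. All routes, addresses and rules
# below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, zone of the egress interface).
ROUTES = [
    (ip_network("0.0.0.0/0"), "outside"),        # default route to the ISP
    (ip_network("213.42.55.0/24"), "outside"),   # second public pool
    (ip_network("192.168.1.0/24"), "dmz"),
    (ip_network("10.1.200.0/24"), "inside"),
]

def zone_of(ip):
    """Longest-prefix route lookup: the zone the address is reached through."""
    addr = ip_address(ip)
    matches = [(n.prefixlen, z) for n, z in ROUTES if addr in n]
    return max(matches)[1] if matches else None

@dataclass
class NatRule:
    src_zone: str
    dst_zone: str
    dst: str        # pre-NAT destination address
    port: int       # service port
    dst_trans: str  # translated destination address

@dataclass
class SecRule:
    src_zone: str
    dst_zone: str   # must be the post-NAT zone
    dst: str        # must be the pre-NAT address
    port: int
    action: str

def evaluate(src_ip, dst_ip, dport, nat_rules, sec_rules):
    """Return (post-NAT destination, action) for a new session."""
    src_zone, pre_zone = zone_of(src_ip), zone_of(dst_ip)
    post_dst = next((r.dst_trans for r in nat_rules
                     if (r.src_zone, r.dst_zone, r.dst, r.port)
                     == (src_zone, pre_zone, dst_ip, dport)), dst_ip)
    post_zone = zone_of(post_dst)
    for s in sec_rules:
        if (s.src_zone, s.dst_zone, s.dst, s.port) == (src_zone, post_zone, dst_ip, dport):
            return post_dst, s.action
    return post_dst, "deny"  # implicit interzone default deny
```

Running the constructed DNAT rule for 213.42.49.10:80 to 192.168.1.75 through this model shows why a security rule written with destination zone outside never matches, while one written with destination zone dmz and the public address as destination does.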
06-05-2012 03:52 AM
Akber...Please re-attach the screenshots via the 'Attach Files' because your screenshots are cut off and we can't see your complete policies. Also, it looks like those are the NAT rules. We also need to see your security rules (allow/deny). Thanks.
06-05-2012 10:28 PM
Hello,
The following two cases have been logged with PA tech support from our vendor.
On 25th May '12 we put this product in our production network, performed packet captures and provided approximately 2 GB
of data to the PA tech support team.
My simple query is whether the destination NAT which I shared with you is correct, or whether you observed anything wrong.
Note:
1) 213.42.49.x is the outside interface IP, and 213.42.55.x is another NAT pool given by the ISP.
2) 192.168.1.x is our DMZ zone subnet
3) 10.1.200.x is our inside zone
4) We are migrating from Cisco PIX 6.3 to Palo Alto 5050 ver 4.1.4
Scenario 2: only destination NAT was required to be configured, but users from the public host are not able to access the www.y.com website, although traffic logs (213.42.49.x) were observed in the PA, which I shared in the attachment.
Scenario 1: here as well destination NAT was required to be configured, but static NAT bi-directional is also configured; anyway, public hosts were able to access www.x.com and at the same time traffic logs were observed in the PA. The logs are attached.
Please help me to solve the issue.
Regards, Akber.
06-06-2012 08:44 AM
Akber...The dest NAT rule looks fine and I don't see anything wrong. It's not working for you however. To troubleshoot, I suggest trying to simplify the dest NAT rule by removing the service & port, and define the NAT by the IPs only. The allowed applications are still controlled by your security rules.
If you add a static NAT (bi-directional) for case 2 - 213.42.49.x, does it work?
Do you have 2 IPs defined on the outside interface for your 2 public IP ranges?
06-06-2012 12:05 PM
Hello,
Good to know that the config is fine, and strange to know that even though the config is fine things don't work when we implement Palo Alto in production for a short period. We are struggling to find the root cause of the issue although sufficient information was provided to the vendor and the Palo Alto tech support team (5 hrs online access given to the PA team when the device was in prod, 2 GB of logs given through Wireshark).
Q) To troubleshoot, I suggest trying to simplify the dest NAT rule by removing the service & port, and define the NAT by the IPs only. The allowed applications are still controlled by your security rules.
We will try this shortly and see whether it works. By the way, we have upgraded the ios from 4.1.4 to 4.1.6 to isolate any bugs related to NAT in version 4.1.4.
Q) If you add a static NAT (bi-directional) for case 2 - 213.42.49.x, does it work?
We haven't tried it this way, as it was not required in our requirement; only destination NAT is required, and we can't try this as we have a requirement of public hosts from the internet reaching the DMZ server, and the server will only respond to the connection initiated from outside.
Q) Do you have 2 IPs defined on the outside interface for your 2 public IP ranges?
213.42.49.x is our outside interface IP.
The 213.42.55.x subnet is statically routed from the ISP, but part of the subnet is used for web servers.
Regards, Akber.