Destination NAT translation is not working os .5.0.10

Satish
L4 Transporter


Hi Friends,

PAN-OS 5.0.10 is running. I have created a destination NAT translation, but it is not working, and I am also not getting any logs. Please suggest.


Regards

Satish

Wenar
L3 Networker

Do you have a security policy for this traffic with activated logging?

Satish
L4 Transporter

Hi Wenar,

Yes, I have already a security policy for that.

Regards

Satish

Wenar
L3 Networker

Can you post a screenshot of the security policy? Keep in mind that your security policy has to look like this:

Source: Any

Source Zone: Any (or Untrust)

Destination: Public IP

Destination Zone: Zone for Private IP

You should see the traffic in the traffic log.

rborda
L3 Networker

Hi Satish,

Verify your Security Policy and NAT policy look like what you see below. Make sure that Destination address for your NAT and Security Policy is your Public IP.

Also, for your NAT policy use Source Zone: Untrust, Destination Zone: Untrust. Use only Private IP in your Translated Destination Address.

Security Policy


Nat policy


Regards
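To make the matching order concrete, here is an added toy model (not Palo Alto code and not from this thread) of how PAN-OS evaluates a destination NAT rule and then the security policy for one packet, using constructed zones and addresses. It shows why the security rule must name the public (pre-NAT) destination IP together with the private (post-NAT) destination zone, as Wenar and rborda describe.

```python
"""Toy model of PAN-OS destination NAT + security policy lookup.
Added illustration only; zones, routes and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table: the zone of an IP is the zone of its egress route.
ROUTES = {"untrust": ip_network("0.0.0.0/0"), "trust": ip_network("10.1.1.0/24")}


def zone_for(ip: str) -> str:
    """Longest-prefix match to find which zone an address lives in."""
    hits = [(n.prefixlen, z) for z, n in ROUTES.items() if ip_address(ip) in n]
    return max(hits)[1]


@dataclass
class NatRule:
    src_zone: str
    dst_zone: str        # zone of the ORIGINAL destination (public IP -> untrust)
    dst: str             # original (public) destination address
    translated_dst: str  # private address the traffic is forwarded to


@dataclass
class SecRule:
    src_zone: str
    dst_zone: str  # must be the POST-NAT zone (zone of the private IP)
    dst: str       # must be the PRE-NAT address (the public IP) or "any"
    action: str


def evaluate(pkt, nat_rules, sec_rules):
    """Return (action, post_nat_dst). NAT is matched on the original packet;
    security policy is matched on pre-NAT addresses but the post-NAT zone."""
    src, dst = pkt
    from_zone, orig_to_zone = zone_for(src), zone_for(dst)
    post_dst = dst
    for r in nat_rules:
        if r.src_zone in (from_zone, "any") and r.dst_zone == orig_to_zone and r.dst == dst:
            post_dst = r.translated_dst
            break
    post_to_zone = zone_for(post_dst)
    for r in sec_rules:
        if r.src_zone in (from_zone, "any") and r.dst_zone == post_to_zone and r.dst in (dst, "any"):
            return r.action, post_dst
    return "deny(default)", post_dst  # interzone default deny, silent unless logged


NAT = [NatRule("untrust", "untrust", "203.0.113.10", "10.1.1.20")]
GOOD = [SecRule("any", "trust", "203.0.113.10", "allow")]  # public IP, private zone
WRONG = [SecRule("any", "trust", "10.1.1.20", "allow")]    # private IP: never matches
```

Running `evaluate(("198.51.100.7", "203.0.113.10"), NAT, GOOD)` returns `("allow", "10.1.1.20")`, while the `WRONG` rule set falls through to the default deny, which is exactly the "NAT configured but nothing in the logs" symptom when that deny is not logged.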

bat
L5 Sessionator

Satish

Could you confirm if the traffic for that IP address is even reaching the firewall? Try configuring a packet capture and see if the packet is reaching the firewall; if it's not, then it should be a simple ARP or routing issue.

Hope it helps!

oklier
L3 Networker

Hurricane Electric has a helpful public looking glass utility: Looking Glass - Hurricane Electric (AS6939). They even have an app for Android.

pulukas
L7 Applicator

I would start by filtering your policy logs by the source address of the attempt. Then you can see what policy the traffic is hitting in your firewall. Make sure you do have a logging final deny-all policy so it is not silently dropped, and that logging is enabled for all policies.

NAT columns can be added to the monitor policy logs, so you will also see from there if the traffic is being recognized by any of the NAT rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

parmas
L2 Linker

Just to add something that has not been mentioned... It could be possible that the traffic is indeed reaching the firewall and the NAT itself working properly, but you need to make sure you have a route not only on the firewall to reach the private IP, but also a route configured on the server itself to get back to the outside world through the same firewall interface that was used to forward the incoming packets.

Hope this helps.
