DMZ Web Server Access Setup PT2

L3 Networker

Hello Community,

 

Can someone please let me know if Palo Alto has any documentation examples of setting up access to a webserver from the Internet that resides in a DMZ?

 

Thank you

 

Carlton 


Accepted Solutions
L3 Networker

If you are wondering why the public IP is mentioned in the security policy and not the private one:

We always specify the IP based on the original (pre-NAT) IP packet.

I found an old document that is still the best one for understanding NAT. Please follow the link below; I hope this helps.

 

https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-PAN-OS-NAT/ta-p/60965



All Replies
L6 Presenter

Hi... I assume your case is to allow Internet users to connect to your web server in the DMZ and the server will be assigned a private IP address. Please check out the section 'Destination NAT' in this NAT document, which has an example of the NAT & security rules:

 

https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-PAN-OS-NAT/ta-p/60965

 

The basic config is to define the inbound dest NAT rule to translate the public IP to the private IP, and the security policy rule to allow the specific app/traffic to the web server. Optionally, you can also define a DoS protection rule to protect the server from possible DoS attacks.

 

Thanks,
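
A small Python model of the lookup order behind the replies in this thread, added here as an illustration and not taken from the posters or from Palo Alto documentation. It shows why the security rule must name the public (pre-NAT) destination IP while pointing at the DMZ (post-NAT) zone; the zone names, addresses and rule names are constructed, and port matching stands in for application matching.

```python
import ipaddress

# Constructed sample topology: documentation-range public IP, RFC 1918 DMZ server.
ROUTES = {"203.0.113.0/24": "untrust", "10.1.1.0/24": "dmz"}

# Destination NAT is matched on pre-NAT zones and the pre-NAT (public) address.
NAT_RULES = [
    {"from": "untrust", "to": "untrust", "dst": "203.0.113.10",
     "translate_to": "10.1.1.10"},
]

# Two candidate security rules: only the destination address differs.
RULE_PUBLIC = {"name": "web-public-dst", "from": "untrust", "to": "dmz",
               "dst": "203.0.113.10", "port": 443, "action": "allow"}
RULE_PRIVATE = {"name": "web-private-dst", "from": "untrust", "to": "dmz",
                "dst": "10.1.1.10", "port": 443, "action": "allow"}


def zone_of(ip):
    """Route lookup: return the zone whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ROUTES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return None


def evaluate(src_zone, dst_ip, dst_port, security_rules):
    """Return (action, rule name, post-NAT destination) for one inbound session."""
    translated = dst_ip
    for nat in NAT_RULES:
        if (nat["from"], nat["to"], nat["dst"]) == (src_zone, zone_of(dst_ip), dst_ip):
            translated = nat["translate_to"]
            break
    # Security policy: pre-NAT destination address, post-NAT destination zone.
    egress_zone = zone_of(translated)
    for rule in security_rules:
        wanted = (rule["from"], rule["to"], rule["dst"], rule["port"])
        if wanted == (src_zone, egress_zone, dst_ip, dst_port):
            return rule["action"], rule["name"], translated
    return "deny", "interzone-default", translated


if __name__ == "__main__":
    for rules in ([RULE_PUBLIC], [RULE_PRIVATE]):
        print(rules[0]["name"], evaluate("untrust", "203.0.113.10", 443, rules))
```
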

 

L3 Networker

BITHEAD,

 

This is great. 

 

Are there any other similar documents showing examples of how to configure L3 sub-interfaces?

 

Regards

 

Carlton

L6 Presenter

Yes, a quick search on 'l3 sub' has several useful results. Here's one:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-Tagged-Sub-Interfaces/ta-p...

 
