04-12-2017 09:19 AM - edited 04-12-2017 10:51 PM
Hello, I'm wondering if anyone can help a PAFW newbie with configuring some NAT that I am trying to pass through. I don't know how my security and NAT rules should look, but this is what I have configured:
Security rule: source zone (untrust), source address (any), destination zone (untrust), destination 99.99.99.13, Accept
NAT rule: source zone (untrust), source address (any), destination zone (untrust), destination address 99.99.99.13, destination translation (10.10.1.4)
I did NOT set up any kind of proxy ARP; I believe that is unneeded?
When I attempt to contact my PAFW on https://99.99.99.13, I see traffic from untrust to untrust, application "incomplete", action "allow", session end reason "aged out".
I must be missing something somewhere?
Thank you in advance.
04-12-2017 10:09 AM - edited 04-12-2017 10:11 AM
So I need to ask: is this a production environment? Even if you are using private IPs for a machine, you usually wouldn't want the untrust zone to be able to access the trust network in a traditional network environment. If any machine on the 10.10.1.0/24 network (or whatever the subnet mask is) gets compromised, it has unfiltered access to all machines on that same subnet (save for host-based firewalls). Even if your trust zone is subnetted, the default PA rule allows traffic between same zones. All this can be worked around, of course, but best practice would be to have a DMZ zone where you can at least have tighter control on access.
Okay, soapbox aside...
The general rule here is that in your security policy, you use pre-NAT IPs and post-NAT zones. So in this example, your security policy should be something like:
source zone: untrust
source IP: any
destination zone: trust
destination IP: 99.99.99.13
Without seeing it laid out from the GUI, your destination NAT sounds correct, however.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-example... should help.
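To make the "pre-NAT IPs, post-NAT zones" rule concrete, here is a small policy simulator added to this thread. It is not PAN-OS code and not from the original post; it models the documented order of operations (NAT policy matched on the original packet, translated destination routed to find the post-NAT zone, security policy matched on pre-NAT addresses but post-NAT zones, predefined intrazone-default allow and interzone-default deny) and ignores application, service and user matching. The /24 prefixes, the client address 203.0.113.7 and the rule names are constructed assumptions; only 99.99.99.13 and 10.10.1.4 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology modelled on the thread. The /24 masks are assumptions;
# the post only names the two host addresses 99.99.99.13 and 10.10.1.4.
ROUTES = {
    "untrust": ipaddress.ip_network("99.99.99.0/24"),
    "trust": ipaddress.ip_network("10.10.1.0/24"),
}


def zone_for(ip: str) -> str:
    """Route lookup: zone of the interface whose prefix contains ip;
    anything else follows the default route out the untrust interface."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ROUTES.items():
        if addr in net:
            return zone
    return "untrust"


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src: str                          # "any" or an address/prefix
    dst: str
    action: str = "allow"             # security rules only
    dst_xlate: Optional[str] = None   # destination NAT rules only


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _rule_match(r: Rule, from_zone: str, to_zone: str, src: str, dst: str) -> bool:
    return (r.from_zone in ("any", from_zone) and r.to_zone in ("any", to_zone)
            and _addr_match(r.src, src) and _addr_match(r.dst, dst))


def evaluate(nat_rules, security_rules, src_ip, dst_ip):
    """Return (translated dst, post-NAT dst zone, rule name, action).

    Order of operations modelled on PAN-OS's documented behaviour:
      1. NAT policy is matched on the original packet (pre-NAT addresses,
         destination zone from routing the ORIGINAL destination).
      2. The translated destination is routed to find the post-NAT zone.
      3. Security policy is matched on PRE-NAT addresses but POST-NAT zones.
      4. No match: the predefined intrazone-default allows same-zone traffic,
         the predefined interzone-default denies everything else.
    """
    src_zone = zone_for(src_ip)
    xlated = dst_ip
    for r in nat_rules:
        if r.dst_xlate and _rule_match(r, src_zone, zone_for(dst_ip), src_ip, dst_ip):
            xlated = r.dst_xlate
            break
    post_zone = zone_for(xlated)
    for r in security_rules:
        if _rule_match(r, src_zone, post_zone, src_ip, dst_ip):
            return xlated, post_zone, r.name, r.action
    if src_zone == post_zone:
        return xlated, post_zone, "intrazone-default", "allow"
    return xlated, post_zone, "interzone-default", "deny"


# The destination NAT rule from the original post.
NAT = [Rule("dnat-web", "untrust", "untrust", "any", "99.99.99.13", dst_xlate="10.10.1.4")]
# Security rule as posted (post-NAT zone wrong) versus the corrected one.
AS_POSTED = [Rule("web-in", "untrust", "untrust", "any", "99.99.99.13")]
CORRECTED = [Rule("web-in", "untrust", "trust", "any", "99.99.99.13")]


def decide(security_rules, src_ip="203.0.113.7", dst_ip="99.99.99.13"):
    """Outcome for one inbound connection from the constructed Internet
    client 203.0.113.7 to the published address, under the given rulebase."""
    return evaluate(NAT, security_rules, src_ip, dst_ip)


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, decide(rules))
    # Same-zone traffic with no explicit rule at all, the point of the
    # "soapbox" above: trust-to-trust is allowed by intrazone-default.
    print("trust to trust, no rules", evaluate([], [], "10.10.1.20", "10.10.1.4"))
```

Run as-is, the posted rulebase ends at interzone-default (deny) because the translated destination routes to trust while the rule says untrust; the corrected rule matches with the pre-NAT address 99.99.99.13. The last line shows why a flat trust zone is risky: with no rules configured at all, trust-to-trust traffic is still allowed by the intrazone default.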
04-12-2017 11:03 AM
Agree with @bradk14; more info is needed. Usually, "aged-out" as a session end reason is not a good sign and most of the time indicates an issue with the 3-way handshake. Can you ping an internal server from the firewall? Do you see any bytes received in the session logs?