help with NAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

help with NAT

L1 Bithead

hello im wondering if anyone can help a PAFW newbie with configuring some nat that i am trying to pass through.  i dont know how my security & nat rules should look but this is what i have configured:

 

security rule: source zone (untrust) source address (any) destination zone (untrust) destination 99.99.99.13 Accept
nat rule: source zone (untrust) source address (any) destination zone (untrust) destination address 99.99.99.13 destination translation (10.10.1.4)

 

I did NOT set up any kind of proxy arp - believe that is unneeded?

when i attempt to contact my PAFW on https://99.99.99.13 i see traffic from untrust to untrust application "incomplete", action "allow", session end reason "aged out"

 

i must be missing something somewhere?

 

thank you in advance

3 REPLIES 3

L4 Transporter

so I need to ask. is this a production environment? even if you are using private IPs for a machine, you usually wouldn't want the untrust to be able to access the trust network in a traditional network environment. if any machine on the 10.1..1.0/24 network gets compromised (or whatever the subnet mask is), it has unfiltered access to all machines on that same subnet (save for host based firewalls). even if your trust zone is subnetted, the default PA rule allows traffic between same zones. all this can be worked around of course, but best practice would be to have a DMZ zone where you can at least have a tighter control on access.

 

okay, soapbox aside...

 

the general rule here is that on your security policy, you use pre-nat IPs and post-nat zones. So in this example, your security policy should be something like:

 

source zone: untrust

source ip: any

destination zone: trust

destination ip: 99.99.99.13

 

without seeing it laid out from the GUI, your destination NAT sounds correct, however.

 

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-example... should help.

--
CCNA Security, PCNSE7

L6 Presenter

Agree with @bradk14 as more info needed. Usually,  "aged-out" as a session end reason is not a good sign and most of the time indicates an issue with a 3-way handshake. Can you ping an internal server from the firewall? Do you see any bytes received in the session logs?

L4 Transporter

Destination zone in security policy needs to be 'Trust'. Rest looks fine.

================================================================
ACE 7.0, 8.0, PCNSE 7
  • 2044 Views
  • 3 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!