This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

help with NAT

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

help with NAT

bwfreas
L1 Bithead

‎04-12-2017 09:19 AM - edited ‎04-12-2017 10:51 PM

hello im wondering if anyone can help a PAFW newbie with configuring some nat that i am trying to pass through.  i dont know how my security & nat rules should look but this is what i have configured:

 

security rule: source zone (untrust) source address (any) destination zone (untrust) destination 99.99.99.13 Accept
nat rule: source zone (untrust) source address (any) destination zone (untrust) destination address 99.99.99.13 destination translation (10.10.1.4)

 

I did NOT set up any kind of proxy arp - believe that is unneeded?

when i attempt to contact my PAFW on https://99.99.99.13 i see traffic from untrust to untrust application "incomplete", action "allow", session end reason "aged out"

 

i must be missing something somewhere?

 

thank you in advance

0 Likes Likes
3 REPLIES 3

bradk14
L4 Transporter

‎04-12-2017 10:09 AM - edited ‎04-12-2017 10:11 AM

so I need to ask. is this a production environment? even if you are using private IPs for a machine, you usually wouldn't want the untrust to be able to access the trust network in a traditional network environment. if any machine on the 10.1..1.0/24 network gets compromised (or whatever the subnet mask is), it has unfiltered access to all machines on that same subnet (save for host based firewalls). even if your trust zone is subnetted, the default PA rule allows traffic between same zones. all this can be worked around of course, but best practice would be to have a DMZ zone where you can at least have a tighter control on access.

 

okay, soapbox aside...

 

the general rule here is that on your security policy, you use pre-nat IPs and post-nat zones. So in this example, your security policy should be something like:

 

source zone: untrust

source ip: any

destination zone: trust

destination ip: 99.99.99.13

 

without seeing it laid out from the GUI, your destination NAT sounds correct, however.

 

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-example... should help.

--
CCNA Security, PCNSE7
0 Likes Likes

TranceforLife
L6 Presenter

‎04-12-2017 11:03 AM

Agree with @bradk14 as more info needed. Usually,  "aged-out" as a session end reason is not a good sign and most of the time indicates an issue with a 3-way handshake. Can you ping an internal server from the firewall? Do you see any bytes received in the session logs?

0 Likes Likes

ansharma
L4 Transporter

‎04-12-2017 05:30 PM

Destination zone in security policy needs to be 'Trust'. Rest looks fine.

================================================================
ACE 7.0, 8.0, PCNSE 7
0 Likes Likes
  • 2187 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks