How can I publish a Server via a public IP from the same Subnet of the WAN Interface?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How can I publish a Server via a public IP from the same Subnet of the WAN Interface?

L2 Linker

Hi guys,

I'm new to PAN Firewalls and currently I am trying to publish a customer's SBS Server via a PAN200. The Firewall has the public IP course i posted a fake one Smiley Wink) and the server shall be accessible via

- I've configured Accessrules allowing traffic from WAN to LAN + SBS internal IP

-  Static unidirectional NAT for LAN -> WAN source sbs internal to

- Destination NAT for WAN -> WAN destination to SBS internal IP

I've tried to reach the server and I can't find anything recorder in traffic monitoring.

Hope someone has a idea to solve this.

Best regards

1 accepted solution

Accepted Solutions

change SBS_internal to public ip address on security rule

View solution in original post


L6 Presenter


Try to telnet from outside to that 220 ip for the related port and see from monitor if it shows the logs and NAT works or not

doesn't get logged either Smiley Sad

can you type your security rule and Nat rule for that traffic with details

L4 Transporter

Are you filtering the the traffic logs with destination set to the external IP address ?

security rule:

source zone: WAN any any any

dest zone: LAN SBS_internal

application and service: any


rule 1:

src zone: LAN src address SBS_internal

dst zone: WAN

static nat:

bi directional: no

rule 2:

src zone: WAN

dst zone: WAN dst address

Dest NAT: SBS_internal

all rules are on top, so nat+pat doesn't hit traffic from the server.

pinged from the server and it was sucessfully nat'ed to the expected public IP and replies came back in. however inbound connections are not logged for this public ip

yep also filtered the logs for the specific ip or WAN as dst zone, but even without filters i didn't see the traffic

change SBS_internal to public ip address on security rule

Have you specified the external ip address in the security rule ? If not can you specify the pre NAT address in the destination address field.

thanks guys, that was indeed the problem Smiley Happy

for those wondering why the traffic was dropped but not logged: you need to define a rule that matches a drop, the default deny rule does not log.

  • 1 accepted solution
  • 8 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!