07-13-2012 12:42 AM
Hi All,
I have an application server in my network. Now I want to make this application accessible from the internet through a public IP (live IP).
I don't know what the steps are for that. Please help me.
Thanks in advance
07-13-2012 12:49 AM
You need to set up NAT (or DNAT, destination NAT, meaning the dstip will be changed: when clients on the internet connect to your public IP at a specific port, the PA device will alter the packet so its dstip is changed to the local IP and then forward the packet to the local IP server).
07-18-2012 12:56 AM
Thanks mikand!!!
It's done successfully. But if I want to map more than one application, each on a different port, to the single live IP, what will be the steps for configuration?
I tried with service and IP, but with the NAT policy only the policy with first priority works.
07-18-2012 02:26 PM
For the original packet you set up what this particular NAT rule should trigger on.
So let's assume you have traffic from srczone:Internet towards your public IP and service:12345.
srczone:Internet
dstzone:Internet
srcip:any
dstip:<your public IP that the client will talk to>
service:TCP_12345
The translated packet will then look like:
translated address:<ip of the server in DMZ or where it now might be located>
translated port: just leave it blank (or manually fill in 12345)
Now the above is to change the IP header for matching packets.
You still need to set up a security rule before the packets are allowed to reach that server in the DMZ:
srczone:Internet
dstzone:DMZ
srcip:any
dstip:<your public IP that the client will talk to>
service:TCP_12345
appid:smtp (or whatever appid is applicable in your case)
The above is to DNAT incoming traffic. If you want your server in the DMZ to initiate outbound traffic on its own, you need to set up a similar SNAT.
The above, when dealing at the service (port) level, is good when you have only a single or a few public addresses. So the same IP will forward to different servers in the DMZ depending on which proto/port the client is addressing. So you just redo the above work and set up another DNAT rule for the next service and another security rule to allow that service (along with appid if possible).
To make it easier you can set up a 1:1 DNAT (and SNAT at the same time) so that a particular public IP always matches a particular DMZ IP.
This way you won't need to set up more NAT rules (only one per server) and only have to set up security rules for each traffic flow (of course depending on how you set up these security rules, but I would recommend you to be as narrow as possible when you set up allow rules).
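The following is an added example, not code from the thread or from Palo Alto Networks. It models the two-stage evaluation the answer above describes: DNAT rules are checked top-down and the first match wins, and the security rule is then matched on the pre-NAT (public) destination IP but the post-NAT destination zone. The addresses, zone names, rule names and ports are constructed for illustration. It also reproduces the "only the first priority policy works" symptom from the question: a DNAT rule whose service is left at "any" placed above port-specific rules shadows them, so every port lands on the first server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed addressing: one public ("live") IP and two servers in the DMZ.
PUBLIC_IP = "203.0.113.10"
SMTP_SERVER = "10.10.0.25"
WEB_SERVER = "10.10.0.80"

# Constructed routing table: which zone a destination address belongs to.
# The firewall derives the post-NAT destination zone from this lookup.
ZONE_ROUTES = {
    ipaddress.ip_network("10.10.0.0/24"): "DMZ",
    ipaddress.ip_network("0.0.0.0/0"): "Internet",  # default route
}


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the constructed routes."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ZONE_ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ZONE_ROUTES[best]


@dataclass
class Packet:
    src_zone: str
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str            # zone of the PRE-NAT destination (e.g. Internet)
    dst_ip: str              # pre-NAT destination IP, or "any"
    service: Optional[int]   # TCP port to match; None means "any"
    translated_ip: str
    translated_port: Optional[int] = None  # None keeps the original port


@dataclass
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str            # POST-NAT zone (where the real server lives)
    dst_ip: str              # still the PRE-NAT public IP, or "any"
    service: Optional[int]
    action: str = "allow"


def apply_dnat(pkt: Packet, rules: Sequence[NatRule]) -> Tuple[Packet, Optional[str]]:
    """Top-down, first match wins; returns the translated packet and rule name."""
    pre_nat_zone = zone_of(pkt.dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (pkt.src_zone, pre_nat_zone):
            continue
        if r.dst_ip not in ("any", pkt.dst_ip):
            continue
        if r.service is not None and r.service != pkt.dst_port:
            continue
        port = r.translated_port if r.translated_port is not None else pkt.dst_port
        return Packet(pkt.src_zone, r.translated_ip, port), r.name
    return pkt, None  # no translation


def security_verdict(pkt: Packet, post_nat: Packet,
                     rules: Sequence[SecurityRule]) -> Tuple[str, Optional[str]]:
    """Match on pre-NAT IP/port but post-NAT zone; implicit interzone deny."""
    post_nat_zone = zone_of(post_nat.dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (pkt.src_zone, post_nat_zone):
            continue
        if r.dst_ip not in ("any", pkt.dst_ip):  # original (public) IP
            continue
        if r.service is not None and r.service != pkt.dst_port:
            continue
        return r.action, r.name
    return "deny", None


def forward(pkt: Packet, nat_rules: Sequence[NatRule],
            sec_rules: Sequence[SecurityRule]) -> dict:
    """Full path: DNAT lookup, then security policy; returns the server reached."""
    post_nat, nat_name = apply_dnat(pkt, nat_rules)
    action, sec_name = security_verdict(pkt, post_nat, sec_rules)
    return {
        "server": post_nat.dst_ip if action == "allow" else None,
        "nat_rule": nat_name,
        "security_rule": sec_name,
        "action": action,
    }


# Correct layout: one port-specific DNAT rule per application on the same public IP.
NAT_PER_SERVICE = [
    NatRule("DNAT-smtp", "Internet", "Internet", PUBLIC_IP, 25, SMTP_SERVER),
    NatRule("DNAT-https", "Internet", "Internet", PUBLIC_IP, 443, WEB_SERVER),
]
# Shadowed layout: first rule's service is "any", so later rules never match.
NAT_SHADOWED = [
    NatRule("DNAT-smtp-any", "Internet", "Internet", PUBLIC_IP, None, SMTP_SERVER),
    NatRule("DNAT-https", "Internet", "Internet", PUBLIC_IP, 443, WEB_SERVER),
]
# Security rules: Internet -> DMZ, destination is the public IP, one per service.
SECURITY = [
    SecurityRule("Allow-smtp", "Internet", "DMZ", PUBLIC_IP, 25),
    SecurityRule("Allow-https", "Internet", "DMZ", PUBLIC_IP, 443),
]
# Common mistake: security rule written against the DMZ address instead of the
# public IP; it never matches because the policy sees the pre-NAT destination.
SECURITY_WRONG_IP = [
    SecurityRule("Allow-https-wrong", "Internet", "DMZ", WEB_SERVER, 443),
]

if __name__ == "__main__":
    for port in (25, 443, 8080):
        print(port, forward(Packet("Internet", PUBLIC_IP, port), NAT_PER_SERVICE, SECURITY))
    print("shadowed 443:", forward(Packet("Internet", PUBLIC_IP, 443), NAT_SHADOWED, SECURITY))
```

Running the block prints which DMZ server each port reaches; with the shadowed rule set, port 443 is delivered to the SMTP server even though a matching HTTPS rule sits below, which is exactly what "only the first-priority policy works" looks like from the outside. Port 8080 hits no DNAT rule, stays in the Internet zone, and is dropped by the implicit deny, which is the narrow-allow behaviour the answer recommends.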