How to access Local ip from Public ip

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to access Local ip from Public ip

L0 Member

Hi All,

I have a application server in my network. now i want to make this applicable accessible from internet through Public ip (Live Ip).

i don't know what will be the steps for that. please help me.

Thanks in advance

1 accepted solution

Accepted Solutions

L6 Presenter

You need to setup NAT (or DNAT, destination nat - meaning dstip will be changed so when clients on internet connect to your public ip at a specific port the PA device will alter the packet so its dstip will be changed to the localip and then forward the packet to the localip server).

Check out this document for more information:

View solution in original post

3 REPLIES 3

L6 Presenter

You need to setup NAT (or DNAT, destination nat - meaning dstip will be changed so when clients on internet connect to your public ip at a specific port the PA device will alter the packet so its dstip will be changed to the localip and then forward the packet to the localip server).

Check out this document for more information:

Thanks mikand!!!

it's done successfully. but if i want to map more than one application with different port to the single live ip. than what will be the steps for configuration.

i tried with service and ip but NAT policy , policy with first priority only works.

For original packet you setup what this particular NAT rule should trigger on.

So lets assume you have traffic from srczone:Internet towards your public ip and service:12345.

srczone:Internet

dstzone:Internet

srcip:any

dstip:<your public IP that the client will talk to>

service:TCP_12345

Translated packet will then look like:

translated address:<ip of the server in DMZ or where it now might be located>

translated port: just leave it blank (or manually fill in 12345)

Now the above is to change the ip header for matching packets.

You still need to setup a security rule before the packets are allowed to reach that server at DMZ:

srczone:Internet

dstzone:DMZ

srcip:any

dstip:<your public IP that the client will talk to>

service:TCP_12345

appid:smtp (or whatever appid is applicable in your case)

The above is to DNAT incoming traffic. If you want your server at DMZ to on its own initiate outbound traffic you need to setup similar SNAT.

The above, when dealing at service (port) level, is good when you have only a single or a few public addresses. So the same ip will forward to different servers in DMZ depending on which proto/port the client is addressing. So you just redo the above work and setup another DNAT rule for next service and another security rule to allow that service (along with appid if possible).

To make it easier you can setup a 1:1 DNAT (and SNAT at the same time) so that a particular public ip always matches with a particular DMZ ip.

This way you wont need to setup more NAT-rules (only one per server) and only have to setup security rules for each traffic flow (of course depending on how you setup these security rules but I would recommend you to be as narrow as possible when you setup allow-rules).

  • 1 accepted solution
  • 3548 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!