How to configure PAN to allow SFTP traffic over a public IP.
From internal to the internet or from the internet to a host in your internal network?
In both cases you need a NAT rule and a security policy rule that allows ssh.
Thanks for your reply, I am new to this process.
Working on a task to migrate existing DMZ traffic from ASA to Palo Alto.
What exactly are you trying to configure? Allow SFTP from internal/DMZ to the internet, or from the internet to an internal or DMZ server? If from the internet, does your server have a public or private IP?
In order to let the community help, you need to give us some more information about the situation.
Does your DMZ server have a private IP? If yes, then you need a security policy rule that allows SSH from your DMZ server zone and IP to the internet. In addition you need a NAT rule with your DMZ server zone/IP as source and the internet zone as destination. In the translated address tab, configure dynamic IP and port and interface IP. There you choose your internet-facing interface and the corresponding IP.
I did create a NAT policy where both source and destination are untrust zones, source: any, destination is the public IP, and destination address translation is the private IP (SFTP IP). Hope I am right.
Source: untrust, IP address: any
Destination: trust, IP address: not sure which IP I should give, the SFTP private IP or the public IP.
Application: any, service: sftp, action: allow
Check out this article, it may help out:
Thanks for the link... I read a few documents.
Looks like this will exactly serve my purpose.
I am adding a new external IP (public IP) and pointing it to the existing SFTP IP (private IP). Correct me if I am wrong.
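As an added example (not part of the original thread or of any poster's configuration), here are the two rule pairs discussed above as PAN-OS CLI set commands: destination NAT plus security policy for inbound SFTP to a DMZ server with a private IP, and source NAT plus security policy for the DMZ server reaching the internet. The rule names, zone names (untrust, dmz), the public IP 203.0.113.10, the server IP 10.1.10.25, the client IP 198.51.100.7 and the interface ethernet1/1 are assumptions; substitute your own. The point that decides the open question about which IP to put in the security rule: PAN-OS matches security policy on pre-NAT addresses but post-NAT zones, so the inbound security rule uses the public IP as destination address together with the DMZ zone as destination zone, while the NAT rule's destination zone is the zone in which the public IP is routed (untrust). SFTP runs over SSH, so App-ID ssh with service application-default (tcp/22) covers it; if the server listens on a non-standard port, use a custom service object instead of application-default.

```text
# Added example, PAN-OS CLI in configure mode. All names, IPs, zones and
# ethernet1/1 are assumptions; check the syntax against your PAN-OS version.

# --- Inbound: internet -> SFTP server in the DMZ ---------------------------
# Destination NAT. Destination zone is untrust because that is where the
# public IP is routed before translation; the DMZ zone is not used here.
set rulebase nat rules Inbound-SFTP from untrust to untrust source any destination 203.0.113.10 service any
set rulebase nat rules Inbound-SFTP destination-translation translated-address 10.1.10.25

# Matching security rule: pre-NAT destination address (the public IP),
# post-NAT destination zone (dmz), App-ID ssh on its default port.
set rulebase security rules Allow-Inbound-SFTP from untrust to dmz source any destination 203.0.113.10
set rulebase security rules Allow-Inbound-SFTP application ssh service application-default action allow
set rulebase security rules Allow-Inbound-SFTP log-end yes

# --- Outbound: DMZ server -> internet (the case described earlier) ---------
# Source NAT with dynamic IP and port behind the internet-facing interface.
set rulebase nat rules Outbound-DMZ from dmz to untrust source 10.1.10.25 destination any service any
set rulebase nat rules Outbound-DMZ source-translation dynamic-ip-and-port interface-address interface ethernet1/1

set rulebase security rules Allow-DMZ-Outbound-SSH from dmz to untrust source 10.1.10.25 destination any
set rulebase security rules Allow-DMZ-Outbound-SSH application ssh service application-default action allow
set rulebase security rules Allow-DMZ-Outbound-SSH log-end yes

commit

# --- Verify from operational mode (assumed client 198.51.100.7) -----------
# NAT lookup uses pre-NAT zones and addresses; the security lookup uses the
# pre-NAT destination address but the post-NAT destination zone.
test nat-policy-match from untrust to untrust source 198.51.100.7 destination 203.0.113.10 protocol 6 destination-port 22
test security-policy-match from untrust to dmz source 198.51.100.7 destination 203.0.113.10 protocol 6 destination-port 22 application ssh
```

After the commit, the two test commands should each return the rule named above; if the security lookup returns nothing, the usual cause is a security rule written with the private IP or with untrust as destination zone. Once the rules are in place, check the traffic log for the session and confirm that the NAT columns show 203.0.113.10 translated to 10.1.10.25 and that the application column identifies the session as ssh rather than leaving it as unknown-tcp.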