How to translate IP and port from trust to trust?

L1 Bithead

My goal is to be able to reroute traffic from internal server 192.168.0.10 port 123 to another internal server 192.168.0.20 port 456.

My understanding is that I do not need a U-turn NAT rule since we're using internal IP addresses; however, so far I've not found any rule configuration that successfully makes the translation when tested, nor have I been able to find any examples of others doing something similar.

Any help on this would be much appreciated.


L7 Applicator

What are the actual source (address and zone) and destination (address and zone) between which you want to have the connection?

For example client machine is 192.168.0.105

They currently access website at http://192.168.0.10

I'm setting up a server to act as failover on 192.168.0.20

I do not want users to have to manually change their bookmarks etc. in case of failure; rather, I have a script on .20 that monitors .10, and I would like that script to access the Palo Alto API to reroute traffic from .10 to .20.

I already have the script and API figured out and working; however, I haven't figured out how to set up the NAT rule to forward traffic from .10 to .20 when the client is internal.

Forgot to mention that client and both servers are all in trust zone

Do you have a vwire between the clients and servers or are they all located in the same (I assume /24) subnet?

They are in the same subnet

So then the connection goes directly and not over the firewall, which means that in this configuration there is no way to configure a NAT rule on the firewall.

To be able to do that you would need an IP on the firewall. Then the firewall will be able to re-route the traffic with a NAT policy, and in case of a failure you can change this NAT rule.
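The failover script the original poster describes (monitor .10, call the PAN-OS API, repoint traffic to .20) and the accepted answer's precondition (the address clients connect to must live on the firewall so the flow actually traverses it) can be put together as follows. This is an added example, not code from the thread or from Palo Alto Networks. It assumes a destination-NAT rule that already exists on the firewall, a firewall management URL, a CA file for certificate verification, and an API key read from the environment; the rule name, hostname and vsys name are made up for illustration. The XPath and element follow the PAN-OS XML API configuration schema for a NAT rule's destination-translation node.

```python
"""
Failover helper: when the primary server stops answering, point an existing
PAN-OS destination-NAT rule at the standby server through the XML API.

Added example, not code from the thread. Assumes (as the accepted answer
requires) that clients connect to an address held by the firewall, and that
a destination-NAT rule named NAT_RULE already exists. FIREWALL, NAT_RULE and
VSYS are illustrative values, not taken from the thread.
"""
import os
import socket
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL = "https://fw.example.internal"   # assumption: management address
NAT_RULE = "web-vip-dnat"                   # assumption: name of the existing DNAT rule
VSYS = "vsys1"                              # assumption: single-vsys firewall
PRIMARY = ("192.168.0.10", 123)             # addresses and ports from the thread
STANDBY = ("192.168.0.20", 456)


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def nat_translation_xpath(rule_name, vsys=VSYS):
    """XPath of the destination-translation node of a NAT rule in the given vsys."""
    return (
        "/config/devices/entry[@name='localhost.localdomain']"
        f"/vsys/entry[@name='{vsys}']/rulebase/nat/rules"
        f"/entry[@name='{rule_name}']/destination-translation"
    )


def nat_translation_element(ip, port):
    """XML fragment that sets the translated address and port of a DNAT rule."""
    return (
        f"<translated-address>{ip}</translated-address>"
        f"<translated-port>{port}</translated-port>"
    )


def api_call(params, api_key, firewall=FIREWALL, cafile=None):
    """POST one request to the PAN-OS XML API and return the parsed <response>."""
    data = urllib.parse.urlencode({**params, "key": api_key}).encode()
    ctx = ssl.create_default_context(cafile=cafile)  # verify the firewall's certificate
    with urllib.request.urlopen(f"{firewall}/api/", data=data, context=ctx, timeout=10) as resp:
        root = ET.fromstring(resp.read())
    if root.get("status") != "success":
        raise RuntimeError("PAN-OS API error: " + ET.tostring(root, encoding="unicode"))
    return root


def repoint_nat(ip, port, api_key, send=api_call):
    """Set the rule's translated address/port, then commit. `send` is injectable for tests."""
    send({"type": "config", "action": "set",
          "xpath": nat_translation_xpath(NAT_RULE),
          "element": nat_translation_element(ip, port)}, api_key)
    send({"type": "commit", "cmd": "<commit></commit>"}, api_key)


def failover_once(api_key, current, send=api_call, probe=tcp_probe):
    """One monitoring pass. `current` is the target the rule points at now.

    Repoints the rule only when the desired target differs from `current`,
    so a healthy steady state produces no commits. Returns the target in use.
    """
    desired = PRIMARY if probe(*PRIMARY) else STANDBY
    if desired != current:
        repoint_nat(desired[0], desired[1], api_key, send=send)
    return desired


if __name__ == "__main__":
    # Read the key from the environment rather than hard-coding it (assumed variable name).
    key = os.environ["PANOS_API_KEY"]
    print("rule now points at", failover_once(key, current=PRIMARY))
```

Two practical notes. The API key is an administrative credential: generate it for a dedicated admin account whose role is limited to the NAT rulebase and commit, and keep certificate verification on, since the script is sending that key to whatever answers at the management address. And the script only achieves anything when the flow crosses the firewall; if clients and both servers sit on the same /24 behind the firewall, as in the thread, the packets never reach the NAT rulebase no matter what the rule says.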

Gotcha. That makes sense. Thank you.
