So,
PAN 5.0.1
eth1/1 - Layer 3 / Internal network 10.0.0.1/24
eth1/2 - Layer 3 / External network - DHCP assigned IP adress from ISP.
Outbound NAT works. Inbound NAT i simply doesnt get to work.. 
Used the cli command test nat-policy-match from Untrust source 8.8.8.8 destination [assigned ip adress of eth 1/2] destination port 3389 protocol 6
Got rule matched on that..
Followed that up with
debug dataplane packet-diag set filter match destination [ip adress of etch1/2]
debug dataplane packet-diag set filter on
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag clear log log
debug dataplane packet-diag set log on
Then several:
tail mp-log pan_packet_diag.log
Nothing in that log
End result wanted.. Traffic going to DHCP assigned IP is NAT:ed into internal network. Ie. Satelite office ISP's gives us dhcp issued adresses / or one static / I want to host services such as rdp / ssh etc etc. IPSEC is not an option in this scenario.
Ideas for sollution? Is it even possible???
BR, Christian
I think your destination address in the security policy is wrong. Destination address should be based on the pre nat address(External DCHP address), while the desination zone should be the post nat zone(LAN).
My rule looks like this:
The reason you don't get any logs is probably because PA doesn't log traffic that is blocked by the default policy. You can temporarily log this with a CLI command ()
I don't think there is any way to automatically get the DHCP assigned address in an object, but a workaround is using a dyn-dns service and use your fqdn in the security/nat policy. ()
I thought it would..
SO I have,
Sec pol:
src - Untrust - any -any - any dst - Unstrust - any - (Application) ms-rdp - services (any) - allow - options log
Also have:
src - Untrust - any -any - any dst - Trust- internal.server.object- (Application) ms-rdp - services (any) - allow - options log
Also tried - Chaging Application to ANY and services to the same I used in the NAT rule. service-ms-rdp...
NAT policy:
src zone: Untrust dst: zone Untrust: any - any - dest adress: External DHCP interface Service: (Created service-ms-rdp 3389) - dest translation: internal.server.object
The sad part is - I don't see anything in the logs... And nothing in the debug flow either... How would you go about troubleshoot it?
And, Is there an object with the "DHCP-assigned.address" that one can use instead of the one I made that will not update if the DHCP client gets an new address... 
Br, Christian
I think your destination address in the security policy is wrong. Destination address should be based on the pre nat address(External DCHP address), while the desination zone should be the post nat zone(LAN).
My rule looks like this:
The reason you don't get any logs is probably because PA doesn't log traffic that is blocked by the default policy. You can temporarily log this with a CLI command ()
I don't think there is any way to automatically get the DHCP assigned address in an object, but a workaround is using a dyn-dns service and use your fqdn in the security/nat policy. ()
Damn thats the change I needed to make... I read the advanced NAT PDF and I got the impression that It first nats THEN check policies... Obviously, this is NOT the case
SO by adding the external IP to the ruleset - BAM, it started working right of the bat...
I soo searched for DHCP on this site and NAT.. And did not get it to work But with your great help.. It-s working like a charm.. SO The zone reflect the NATted actions, but the IP does not. Not that obvious imho... And not like any other FW i've worked. with... Juniper, Checkpoint, Clavister..... 
So, one more thing to get used to
Again, THANKS!!! Much appreciated !!!
/C
