10-23-2012 10:15 AM
I am trying to create a static destination NAT to enable RDP access on port 3389 for one of my internal servers, but no matter what I try, it just doesn't seem to work. I've read through several KB articles as well as https://live.paloaltonetworks.com/docs/DOC-1517 and I've set everything up as it seems it should be, yet no NAT session is ever created.
My policies:
NAT:
Policy 1:
Original Packet:
Source Zone: untrust
Destination Zone: untrust
Destination Interface: eth 1/1 (interface ip is 1.2.3.170/29)
Service: Any
Source Address: Any
Destination Address: 1.2.3.172
Translated Packet:
Source Address Translation: None
Destination Address Translation:
Translated Address: 172.16.200.11
Translated Port: <blank>
Policy 2:
Original Packet:
Source Zone: trust
Destination Zone: untrust
Destination Interface: any
Service: any
Source Address: 172.16.200.11
Destination Address: any
Translated Packet:
Source Address Translation:
Translation Type: Static IP
Translated Address: 1.2.3.172
Bi-directional: no (can't even find documentation on what this is, but I know it's supposed to be "no")
Destination Address Translation: None
Policy 3: Dynamic NAT policy that works properly.
Security:
Rule 1:
Source Zone: untrust
Source Address: any
User: any
Destination Zone: trust
Destination Address: 172.16.200.11
Application: Remote Desktop (Application group with ms-rdp and t.120, though I've also tried with "Any")
Service: Any
Action: Allow
Log: both start and end
The outbound NAT (Policy 2) portion works perfectly, and my internal server's source address is properly translated to the external address specified. The Inbound NAT, however, does not work at all. I don't see any security flows in the logs or anything else.
I know I'm probably missing something simple, I just can't seem to figure out what that is.
Thanks in advance for any assistance in why this doesn't seem to be working.
10-23-2012 10:19 AM
Utilize the public IP address of the server (Destination Address: 172.16.200.11) in your security policy.
10-23-2012 10:23 AM
It's a little illogical, but it seemed to work.
It's my understanding that security rules are executed after the NAT rule (hence why your destination zone is "trust"). Why would the destination address be the external address if it's supposed to have already been translated?
10-23-2012 10:46 AM
Took time for me to get this down as well, but essentially: "The addresses in the security policy refer to the IP address in the original packet, i.e. the pre-translated address. However, the destination zone is the zone where the end host is physically connected."
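As an added illustration of the lookup order described in the reply above (this is example code written for this page, not code from the thread or from Palo Alto Networks), the following Python model walks an inbound RDP packet through a NAT rule and a security rule the way the firewall does: the NAT rule is matched on pre-NAT zones and addresses, the destination zone for the security lookup comes from a route lookup of the translated address, and the security rule's address field is compared against the original (pre-NAT) destination. The route table, the 172.16.200.0/24 internal subnet, the default route and the source address 203.0.113.5 are all constructed assumptions; the two security rules are the one from the original post and the corrected one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed route-to-zone table modelled on the original post: eth1/1 is
# 1.2.3.170/29 in zone "untrust"; the RDP server 172.16.200.11 is reachable via
# an assumed 172.16.200.0/24 route in zone "trust"; the default route is assumed
# to point out of the untrust interface.
ROUTES = {
    ipaddress.ip_network("1.2.3.168/29"): "untrust",
    ipaddress.ip_network("172.16.200.0/24"): "trust",
    ipaddress.ip_network("0.0.0.0/0"): "untrust",
}


def zone_for(ip: str) -> str:
    """Destination zone = zone of the longest-prefix route matching ip."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def addr_match(spec: str, ip: str) -> bool:
    """'any' or a host/prefix string against a single address."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str                      # pre-NAT zone: where the ORIGINAL destination routes
    dst_addr: str
    translated_dst: Optional[str] = None


@dataclass
class SecRule:
    name: str
    src_zone: str
    dst_zone: str                      # post-NAT zone: where the host physically sits
    dst_addr: str                      # pre-NAT address: the original packet's destination
    action: str = "allow"


def evaluate(pkt: dict, nat_rules: list, sec_rules: list) -> dict:
    """Model of the lookup order: NAT match -> translated zone -> security match.

    pkt = {"ingress_zone": ..., "src": ..., "dst": ...}
    """
    pre_nat_dst_zone = zone_for(pkt["dst"])
    nat_hit, post_dst = None, pkt["dst"]
    for r in nat_rules:
        if (r.src_zone == pkt["ingress_zone"] and r.dst_zone == pre_nat_dst_zone
                and addr_match(r.dst_addr, pkt["dst"])):
            nat_hit = r
            if r.translated_dst:
                post_dst = r.translated_dst
            break

    post_nat_dst_zone = zone_for(post_dst)
    sec_hit = None
    for s in sec_rules:
        # Zones are evaluated post-NAT; addresses are evaluated against the original packet.
        if (s.src_zone == pkt["ingress_zone"] and s.dst_zone == post_nat_dst_zone
                and addr_match(s.dst_addr, pkt["dst"])):
            sec_hit = s
            break

    return {
        "nat_rule": nat_hit.name if nat_hit else None,
        "post_nat_dst": post_dst,
        "post_nat_dst_zone": post_nat_dst_zone,
        "security_rule": sec_hit.name if sec_hit else None,
        "action": sec_hit.action if sec_hit else "drop",   # no match -> implicit deny
    }


# NAT Policy 1 from the post: untrust -> untrust, 1.2.3.172 translated to 172.16.200.11.
NAT_RULES = [NatRule("inbound-rdp", "untrust", "untrust", "1.2.3.172", "172.16.200.11")]

# Security rule as first posted (private address) and as corrected (public address).
SEC_AS_POSTED = [SecRule("rdp-in", "untrust", "trust", "172.16.200.11")]
SEC_CORRECTED = [SecRule("rdp-in", "untrust", "trust", "1.2.3.172")]

# Constructed inbound RDP packet from an arbitrary Internet host.
PKT = {"ingress_zone": "untrust", "src": "203.0.113.5", "dst": "1.2.3.172"}

if __name__ == "__main__":
    print("as posted :", evaluate(PKT, NAT_RULES, SEC_AS_POSTED))
    print("corrected :", evaluate(PKT, NAT_RULES, SEC_CORRECTED))
```

Running it shows why the original configuration produced no session at all: the NAT rule does match, the translated destination routes to "trust" (so the security rule's destination zone "trust" is right), but the address field 172.16.200.11 never equals the packet's pre-NAT destination 1.2.3.172, so no security rule matches and the packet is dropped before any session is logged. Swapping the address to 1.2.3.172 while keeping the zone as "trust" is the combination the thread arrived at.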
10-23-2012 11:27 AM
Ahh, I see. That makes a bit more sense.
Thanks for the help.