03-17-2011 08:18 AM
I have a brand new PA500 that I have set up, and everything is working fine in the outbound direction, e.g. I can access the internet etc. The problem I have is in the inbound direction. My external interface IP address is set to 126.96.36.199/28, and I have a number of other external IP addresses that I need to NAT to internal private IP addresses. These are as follows:
External IP       Internal IP    Purpose
188.8.131.52      172.16.0.7     Microsoft ISA
184.108.40.206    172.16.0.7     Microsoft ISA
220.127.116.11    172.16.0.13    SMTP traffic
18.104.22.168     172.16.0.39    Port 80 traffic
22.214.171.124    172.16.0.10    Port 443 traffic
The problem comes when I try to add the multiple external IPs to the external interface of the PA500; I get the following error:
03-17-2011 09:01 AM
The way to configure this is to configure NAT rules in your policies tab.
Just configure a rule per NAT that you stated and set the destination addressing.
I assume that you have an interface in the specified subnet on your external interface. That should do the trick.
Then make sure your security policies allow the incoming traffic.
03-18-2011 11:40 AM
You don't need an IP address bound to an interface for each NAT rule. The PAN device (like many firewalls) replies to ARP requests for each public IP address you have configured in your NAT policy.
03-22-2011 01:29 PM
Try using /32 as the netmask for any additional IP addresses. For example, if you want to assign, let's say, 172.16.5.2, 172.16.5.3 and 172.16.5.4 to a single interface, you would add:
172.16.5.2/24 <- using the correct netmask here
This worked for me.
Hope this helps...
03-22-2011 03:03 PM
NATing is the route you need to take. Here is an example similar to yours, where I have multiple servers behind the PA unit.
The first thing I did to make it easier was to create Address objects for each server:
Example: ISAServer1_DMZ = 172.16.0.7 (the internal IP address)
ISAServer1_Public = 126.96.36.199 (the public internet address)
Next you would go to Policies-->NAT
Source Zone would be your internet facing interface zone.
Destination zone would also be your internet facing zone.
Destination Address would be "ISAServer1_Public"
On the Translate tab you would choose Destination Translation with an address of "ISAServer1_DMZ" as translated address
That's for incoming. I've also done an outgoing NAT for each of my servers so they always report their own public IP. You would use a Static NAT for that.
Take this with a grain of salt. This is the first PA unit I've worked with and only started about 3 weeks ago.
03-22-2011 04:33 PM
dkraus - this is not the correct way to do multiple IPs on the external interface of a PAN.
If you add the address a.b.c.d/24, the firewall will ARP for any address in that subnet. You don't need to add extra addresses on the interface, you just add the NAT rules you need and the firewall will answer for any IP that has a matching NAT rule.
This is different from many firewalls, where you have to explicitly add each individual IP you want to answer on the external iface.
If you only want to use a single address, or say 3 addresses out of a /28 block or something, just add each of those individual ones as /32 on the external interface. This ensures that the PAN couldn't possibly attempt to ARP for any of the other addresses.
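The procedure the replies above describe (address objects per server, one destination-NAT rule per public IP, a security rule that allows the inbound traffic, and no extra addresses bound to the external interface), written out as PAN-OS configure-mode CLI for the original poster's address list. This is an added example, not configuration posted by anyone in the thread; it assumes zone names "untrust" and "trust", ethernet1/1 as the external interface, and the object and rule names shown. The `#` lines are annotations for the reader, not CLI input, so strip them before pasting.

```panos
# Added example (not from the thread). Assumptions: zones "untrust"/"trust",
# external interface ethernet1/1, object and rule names below.
configure

# External interface keeps the one address the firewall itself uses. No further
# addresses are needed: the NAT rules below make the firewall answer ARP for
# each public IP that has a matching rule.
set network interface ethernet ethernet1/1 layer3 ip 126.96.36.199/28

# Address objects: internal hosts and the public IPs they are published on.
set address ISAServer1_DMZ ip-netmask 172.16.0.7/32
set address ISAServer1_Public ip-netmask 188.8.131.52/32
set address ISAServer1_Public2 ip-netmask 184.108.40.206/32
set address SMTP_DMZ ip-netmask 172.16.0.13/32
set address SMTP_Public ip-netmask 220.127.116.11/32
set address Web80_DMZ ip-netmask 172.16.0.39/32
set address Web80_Public ip-netmask 18.104.22.168/32
set address Web443_DMZ ip-netmask 172.16.0.10/32
set address Web443_Public ip-netmask 22.214.171.124/32

# Inbound destination NAT. Both zones are "untrust" because NAT rules are
# matched on the pre-NAT packet, whose destination is still the public IP.
set rulebase nat rules DNAT-ISA-1 from untrust to untrust source any destination ISAServer1_Public service any destination-translation translated-address ISAServer1_DMZ
set rulebase nat rules DNAT-ISA-2 from untrust to untrust source any destination ISAServer1_Public2 service any destination-translation translated-address ISAServer1_DMZ
set rulebase nat rules DNAT-SMTP from untrust to untrust source any destination SMTP_Public service any destination-translation translated-address SMTP_DMZ
set rulebase nat rules DNAT-Web80 from untrust to untrust source any destination Web80_Public service any destination-translation translated-address Web80_DMZ
set rulebase nat rules DNAT-Web443 from untrust to untrust source any destination Web443_Public service any destination-translation translated-address Web443_DMZ

# Security policy: destination is the PRE-NAT (public) address, but the
# destination zone is the POST-NAT zone of the internal server. Each rule is
# narrowed to the application/service that server actually publishes.
set rulebase security rules Allow-SMTP-In from untrust to trust source any destination SMTP_Public application smtp service application-default action allow
set rulebase security rules Allow-Web80-In from untrust to trust source any destination Web80_Public application web-browsing service service-http action allow
set rulebase security rules Allow-Web443-In from untrust to trust source any destination Web443_Public application ssl service service-https action allow
# The thread does not say which ports ISA publishes; replace "any" with the
# real application and service objects before deploying.
set rulebase security rules Allow-ISA-In from untrust to trust source any destination [ ISAServer1_Public ISAServer1_Public2 ] application any service any action allow

# Optional, per the earlier reply: a bidirectional static NAT makes the server
# source its own outbound traffic from its public IP. It also creates the
# inbound translation, so drop the DNAT-SMTP rule above if you use it.
set rulebase nat rules Static-SMTP from trust to untrust source SMTP_DMZ destination any service any source-translation static-ip translated-address SMTP_Public bi-directional yes

commit
```

Two checks after the commit: `show arp all` on a host in the same /28 (or `test nat-policy-match` on the firewall) should show the firewall answering for each public IP that has a rule, and `test security-policy-match from untrust to trust destination 220.127.116.11 protocol 6 destination-port 25 source <any-external-ip>` should hit Allow-SMTP-In, confirming that the policy is evaluated against the pre-NAT address and post-NAT zone.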
04-30-2012 01:07 AM
Greetings! thanks for this information.
I am currently having this problem and I have done the NAT policies. Unfortunately I still have the same problem.
Can you provide a screenshot of your solution? Maybe I am doing something wrong with my configuration.
Appreciate the help!
04-30-2012 02:01 AM
That sounds really odd.
Of course you must specify the true netmask somewhere for an L3 interface, so the PA unit knows what's local (and sends ARP who-has) and what's remote (and is sent to the default gateway or next hop).