02-23-2016 09:34 PM
Converting config from Nortel Connectivity switch to PA200.
3 interfaces:
untrust - public IP - 202.3.41.0/28
trust - private IP - 10.10.10.0/24
dmz - 203.4.42.96/28
There is one-to-one mapping of a few untrust IPs to trust IPs (to access trust IPs from outside) and also a few one-to-one mappings from dmz to trust.
When translating this to PA200, I can do untrust to trust fine by adding NAT and security rules.
But when doing dmz to trust I am not sure about the security policies and NAT rules.
Will it be untrust to dmz (e.g. 203.4.42.99) with destination address translation, translated address 10.10.10.100 in the NAT rule, and untrust to trust (203.4.42.99) in the security rule?
02-23-2016 11:15 PM
I think it will be like that, yes. But it's a bit of a weird concept I haven't seen yet. Are there also some servers with public addresses in the DMZ? Or are there only NAT-ed servers? If it's only NAT-ed servers in the DMZ then you can easily skip configuring the DMZ on a separate interface and just configure that segment on the untrust interface.
Nothing to do with your original question: but NAT into the LAN is a very poor design regarding security. So if you have a chance, try to redesign the network.
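To check the rule pairing discussed above (NAT rule uses the pre-NAT zones from a route lookup of the original destination, the security rule uses the pre-NAT address with the post-NAT zone), here is an added example that is not part of the forum thread: a small Python script that derives both rules for each one-to-one mapping from the three subnets in the question. The `set` CLI strings it emits are an assumed rendering of the PAN-OS syntax, so verify them in your own PAN-OS version before pasting.

```python
import ipaddress

# Constructed zone/route table matching the three interfaces in the question.
ZONE_ROUTES = {
    "untrust": ipaddress.ip_network("202.3.41.0/28"),
    "trust": ipaddress.ip_network("10.10.10.0/24"),
    "dmz": ipaddress.ip_network("203.4.42.96/28"),
}
DEFAULT_ZONE = "untrust"  # default route points out the untrust interface


def zone_for(ip):
    """Zone whose connected route covers ip; the firewall picks NAT/security zones this way."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_ROUTES.items():
        if addr in net:
            return zone
    return DEFAULT_ZONE


def rules_for_mapping(name, public_ip, private_ip, ingress="untrust"):
    """Return (nat_rule, security_rule) dicts for one public->private mapping.

    NAT rule: zones are pre-NAT, so 'to' is the zone the public IP routes to.
    Security rule: destination is still the pre-NAT public IP, but the 'to'
    zone is where the translated (private) address actually lives.
    """
    nat = {"name": name, "from": ingress, "to": zone_for(public_ip),
           "destination": public_ip, "translated": private_ip}
    sec = {"name": name, "from": ingress, "to": zone_for(private_ip),
           "destination": public_ip}
    return nat, sec


def to_cli(nat, sec):
    """Assumed PAN-OS 'set' rendering of the two rules (check against your release)."""
    return [
        f"set rulebase nat rules {nat['name']} from {nat['from']} to {nat['to']} "
        f"source any destination {nat['destination']} service any "
        f"destination-translation translated-address {nat['translated']}",
        f"set rulebase security rules {sec['name']} from {sec['from']} to {sec['to']} "
        f"source any destination {sec['destination']} application any "
        f"service application-default action allow",
    ]


if __name__ == "__main__":
    # Constructed mappings: one from the dmz block, one from the untrust block.
    for name, pub, priv in [("dmz-srv", "203.4.42.99", "10.10.10.100"),
                            ("untrust-srv", "202.3.41.5", "10.10.10.50")]:
        print("\n".join(to_cli(*rules_for_mapping(name, pub, priv))))
```

The security rule always carries the public (pre-NAT) destination address even though its `to` zone is trust; putting 10.10.10.100 there is the usual mistake that leaves the session unmatched.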
02-23-2016 11:42 PM
Thanks for the info. But if you don't NAT into the LAN, how do you access the LAN from untrust if you need to? Do you move them to the DMZ and just have untrust to DMZ access?
02-24-2016 12:05 AM
Servers accessible from the internet should be in the DMZ. They should have only the necessary services/applications open towards the LAN. So if a server is breached, the attacker still has no access into the LAN and other networks (or very limited).
In what cases would you need direct access from internet to LAN?