- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-25-2010 07:38 AM
Hello,
I have migrated a configuration from an netscreen firewall.
On the netscreen on the outside interface (against the internet) there are two mip ip's configured,
one of the MIP ip's are on the same subnet as the ip on the main ip. But the other IP is on a different subnet.
Like this:
main public ip: 192.168.1.1/29
MIP ip one: 192.168.1.2
MIP ip two: 10.1.1.10
I had no problems making the correct configuration for NAT on the MIP one ip. Inbound to a mailserver.
But I am struggeling doing the configuration for MIP ip two. It does not work.
Do I need to add the MIP ip two as a loopback ip on the untrust zone or can I add it to the interface as a secondary ip? 10.1.1.10/32.
How do I make the nat configuration for the MAP two ip?
Can anyone help?
Jo Christian
06-25-2010 04:03 PM
Hi Jo,
Typically when traffic is not hitting a NAT or Security policy it is due to some sort of routing or lower-level issue. To debug these types of issues you might check the drop counters or do a debug flow basic to see how the traffic is being processed and at what stage it is being dropped. Support can also help out with this.
Here is some quick information on how to check the counters and the debug flow basic:
Show Drop Counters
Set a filter to control what traffic is counted
debug dataplane packet-diag set filter match <criteria>
debug dataplane packet-diag set filter on
Show the drop counters (absolute or relative to last time command was run)
show counter global packet-filter yes | match drop
show counter global filter severity drop packet-filter yes delta yes
Debug Flow Basic
Set a filter to control what traffic is logged
debug dataplane packet-diag set filter match <criteria>
debug dataplane packet-diag set filter on
Enable debug logging
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag clear log log
debug dataplane packet-diag set log on
View the debug log (tail or less)
less dp-log pan_packet_diag.log
tail dp-log pan_packet_diag.log
Hope that helps,
Kelly
06-25-2010 12:11 PM
Hi Jo,
The destination NAT IP does not need to be in the same subnet as the interface IP in our implementation for this to work. The PAN device will ARP for the address and all should work fine.
There are a couple ways to convert a ScreenOS MIP to PANOS NAT rules:
Once you have your NAT rule(s) then make sure the Security Policy has correct rules allowing the traffic in using the original (pre-NAT) IPs.
Cheers,
Kelly
06-25-2010 03:24 PM
Hello and thanks for your reply.
Yes this is what I did (your suggestion number 2) but when making the security policy my rule always get "tagged" as unused when hitting the "show unused" button. Is there some way to debug the reason for the rule being tagged as unused?
I don't have any other rules that should interfere with this one.
Jo Christian
06-25-2010 04:03 PM
Hi Jo,
Typically when traffic is not hitting a NAT or Security policy it is due to some sort of routing or lower-level issue. To debug these types of issues you might check the drop counters or do a debug flow basic to see how the traffic is being processed and at what stage it is being dropped. Support can also help out with this.
Here is some quick information on how to check the counters and the debug flow basic:
Show Drop Counters
Set a filter to control what traffic is counted
debug dataplane packet-diag set filter match <criteria>
debug dataplane packet-diag set filter on
Show the drop counters (absolute or relative to last time command was run)
show counter global packet-filter yes | match drop
show counter global filter severity drop packet-filter yes delta yes
Debug Flow Basic
Set a filter to control what traffic is logged
debug dataplane packet-diag set filter match <criteria>
debug dataplane packet-diag set filter on
Enable debug logging
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag clear log log
debug dataplane packet-diag set log on
View the debug log (tail or less)
less dp-log pan_packet_diag.log
tail dp-log pan_packet_diag.log
Hope that helps,
Kelly
06-28-2010 08:33 AM
Hello,
Everything working now. Had to restart the DSL modem for the other subnet to work correctly.
Thank you for your help!
Jo Christian
09-16-2010 12:04 AM
Hi Guru,
My netscreen configuration for MIP mail server as follwing:
set interface "ethernet0/3" mip 210.24.x.x host 146.168.y.y netmask 255.255.255.255 vr "trust-vr"
set policy id 4 from "Internet" to "Trust" "Any" "MIP(210.24.x.x)" "Mail Services" permit log
set policy id 4
set route source 146.168.y.y/32 interface ethernet0/3 gateway 210.24.x.z
And i would like to convert the config from netscreen to PaloAlto, what configuration on the Palo Alto that i suppose to configure? It's that i suppose to do as following if base on the TechNote_UnderstandingNAT:
1) Internet Inbound to DMZ servers
2) DMZ servers outbound to internet
3) U-Turn in the same zone
09-16-2010 06:56 AM
Here is the full package you can copy / paste for CLI then make modifications in the Web Console. I am not a fan on add App-ID when I do the migration but it is not that hard if you know the protocol. Since I don't know if "mail service" is only SMTP or the full array of mail protocols, I am including all services. I don't know if your NetScreen includes an Outbound rule for your mail server.
set service POP3-Service protocol tcp 110
set service SSL-POP3-Service protocol tcp 995
set service SMTP-Service protocol tcp 25
set service SSMTP-Service protocol tcp 465
set service IMAP-Service protocol tcp 143
set service IMAP4-SSL-Service protocol tcp 585
set service IMAPS-Service protocol tcp 993
set group service Mail-Services add POP3-Service
set group service Mail-Services add SSL-POP3-Service
set group service Mail-Services add SMTP-Service
set group service Mail-Services add SSMTP-Service
set group service Mail-Services add IMAP-Service
set group service Mail-Services add IMAP4-SSL-Service
set group service Mail-Services add IMAPS-Service
set address "Mail-NAT" ip-netmask 210.24.x.x
set address "Mail-Real" ip-netmask 146.168.y.y
set rulebase security rules "Inbound Mail" from Untrust to Trust
set rulebase security rules "Inbound Mail" source Any
set rulebase security rules "Inbound Mail" destination Mail-NAT
set rulebase security rules "Inbound Mail" destination Mail-Real - I only add this for troubleshooting because sometimes I have to add multiple source zones.
set rulebase security rules "Inbound Mail" service Mail-Services
set rulebase security rules "Inbound Mail" action allow
set rulebase security rules "Inbound Mail" log-end yes
set rulebase security rules "Inbound Mail" profile-setting group Security_Profile_AV_AS_VA
set rulebase security rules "Inbound Mail" application any
set rulebase nat rules "Inbound Mail NAT" from Untrust to Untrust
set rulebase nat rules "Inbound Mail NAT" source any
set rulebase nat rules "Inbound Mail NAT" destination Mail-NAT
set rulebase nat rules "Inbound Mail NAT" service any
set rulebase nat rules "Inbound Mail NAT" destination-translation translated-address 146.168.y.y
set rulebase nat rules "Outbound Mail NAT" from Trust to Untrust
set rulebase nat rules "Outbound Mail NAT" source Mail-Real
set rulebase nat rules "Outbound Mail NAT" destination any
set rulebase nat rules "Outbound Mail NAT" service any
set rulebase nat rules "Outbound Mail NAT" source-translation static-ip translated-address 210.24.x.x
09-19-2010 11:38 PM
Hi Blacksan,
Appreciated & Thank you very much for your NAT & Security policy that convert from netscreen to PaloAlto. It's really help me a lot.
Btw, how about the source routing that applied in netscreen? as below:
set route source 146.168.y.y/32 interface ethernet0/3 gateway 210.24.x.z
09-20-2010 01:47 AM
Hi tanbc3323,
I think PBF could help you, something like this:
set rulebase pbf rules rule1 source 146.168.y.y/32
set rulebase pbf rules rule1 destination any
set rulebase pbf rules rule1 service any
set rulebase pbf rules rule1 action forward egress-interface
ethernet0/3
set rulebase pbf rules rule1 action forward nexthop ip-address
210.24.x.z
09-20-2010 06:44 AM
make sure you are running PA 3.1+ to see the Policy Base Forwarding. (PBF) which is a simply version of Policy Base Routing (PBR).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!