This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
NAT rule to change internal IP to another on same subnet?
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- NAT rule to change internal IP to another on same subnet?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-13-2017 09:29 AM
Hi folks,
I have created a internal zone IP address I want to use as generic for FTP communications 192.168.1.9.
I want to NAT this IP to our current FTP server 192.168.1.19. This way when our FTP server changes we just change our NAT rule rather than the rest of our partner companies firewalls, routes, etc.
I've created a DNAT rule and able to ping 192.168.1.9 and get a response from 192.168.1.19, but unable to connect via ftp.
I've done this before successfully between network zones (subnets) but not on the same zone (subnet) so far.
Any suggestions?
1 ACCEPTED SOLUTION
Accepted Solutions
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-12-2017 07:37 AM
For it to work from outside you need:
From zone - Untrust
To zone - Untrust
Destination Address - 96.68.102.139
Service - create new tcp-21 with protocol tcp and port 21
Destination translation - 192.168.32.19
NB! Place this new wan rule above WebServer1 rule because otherwise WebServer1 will NAT all ports to 192.168.1.9
Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
Palo Alto Networks certified from 2011
11 REPLIES 11
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-13-2017 09:37 AM
Hey do I understand correctly that clients and FTP server are both internal in 192.168.1.x subnet?
Can you show your DNAT rule?
Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
Palo Alto Networks certified from 2011
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-13-2017 09:42 AM - edited 09-13-2017 09:49 AM
Thanks. Maybe I should create a source bi-directional rule. But do not want to disturb regular traffic to 192.168.1.19.
FTP-IP1 = 192.168.1.9
Private = 192.168.1.19
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-13-2017 09:52 AM
You have to add source nat also to the rule.
Traffic must source from firewall internal IP.
Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
Palo Alto Networks certified from 2011
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-13-2017 10:19 AM
Thank you. Do you know if that would effect communications with clients that are currently connecting and using IP 192.168.1.19 directly?
Related Content
- DHCP Lease Issue in General Topics
- VirusTotal flase positive incorrect detection in VirusTotal
- Can you setup a S2S VPN behind your Outside (untrusted) interface on same firewall? in General Topics
- Internal/External Gateway User-id in GlobalProtect Discussions
- Ingesting Syslog to Private/Internal Syslog in Cortex XDR Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks