PAN OS 6.0.0.
I've been directed to implement NAT on our PAN-200. Given that this will disrupt current traffic, I've scheduled tomorrow night to make it happen.
I'm reading 'PAN-OS Administrator's Guide Version 6.0' - it seems reasonably straightforward.
I'm about to dive into 'Understanding NAT-4.1-RevC'.
Are there any gotchas, problems, boners, things to look out for, issues, or headaches I should be aware of before I pull the trigger?
Hi bdunbar,
Outbound NAT is straightforward: from trust to untrust, NAT to this address. Or this specific source gets NATted to this destination address.
Inbound NAT is however tricky. I.e. if you have a host that is reachable from outside on address 188.8.131.52 and private address of 192.168.1.1, your NAT will look like the following:
From Untrust to Untrust any source to destination 184.108.40.206 translate to 192.168.1.1
Security policy :
From Untrust to Trust from any source to destination 220.127.116.11 allow
You are already reading Understanding NAT-4.1-RevC, this should give you more insight into its working. Hope this helps. Thank you.
As ssharma mentioned, Destination NAT configuration can be tricky.
Here's a video tutorial that guides you through its configuration.
Bi-Directional rules are not one of my favorite features; it attempts to simplify configuration and by doing so obscures sections of the configuration. If you choose to use Bi-Directional NAT rules, make sure to review the rules that have been implicitly created with command:
> show running nat-policy
Source NAT is pretty straightforward. One gotcha is that if you're trying to ping (or terminate any connection on one of the firewall's own interfaces), your source IP may be changed with the NAT policy, resulting in a LAND attack, thus having packets dropped. Make sure to configure No-NAT rules for connections that are intended to terminate in the firewall's own interfaces.
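To make the two points above concrete (a destination NAT rule written untrust-to-untrust while the matching security rule is written untrust-to-trust, and the LAND drop that a missing no-NAT rule causes), here is an added simplified model of the PAN-OS evaluation order. It is illustration code written for this thread, not Palo Alto code; the zones, routes, addresses and rule names are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: untrust interface 203.0.113.1, trust interface
# 192.168.1.254, public address 203.0.113.10 translated to web server 192.168.1.1.
ROUTES = {ip_network("192.168.1.0/24"): "trust", ip_network("0.0.0.0/0"): "untrust"}
FW_IPS = {"203.0.113.1", "192.168.1.254"}  # the firewall's own interface addresses

def zone_for(ip):
    """Destination zone comes from a route lookup; longest prefix wins."""
    addr = ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

# NAT rules match on PRE-NAT zones; first match wins, so the no-NAT rule goes first.
NAT_RULES = [
    {"name": "no-nat-to-fw", "from": "trust", "to": "untrust", "dst": FW_IPS, "nonat": True},
    {"name": "dnat-web", "from": "untrust", "to": "untrust", "dst": {"203.0.113.10"}, "dnat": "192.168.1.1"},
    {"name": "outbound-snat", "from": "trust", "to": "untrust", "dst": None, "snat": "203.0.113.1"},
]
# Security rules match on POST-NAT zones but the PRE-NAT destination address.
SEC_RULES = [
    {"name": "allow-web-in", "from": "untrust", "to": "trust", "dst": {"203.0.113.10"}, "action": "allow"},
    {"name": "allow-out", "from": "trust", "to": "untrust", "dst": None, "action": "allow"},
]

def match(rule, src_zone, dst_zone, dst):
    return (rule["from"] == src_zone and rule["to"] == dst_zone
            and (rule["dst"] is None or dst in rule["dst"]))

def evaluate(src, dst, in_zone, nat_rules=NAT_RULES):
    """Return (nat rule hit, security verdict) for one new session."""
    pre_dst_zone = zone_for(dst)                       # zone of the original destination
    nat = next((r for r in nat_rules if match(r, in_zone, pre_dst_zone, dst)), None)
    new_src, new_dst = src, dst
    if nat and not nat.get("nonat"):
        new_src = nat.get("snat", src)
        new_dst = nat.get("dnat", dst)
    if new_src == new_dst:                             # source NAT'd to the interface it talks to
        return nat["name"], "drop: LAND (source == destination after NAT)"
    post_dst_zone = zone_for(new_dst)                  # zone of the translated destination
    sec = next((r for r in SEC_RULES if match(r, in_zone, post_dst_zone, dst)), None)
    return (nat["name"] if nat else None), (sec["name"] if sec else "drop: no security rule")
```

Running `evaluate` for an inbound web session shows the NAT rule hit untrust-to-untrust and the security rule hit untrust-to-trust; running a trust-to-firewall ping with the no-NAT rule removed from the list shows the LAND drop.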
I also like to keep things simple. Let a NAT rule be a NAT rule and let the security rule handle the security. That is, I try not to use ports in my NAT rules, especially since I write my security rules using application and not specific ports.
You can keep it simple as you like if you have enough nat address space that you don't need to share addresses to the multiple servers. We just don't always have that luxury.