12-02-2014 03:14 PM
PAN-200
PAN OS 6.0.0.
I've been directed to implement NAT on our PAN-200. Given that this will disrupt current traffic, I've scheduled tomorrow night to make it happen.
I'm reading 'PAN-OS Administrator's Guide Version 6.0' - it seems reasonably straightforward.
I'm about to dive into 'Understanding NAT-4.1-RevC'.
Are there any gotchas, problems, boners, things to look out for, issues, or headaches I should be aware of before I pull the trigger?
12-02-2014 04:47 PM
Hi bdunbar ,
Outbound nat is straight forward, from trust to untrust nat to this address. Or this specific source gets natted to this destination address.
Inbound nat is however tricky. ie. if you have a host that is reachable from outside on address 1.1.1.1 and private address of 192.168.1.1, your nat will look like following :
From Untrust to Untrust any source to destination 1.1.1.1 translate to 192.168.1.1
Security policy :
From Untrust to Trust from any source to destination 1.1.1.1 allow
You are already reading Understanding NAT-4.1-RevC, this should give you more insight into its working. Hope this helps. Thank you.
12-02-2014 08:53 PM
Just an heads-up, if you have any internal server to access from LAN: How to Configure U-Turn NAT
Thanks
12-30-2014 03:50 PM
As ssharma mentioned, Destination NAT configuration can be tricky.
Here's a video tutorial that guides you through its configuration.
Bi-Directional rules are not one of my favorite features, it attempts to simplify configuration and by doing so obscures sections of the configuration. If you choose to use Bi-Directional NAT rules, make sure to review the rules that have been implicitly created with command:
> show running nat-policy
Source NAT is pretty straightforward. One gotcha is that if you're trying to ping (or terminate any connection on one of the firewall's own interfaces), your source IP may be changed with the NAT policy, resulting in a LAND attack, thus having packets dropped. Make sure to configure No-NAT rules for connections that are intended to terminate in the firewall's own interfaces.
12-31-2014 02:40 PM
I also like to keep things simple. Let a NAT rule be a NAT rule and let the security rule handle hte security. That is I try not to use ports in my NAT rules, especially since I write my security rules using application and not specific ports.
01-01-2015 05:12 AM
You can keep it simple as you like if you have enough nat address space that you don't need to share addresses to the multiple servers. We just don't always have that luxury.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
