NAT Translation to web server in 4.1.2 when WAN in DHCP Client


L0 Member

Hello,

I have a PA-500 and need to set up some NAT Translation so external users can access some internal web and VMware View Servers in my lab.

Since my Ethernet1/1 (WAN) has to be set up as a DHCP Client, what do I use in the "Originating Packet" - "Destination Address"?

I was able to trick it by creating an address entry and specifying the IP I currently have, but if that changes, this NAT rule will not work until I change to the new address.

Is there a way to tell the unit to use whatever the IP is on the untrust zone?

Any help appreciated.

1 accepted solution

Accepted Solutions

L7 Applicator

That is referred to as Destination NAT (or Static NAT in the wild). We cannot point to DHCP interface IP addresses in destination NAT or address objects. As a workaround, we need to know what IP address we receive from the DHCP server and manually configure that IP address in our configurations.

1. Go to Objects->Addresses
2. Click Add, choose IP Netmask and type in the IP address of the DHCP interface.
3. Use this address object in your NAT configurations.

I hope this helps a little.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!


Thanks for the reply, I appreciate it.

I come from the Juniper world.  On the SRX, if you are using DHCP on the WAN connection, you basically specify the Destination-Address as 0.0.0.0/0 and it will use whatever IP address is assigned to the WAN interface via DHCP.

Here's a snippet of my original Juniper SRX config (which has been replaced by the PA-500).

Example of Destination NAT rule:

rule-set Incoming {
    from zone untrust;
    rule RDP_3389 {
        match {
            destination-address 0.0.0.0/0;
            destination-port 3389;
        }
    }
}

Example of Security policy to allow RDP traffic in:

policy rdp-in-vmutils01 {
    match {
        source-address any;
        destination-address vmutils01;
        application RDP3389;
    }
    then {
        allow;
        log {
            session-init;
            session-close;
        }
    }
}

In this scenario, even if the wan ip changes, all destination NATs will still function provided I have Dynamic DNS configured correctly on my end.

Thanks again.  Is there any way to add that as a feature request?  And if so, what's the procedure?

I've got the same setup on my PA-200. I have solved this problem by creating an address object with my dyn-dns address, and using that in my NAT policy (as the original packet - destination address). Provided your PA has the service route for DNS set correctly, this seems to be working fine.

Also, for the record, in order to put in a Feature Request, you need to contact your reseller or local SE, and they can handle that for you.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
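The two workarounds above (a static IP Netmask object that must be edited after every lease change, or an FQDN object pointing at a dynamic-DNS name) differ in how they fail silently. The following script is an added example, not from this thread or from Palo Alto Networks: it walks a constructed PAN-OS-style config fragment and reports NAT rules whose original-packet destination is a static address object that no longer matches the currently leased WAN address, while skipping FQDN objects that the firewall re-resolves on its own. The element names and all IPs and object names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_interface

# Constructed PAN-OS-style config fragment; element layout, names and
# addresses are assumed for this example and are not from a real device.
CONFIG_XML = """
<vsys>
  <address>
    <entry name="wan-static"><ip-netmask>203.0.113.10/32</ip-netmask></entry>
    <entry name="wan-ddns"><fqdn>lab.example.net</fqdn></entry>
  </address>
  <rulebase><nat><rules>
    <entry name="web-in">
      <from><member>untrust</member></from>
      <destination><member>wan-static</member></destination>
    </entry>
    <entry name="view-in">
      <from><member>untrust</member></from>
      <destination><member>wan-ddns</member></destination>
    </entry>
  </rules></nat></rulebase>
</vsys>
"""


def stale_nat_rules(config_xml, current_wan_ip):
    """Return (rule, object, configured_ip) for every NAT rule whose
    original-packet destination is a static ip-netmask object that no
    longer equals the DHCP-leased WAN address.  FQDN objects are skipped:
    the firewall re-resolves them, so a dynamic-DNS name tracks the lease."""
    root = ET.fromstring(config_xml)
    static_objects = {}
    for entry in root.iterfind("./address/entry"):
        node = entry.find("ip-netmask")
        if node is not None:
            static_objects[entry.get("name")] = ip_interface(node.text).ip
    current = ip_interface(current_wan_ip).ip
    stale = []
    for rule in root.iterfind("./rulebase/nat/rules/entry"):
        for member in rule.iterfind("./destination/member"):
            configured = static_objects.get(member.text)  # None for fqdn/any
            if configured is not None and configured != current:
                stale.append((rule.get("name"), member.text, str(configured)))
    return stale
```

Run it against the leased address after each DHCP renewal (or from a monitoring job) and alert on a non-empty result, which is exactly the case where inbound NAT stops working without any error on the firewall.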

Not applicable

Thanks, that works really well.

L0 Member

I can't believe there isn't an easy way to specify this in this product since both Cisco and Juniper support pointing to a DHCP address.
