01-23-2012 11:45 PM
Hello,
I have a PA-500 and need to set up some NAT translation so external users can access some internal web and VMware View servers in my lab.
Since my Ethernet1/1 (WAN) has to be set up as a DHCP client, what do I use in the "Originating Packet" - "Destination Address"?
I was able to trick it by creating an address entry and specifying the IP I currently have, but if that changes, this NAT rule will not work until I change to the new address.
Is there a way to tell the unit to use whatever the IP is on the untrust zone?
Any help appreciated.
01-24-2012 01:20 PM
That is referred to as Destination NAT (or Static NAT in the wild). We cannot point to DHCP interface IP addresses in destination NAT or address objects. As a workaround, we need to know what IP address we receive from the DHCP server and manually configure that IP address in our configurations.
1. Go to Objects->Addresses
2. Click Add, choose IP Netmask and type in the IP address of the DHCP interface.
3. Use this address object in your NAT configurations.
I hope this helps a little.
01-24-2012 04:51 PM
Thanks for the reply, I appreciate it.
I come from the Juniper world. On the SRX, if you are using DHCP on the WAN connection, you basically specify the Destination-Address as 0.0.0.0/0 and it will use whatever IP address is assigned to the WAN interface via DHCP.
Here's a snippet of my original Juniper SRX config (which has been replaced by the PA-500).
Example of Destination NAT rule:
rule-set Incoming {
    from zone untrust;
    rule RDP_3389 {
        match {
            destination-address 0.0.0.0/0;
            destination-port 3389;
        }
    }
}
Example of Security policy to allow RDP traffic in:
policy rdp-in-vmutils01 {
    match {
        source-address any;
        destination-address vmutils01;
        application RDP3389;
    }
    then {
        allow;
        log {
            session-init;
            session-close;
        }
    }
}
In this scenario, even if the wan ip changes, all destination NATs will still function provided I have Dynamic DNS configured correctly on my end.
Thanks again. Is there any way to add that as a feature request? And if so, what's the procedure?
01-25-2012 03:38 AM
I've got the same setup on my PA-200. I have solved this problem by creating an address object with my dyn-dns address, and using that in my NAT policy (as the original packet - destination address). Provided your PA has the service route for DNS set correctly, this seems to be working fine.
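Added example, not the poster's configuration: the dyn-dns address-object workaround above written out as PAN-OS set-format CLI, with the matching DNS service route, NAT rule and security rule. The object names, the FQDN, the 192.168.10.21 server address and the interface are placeholders, and the command syntax is assumed from PAN-OS of that era, so check it against your release before committing.

```text
# Assumed placeholders: lab.example.dyndns.org, 192.168.10.21, ethernet1/1.

# 1. Address objects. The public side is an FQDN that dynamic DNS keeps
#    pointed at the current WAN address; the private side is static.
set address ddns-wan fqdn lab.example.dyndns.org
set address vmutils01-int ip-netmask 192.168.10.21/32

# 2. DNS service route: the firewall itself must resolve the FQDN, and
#    it does so from the management path unless told to use the WAN
#    (DHCP) interface.
set deviceconfig system route service dns source interface ethernet1/1

# 3. Custom service for RDP.
set service service-rdp-3389 protocol tcp port 3389

# 4. Destination NAT. Both pre-NAT zones are untrust because the packet
#    arrives on, and is addressed to, the untrust interface. The original
#    packet's destination is the FQDN object, not a fixed IP.
set rulebase nat rules dnat-rdp-vmutils01 from untrust to untrust
set rulebase nat rules dnat-rdp-vmutils01 source any destination ddns-wan
set rulebase nat rules dnat-rdp-vmutils01 service service-rdp-3389
set rulebase nat rules dnat-rdp-vmutils01 destination-translation translated-address vmutils01-int

# 5. Security policy. Unlike the SRX policy quoted above, PAN-OS matches
#    security rules on the post-NAT zone but the PRE-NAT destination
#    address, so the destination here is the public FQDN object, and the
#    destination zone is the internal zone the server lives in.
set rulebase security rules allow-rdp-vmutils01 from untrust to trust
set rulebase security rules allow-rdp-vmutils01 source any destination ddns-wan
set rulebase security rules allow-rdp-vmutils01 application ms-rdp service service-rdp-3389
set rulebase security rules allow-rdp-vmutils01 action allow log-end yes
```

After a WAN address change the rule only starts matching again once dynamic DNS has updated and the firewall has re-resolved the FQDN, so a short DDNS TTL and a check that the resolved address equals the interface address are worth keeping.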
01-26-2012 02:10 PM
Also, for the record, in order to put in a Feature Request, you need to contact your reseller or local SE, and they can handle that for you.
04-26-2012 09:26 PM
Thanks, that works really well.
11-16-2012 12:37 PM
I can't believe there isn't an easy way to specify this in this product since both Cisco and Juniper support pointing to a DHCP address.