New to Palo Alto from Juniper SSG

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

New to Palo Alto from Juniper SSG

L2 Linker

I was wondering if someone could enlighten me on how to replicate the Mapped IP functionality from Juniper SSG to Palo Alto.

We have a number of services on our current Juniper SSG.  The way we firewall these services is using MIP's on the Untrust Zone then the traffic passing from Untrust to Trust using standard juniper policies.  I was playing around with the Palo Alto and it seems its as easy as setting up an address on the Untrust Zone and Trust Zone.  Then allowing the traffic based on the App-ID.  Can someone explain this to me please?

Apologies for the noob question.  But gotta start somewhere eh?

Cheers

9 REPLIES 9

L5 Sessionator

Hi Gavin,

Yes, you will achieve this with both NAT and security policy. NAT policy will let you define the mapped ports and IP. That means if some-one comes for 1.1.1.1 on 443 translate it to 192.168.10.1 on 4443. Then on security policy you would say access to 1.1.1.1 is possible only with ssl application.

So if someone wants to access 1.1.1.1 anything other than ssl, it will be denied.  NAT on PA device is little different and unconventional. You can follow following documents for further information :

Video Link : 1550

Video Link : 1438

Please note that destination NAT might be bit different as the zones are determined as per routing on pre-natted address. Hope this helps. Thank you

L5 Sessionator

GavinPalmer

Welcome to forums.

I might be wrong but I think in screen OS you specified the NAT in the security policy itself which was from Untrust to Trust if your server is located in Trust.

But in PaloAlto, you will be creating two policies one for NAT and the other for security policy and the tricky part being NAT policy will be from Untrust to Untrust with destination as public IP of your server. Also the security policy will be from Untrust to Trust with destination as public IP of your server.

Let us know if you face any issues.

L7 Applicator

In ScreenOS on the SSG the MIP is a bidirectional static nat object mapping one ip address to another.  In PanOS you use the "Static nat" option to achieve the same result in your nat rule.

What does the Bi-Directional NAT Feature Provide?

When creating the static nat rule write the rule from the perspective of your internal server going out to the external zone.

Understanding PAN-OS NAT

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I believe Steven is correct.

Also, welcome to PANOS. Smiley Happy I used to have to manage a couple SSGs back in the day. I found it to be painful.

Hi Steve,

Ok thats great.  I have created the static NAT policy but now need to create a security policy for it.  will the direction of the sec policy be Untrust to Trust or Untrust to Untrust?  For example, to allow smtp to our exchange server, this comes in over a static public IP.  So should the security policy read, Untrust <ANY> -> Trust <exchange_internal> or Untrust <ANY> -> Untrust <exchange_public_ip>

Thanks

Hi Gavin,

Security policy should be Untrust to Trust.

And unidirectional NAT should be Untrust to Untrust.

If its bi-directional NAT than, it should be Trust to untrust.

Regards,

Hardik Shah

I do have a bi-directional NAT setup for smtp.  but how can the traffic be trust to untrust when smtp mail flow comes in from the untrust zone?  I dont understand this. 

Hello Gavin,

If you create one Bi-directional NAT, PAN breaks the NAT rule into two which looks like this(Bidirectional from Trust to Untrust):

"Trust-Untrust-Bidirectional NAT" {

        from trust-L3;

        source 192.168.18.1;

        to untrust-L3;

        to-interface  ;

        destination any;

        service  any/any/any;

        translate-to "src: 10.10.10.10 (static-ip) (pool idx: 5)";

        terminal no;

}

"Trust-Untrust-Bidirectional NAT" {

        from any;                                                  

        source any;

        to untrust-L3;

        to-interface  ;

        destination 10.10.10.10;

        service  any/any/any;

        translate-to "dst: 192.168.18.1";

        terminal no;

}

This can be seen in the CLI command "show running nat-policy".

Regards,

Dileep

Can you give an example for DIP NAT policy & security  policy, MIP i undestand with your below comment. also DST with NAT & SEC policy

 

  • 9449 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!