10-07-2014 06:29 AM
I was wondering if someone could enlighten me on how to replicate the Mapped IP functionality from Juniper SSG to Palo Alto.
We have a number of services on our current Juniper SSG. The way we firewall these services is using MIPs on the Untrust Zone, then the traffic passing from Untrust to Trust using standard Juniper policies. I was playing around with the Palo Alto and it seems it's as easy as setting up an address on the Untrust Zone and Trust Zone, then allowing the traffic based on the App-ID. Can someone explain this to me please?
Apologies for the noob question. But gotta start somewhere eh?
Cheers
10-07-2014 07:13 AM
Hi Gavin,
Yes, you will achieve this with both NAT and security policy. NAT policy will let you define the mapped ports and IP. That means if someone comes for 1.1.1.1 on 443, translate it to 192.168.10.1 on 4443. Then on security policy you would say access to 1.1.1.1 is possible only with the ssl application.
So if someone wants to access 1.1.1.1 with anything other than ssl, it will be denied. NAT on a PA device is a little different and unconventional. You can follow the following documents for further information:
Please note that destination NAT might be a bit different as the zones are determined as per routing on the pre-NATted address. Hope this helps. Thank you
10-07-2014 09:00 AM
Welcome to forums.
I might be wrong, but I think in ScreenOS you specified the NAT in the security policy itself, which was from Untrust to Trust if your server is located in Trust.
But in Palo Alto, you will be creating two policies, one for NAT and the other for security policy, and the tricky part being the NAT policy will be from Untrust to Untrust with destination as the public IP of your server. Also the security policy will be from Untrust to Trust with destination as the public IP of your server.
Let us know if you face any issues.
10-11-2014 04:07 AM
In ScreenOS on the SSG the MIP is a bidirectional static NAT object mapping one IP address to another. In PAN-OS you use the "Static NAT" option to achieve the same result in your NAT rule.
What does the Bi-Directional NAT Feature Provide?
When creating the static nat rule write the rule from the perspective of your internal server going out to the external zone.
10-13-2014 07:21 AM
I believe Steven is correct.
Also, welcome to PANOS. I used to have to manage a couple SSGs back in the day. I found it to be painful.
10-21-2014 07:47 AM
Hi Steve,
OK, that's great. I have created the static NAT policy but now need to create a security policy for it. Will the direction of the sec policy be Untrust to Trust or Untrust to Untrust? For example, to allow smtp to our Exchange server, this comes in over a static public IP. So should the security policy read Untrust <ANY> -> Trust <exchange_internal> or Untrust <ANY> -> Untrust <exchange_public_ip>?
Thanks
10-21-2014 07:50 AM
Hi Gavin,
Security policy should be Untrust to Trust.
And unidirectional NAT should be Untrust to Untrust.
If it's bi-directional NAT, then it should be Trust to Untrust.
Regards,
Hardik Shah
10-21-2014 08:02 AM
I do have a bi-directional NAT setup for smtp, but how can the traffic be Trust to Untrust when smtp mail flow comes in from the Untrust zone? I don't understand this.
10-21-2014 08:36 AM
Hello Gavin,
If you create one bi-directional NAT, PAN breaks the NAT rule into two, which look like this (bidirectional from Trust to Untrust):
"Trust-Untrust-Bidirectional NAT" {
from trust-L3;
source 192.168.18.1;
to untrust-L3;
to-interface ;
destination any;
service any/any/any;
translate-to "src: 10.10.10.10 (static-ip) (pool idx: 5)";
terminal no;
}
"Trust-Untrust-Bidirectional NAT" {
from any;
source any;
to untrust-L3;
to-interface ;
destination 10.10.10.10;
service any/any/any;
translate-to "dst: 192.168.18.1";
terminal no;
}
This can be seen in the CLI command "show running nat-policy".
Regards,
Dileep
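As an added example (not from any poster in this thread), the PAN-OS set commands that produce the two-way rule shown in the output above, plus the Untrust-to-Trust security policy Hardik describes, and a one-way port-forward of the kind mentioned in the first reply. Zone names (trust-L3, untrust-L3), rule names and the smtp application are assumptions; the addresses are the ones used in this thread.

```text
# MIP equivalent: static bi-directional NAT, written from the inside host outward.
# PAN-OS itself expands this into the two rules shown by "show running nat-policy".
set rulebase nat rules Exchange-Static-NAT from trust-L3 to untrust-L3 source 192.168.18.1 destination any service any source-translation static-ip translated-address 10.10.10.10 bi-directional yes

# Security policy for the inbound direction. PAN-OS matches security policy on the
# PRE-NAT destination address (the public IP) but the POST-NAT destination zone (Trust),
# so the rule is Untrust -> Trust with destination 10.10.10.10, not 192.168.18.1.
# Restricting to application smtp is what replaces the "port only" MIP policy on the SSG.
set rulebase security rules Allow-SMTP-In from untrust-L3 to trust-L3 source any destination 10.10.10.10 application smtp service application-default action allow log-end yes

# One-way destination NAT (port forward) as described in the first reply:
# 1.1.1.1:443 -> 192.168.10.1:4443. The "to" zone is untrust-L3 because the
# route lookup on the pre-NAT address 1.1.1.1 points at the Untrust interface.
set rulebase nat rules Web-DNAT from untrust-L3 to untrust-L3 source any destination 1.1.1.1 service service-https destination-translation translated-address 192.168.10.1 translated-port 4443

# Matching security policy: again pre-NAT destination, post-NAT zone, App-ID limited to ssl.
set rulebase security rules Allow-SSL-In from untrust-L3 to trust-L3 source any destination 1.1.1.1 application ssl service service-https action allow log-end yes
```

Checking with "show running nat-policy" after commit is the quickest way to confirm the direction of the generated rules before testing traffic.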
03-19-2019 05:32 AM
Can you give an example for a DIP NAT policy & security policy? MIP I understand with your below comment. Also DST with NAT & SEC policy.