New to PAN - coming from ASA - NAT nightmares


Hi guys,

I have come from Cisco ASAs, where it is super easy to create port forwarding/translation - really useful when you only have a single public IP.

object network web-server
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 80 80

 access-list outside extended permit tcp any object web-server eq 80

I am finding this impossibly difficult on the Palo!  I have created a NAT as follows:

"INBOUND WWW; index: 4" {
nat-type ipv4;
from untrust;
source any;
to untrust;
to-interface ethernet1/1 ;
destination a.b.c.d;
service [ tcp/any/80 tcp/any/8080 ];
translate-to "dst: 172.22.1.10:80";
terminal no;
}

"UNTRUST TO WEB SERVER; index: 6" {
from untrust;
source any;
source-region none;
to trust;
destination a.b.c.d;
destination-region none;
user any;
category any;
application/service web-browsing/tcp/any/80;
action allow;
icmp-unreachable: no
terminal yes;
}

Access to the web server is not working and there is nothing in the live traffic logs - I'm sure I am doing something stupid, if someone could help...

Cheers,

Darren

Accepted Solutions

 

Hi @darren-bucknell

That's how you need to configure your policy in order to allow inbound traffic to your Web Server.

NAT Policy Example
[images: Public-WWW.PNG, Private-WWW.PNG]

Security Policy Example
[images: Security-Policy1.PNG, Security-Policy2.PNG, Security-Policy3.PNG]

Now if you need your WebServer to also access the Internet (Bidirectional) I can give another example; then the NAT policy will work a little bit differently.

Let me know how it goes.


Fixed it - wrong zone <blush> 🙂
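The zone mistake above comes from the two lookups PAN-OS performs in different address spaces: NAT rules match on the pre-NAT destination zone (where the public IP is routed, here untrust), while security rules match on the post-NAT destination zone (where the translated address lives) but still on the pre-NAT destination IP. The following Python model is an added example, not code from this thread or from Palo Alto Networks; it replaces the public IP a.b.c.d with the placeholder 203.0.113.10 and uses a constructed routing table.

```python
import ipaddress

# Constructed topology (not from the post): the placeholder 203.0.113.10 stands in
# for the public IP a.b.c.d on ethernet1/1 (zone untrust); the server is 172.22.1.10.
ROUTES = {  # prefix -> zone, standing in for the virtual router plus interface/zone binding
    "203.0.113.0/24": "untrust",
    "172.22.1.0/24": "trust",
    "0.0.0.0/0": "untrust",
}

def zone_for(ip):
    """Zone a destination is routed to (longest-prefix match over ROUTES)."""
    addr = ipaddress.ip_address(ip)
    best = max((ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

# NAT lookup uses the pre-NAT destination zone, so the rule is untrust -> untrust.
NAT_RULES = [
    {"name": "INBOUND WWW", "from": "untrust", "to": "untrust",
     "dst": "203.0.113.10", "dport": {80, 8080}, "xlate_dst": ("172.22.1.10", 80)},
]
# Security lookup uses the post-NAT destination zone but the pre-NAT destination IP.
SECURITY_RULES = [
    {"name": "UNTRUST TO WEB SERVER", "from": "untrust", "to": "trust",
     "dst": "203.0.113.10", "dport": {80}, "action": "allow"},
]

def evaluate(src_zone, dst_ip, dport, nat_rules=NAT_RULES, sec_rules=SECURITY_RULES):
    """Return (nat_rule, security_rule, action) for an inbound flow to dst_ip:dport."""
    pre_nat_zone = zone_for(dst_ip)
    nat = next((r for r in nat_rules if r["from"] == src_zone and r["to"] == pre_nat_zone
                and r["dst"] == dst_ip and dport in r["dport"]), None)
    post_ip = nat["xlate_dst"][0] if nat else dst_ip
    post_nat_zone = zone_for(post_ip)
    sec = next((r for r in sec_rules if r["from"] == src_zone and r["to"] == post_nat_zone
                and r["dst"] == dst_ip and dport in r["dport"]), None)
    nat_name = nat["name"] if nat else None
    if sec is None:
        # Falls to the predefined interzone-default rule: deny, and not logged unless
        # logging is enabled on it, which is why a zone mistake shows nothing in the logs.
        return (nat_name, "interzone-default", "deny")
    return (nat_name, sec["name"], sec["action"])

if __name__ == "__main__":
    for port in (80, 8080):
        print(port, evaluate("untrust", "203.0.113.10", port))
```

Port 8080 is translated by the NAT rule but denied by security policy, because the security rule's service is tcp/80 only; swapping the security rule's destination zone to untrust reproduces the silent deny from the original post.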


Hey thanks for this Willian!

I used the "application (web-browsing)" ID and it worked.

Basically, I am getting used to the PAN zonal configuration that the ASA has no concept of.  It's a learning curve but will be worth it.

Best regards,

Darren

The web server does have a dynamic NAT (overload) policy configured.  Is there a better way?

Thanks in advance,

Darren

@darren-bucknell

No problem, you can definitely use the web-browsing App-ID. Just a heads up that if you use service-http as the service together with web-browsing, you will be locking down the use of the application to ports tcp/80 and tcp/8080 :). In most cases I typically leave the service field as application-default, unless the application has a different specification.

If your application uses web-browsing but does HTTP over a different port, e.g. 5000, then obviously you have to create a service object and then specify that in the service cell in the policy 🙂

I would simply configure the NAT policy as a bidirectional policy instead. This way, the server can receive inbound traffic and send traffic out at the same time.

Maybe these two articles here will help you.

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configure-nat-polici...

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-example...

Thanks Willian,

I only have a single public IP address and have dynamic NAT rules configured for the DMZ and other subnets.  Wouldn't a bidirectional NAT (only available for a static IP) break general PAT?

PAN-OS certainly does things differently to Cisco ASA!
