For details on cookie usage on our site, read our Privacy Policy
New to PAN - coming from ASA - NAT nightmares
- LIVEcommunity
- Discussions
- General Topics
- New to PAN - coming from ASA - NAT nightmares
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-20-2017 09:44 AM
Hi guys,
I have come from Cisco ASAs whereby it is super easy to create port forwarding/translation - really useful when only have single public IP.
object network web-server
host 192.168.1.10
nat (inside,outisde) static interface service tcp 80 80
access-list outside extended permit any object web-server eq 80
I am finding this impossibly difficult on the Palo! I have created a NAT as follows:
"INBOUND WWW; index: 4" {
nat-type ipv4;
from untrust;
source any;
to untrust;
to-interface ethernet1/1 ;
destination a.b.c.d;
service [ tcp/any/80 tcp/any/8080 ];
translate-to "dst: 172.22.1.10:80";
terminal no;
"UNTRUST TO WEB SERVER; index: 6" {
from untrust;
source any;
source-region none;
to trust;
destination a.b.c.d
destination-region none;
user any;
category any;
application/service web-browsing/tcp/any/80;
action allow;
icmp-unreachable: no
terminal yes;
Access to the webserver is not working and there is nothing in the live traffic logs - I'm sure I am doing something stupid if someone could hlpe...
Cheers,
Darren
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-20-2017 10:01 AM
That's how you need to configure your policy in ordert to allow inbound traffic to your Web Server.
NAT Policy Example
Security Policy Example
Now if you need your WebServer to also access the Internet (Bidirectional) I can give another example, then the NAT policy will work a little bit different.
Let me know how it goes.
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-20-2017 09:51 AM
Fixed it - wrong zone <blush> 🙂
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-20-2017 10:01 AM
That's how you need to configure your policy in ordert to allow inbound traffic to your Web Server.
NAT Policy Example
Security Policy Example
Now if you need your WebServer to also access the Internet (Bidirectional) I can give another example, then the NAT policy will work a little bit different.
Let me know how it goes.
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-20-2017 10:15 AM
Hey thanks for this Willian!
I used the "application (web-browsing)" ID and it worked.
Basically, I am getting used to the PAN zonal configuration that the ASA has no concept of. It's a learning curve but will be worth it.
Best regards,
Darren
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-20-2017 10:16 AM
The web server does have a dynamic NAT (overload) policy configured. Is there a better way?
Thanks in advance,
Darren
- Azure SAML double windows to select account in GlobalProtect Discussions
- Internet1 interface not coming up after enabling bypass pair on ION 3000 in Prisma SD-WAN Discussions
- Extract Indicator in XSOAR in Cortex XSOAR Discussions
- Discard UDP from Paloalto Session TImeout in General Topics
- LACP interface ethernet1/24 moved out of AE-group ae1 in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
