ONE External IP to MANY Internal IP NAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ONE External IP to MANY Internal IP NAT

L2 Linker

I believe I know the answer after looking around.

We have NATs that work fine when it is 1to1.

But what about  1 External IP that represents many Internal Hosts?  We have multiple websites that when you do a lookup in DNS, they all point to a singular public facing IP.  That public facing IP is represented by our ISA.

External                                             Internal

mysite.org - xxx.xxx.67.18          >  192.168.1.20

mysite1.org - xxx.xxx.67.18        >  192.168.1.21

mysite2.org - xxx.xxx.67.18        >  192.168.1.22

Could this be done by changing addresses (Objects > Addresses) to use FQDN instead of IP?

So the thought there would be:

2 New Objects

------------------

Name: mysite.org (outside) - FQDN: mysite.org

Name: mysite.org (inside) - IP Address: 199.168.1.20

NAT Policy

-----------------

Src: untrust

Dst: untrust

Src Addr: Any

Src Addr: mysite.org (outside)

Dst Addr Translation: mysite.org (inside)

Security Policy

-------------------

Src: Any

Dst: mysite.org (outside)

Thoughts?

7 REPLIES 7

L7 Applicator

Hello greeng,

The above mentioned setup will work fine if you are running internal servers on different port. For an example:

External                                             Internal

mysite.org - xxx.xxx.67.18 Port-80         >  192.168.1.20 -port-80

mysite1.org - xxx.xxx.67.18  port-8080      >  192.168.1.21 -port-8080

mysite2.org - xxx.xxx.67.18  port-443      >  192.168.1.22 port 443

NAT/security policy should be configures as mentioned below:

Name: mysite.org (outside) - FQDN: mysite.org

Name: mysite.org (inside) - IP Address: 199.168.1.20

NAT Policy

-----------------

Src: untrust

Dst: untrust

Src Addr: Any

Service: http/https or custom service

Destination Addr: mysite.org (outside)

Dst Addr Translation: mysite.org (inside)/192.168.1.21/192.168.1.22

Security Policy

-------------------

Src: Any

Dst: mysite.org (inside)

Hope this helps.

Thanks

L0 Member

Hi greeng,

The mentioned setup will work if you are running internal server with different private IP address. Please find the below example for the same.

External                                             Internal

mysite.org - xxx.xxx.67.18 Port-2000         >  192.168.1.20 -port-80

mysite1.org - xxx.xxx.67.18  port-2001      >  192.168.1.21 -port-80

mysite2.org - xxx.xxx.67.18  port-2002      >  192.168.1.22 port 80

NAT/security policy should be configures as mentioned below:

Name: mysite.org (outside) - FQDN: mysite.org

Name: mysite.org (inside) - IP Address: 192.168.1.20

NAT Policy

-----------------

Src: untrust

Dst: untrust

Src Addr: Any

Services : External Port ( Ex : 2000, 2001, 2002)

Destination Addr: mysite.org (outside)

Dst Addr Translation:  mysite.org (inside)

Dst port : 80

Security Policy

-------------------

Src: untrust

Dst: trust

Dst addr : mysite.org (outside)

Regards,

Sarath

L2 Linker

Thank you HULK and sbabu

I'm going to do some testing.

You are welcome. Let us know how it goes :smileygrin:

Thanks

L0 Member

Also you can use the below document for your reference

Understanding PAN-OS NAT

Page 19& 20

Thank you.

I agree with Hulk.

The only way you can do a "1 to many" NAT is via PAT.  You must set up separate ports for each connection.

L7 Applicator

This video tutorial will help you with the DNAT configuration.

Video Link : 1550

  • 4323 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!