This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
One-to-One NAT - DMZ to inside - how do I make it work?
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- One-to-One NAT - DMZ to inside - how do I make it work?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
One-to-One NAT - DMZ to inside - how do I make it work?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-25-2013 08:44 PM
Folks.
I'm apparently having a particularly stupid day, because I can;t make something as simple as one-to-one NAT work.
Scenario is this.
I have an IP in my DMZ. I have assigned this IP to a particular server which is hosted on my INSIDE (secure) network.
All I want to do is take this IP address and NAT it to the inside address. Something like this
IP addresses have been changed to protect the stupid (me!).
So - request comes in from the web to 1.2.3.91, and I want to redirect it to 10.100.1.120 - only needs web browsing and PING.
but I can not, for the life of me, get it right.
I've got the following NAT rule
Original packet
Source Zone - Outside
Destination Zone - DMZ
Source Address - Any
Destination Address - 1.2.3.91
Translated Packet
Source Translation : None
Destination translation : 10.100.1.120
The security policy is as follows
Source : Outside
Source Address : Any
Destination : Inside
Destination Address : 10.100.1.120
I'm happy for anyone to point out where I'm being stupid and laugh at me - I know it's something obvious, but I'm banging my head trying to sort out what.
thanks
18 REPLIES 18
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-25-2013 10:53 PM
Can you try to add a static route for 1.2.3.91/32 reachable through DMZ interface.
Make sure the packets are being received on the firewall using traffic logs.
P.S: Without addition of this static-route ,NAT rule Outside to Outside should be able to translate these packets.
Try refreshing arp table of the upstream router.
>test arp gratuitous ip 1.2.3.91 interface <outside interface>
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-25-2013 11:57 PM
Nadir wrote:
Can you try to add a static route for 1.2.3.91/32 reachable through DMZ interface.
Make sure the packets are being received on the firewall using traffic logs.
Not sure what you mean - add a static route for 1.2.3.91/32 *where*?
I can see *one* packet (session) which made it through, at some point in the past (I've tweaked the config file so many times since then trying different options I've lost track). I've gone back through the config logs and returned the config to exactly what it was back then - once it commits, I'll try again.
Nadir wrote:
P.S: Without addition of this static-route ,NAT rule Outside to Outside should be able to translate these packets.
Try refreshing arp table of the upstream router.
>test arp gratuitous ip 1.2.3.91 interface <outside interface>
The gratuitous arp fails, vis-a-vis
Server error : cannot send gratuitous ARP
Rolling the config back did me no good at all. I'm at an absolute loss here. I *must* be doing something stupid, I just can't figure out what!
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-26-2013 12:03 AM
Please Allow the Original address 1.2.3.91 in the Security rule.
Source : Outside
Source Address : Any
Destination : Inside
Destination Address : 10.100.1.120
Change to :
Source : Outside
Source Address : Any
Destination : Inside
Destination Address : 1.2.3.91
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-26-2013 12:31 PM
Hello Darren,
Could you please provide a snapshot of traffic log for this destination ( internal server IP 10.100.1.120).
Example:
Thanks
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-26-2013 04:04 PM
akawimandan wrote:
Please Allow the Original address 1.2.3.91 in the Security rule.
Source : Outside
Source Address : Any
Destination : Inside
Destination Address : 10.100.1.120
Change to :
Source : Outside
Source Address : Any
Destination : Inside
Destination Address : 1.2.3.91
Done that. I put *both* the inside (RFC1918) address and the outside (real) address in the allowed destinations and it still didn't work. I've now put just the outside address, and still no good.
Related Content
- PA-220 console is blank in General Topics
- Can PAN gateway client config use both IP based split tunneling *and* use domain name exceptions? in GlobalProtect Discussions
- Anyone got Global Protect 6.1.0 for Linux to work on Ubuntu 22.04? in GlobalProtect Discussions
- Does Prisma Print work for Sharp and Ricoh printers/scanners? in Prisma Access Discussions
- Two ISP Connection with some of my inside network going out one of the two in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks