OpenVPN to a server behind PA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OpenVPN to a server behind PA

L1 Bithead

I have a dest NAT setup with port translation thus:

untrust untrust public IP tcp 443 > private IP tcp 1194

 

Policy set as

untrust trust any src to public IP for 443.

 

The NAT works fine, but I see aged-out on the traffic monitor, and no traffic at all on wireshark on my PA > Server LAN.

 

Am I missing something?

6 REPLIES 6

Cyber Elite
Cyber Elite

@solarstone,

Could you take a screenshot of the actual rule you have configured. 

NATNATRuleRule

@solarstone:

You hide important port of Your rules...

 

Please take a look at my example:

Security rule:

2017-11-19_154137.png

NAT rule

2017-11-19_152457.png

 

In You case in security rule insted of my ms-rdp and t.120 please put any but in service please create your own service with port 443.

In NAT as a "public IP" please put your public address of VPN serwer, as RDP 3502 please use Your serice 443. As "address k133" please put local IP (from DMZ) of Your VPN, insted of 3389 please put 1194. That's it.

 

I advice You to read carefully this article https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-PAN-OS-NAT/ta-p/60965

 

Regards

Slawek

Thanks for the response, how you describe is how I have it setup.

 

I have replicated (with diff address) the NAT, and policy rules, for an internal IIS server, and that connects fine. Hence my issue appears to be with the the ongoing LAN connection from inside the PA, to the OpenVPN server. No traffic reaches it. Whether this is a PA issue (I sense not, now) or an issue with the L2 path behind the PA on the LAN, I don't yet know.

Hello

 

I'm glad to hear that is started working.

 

If You have problem with conenction from LAN to DMZ You need to create another rules (in PaloAlto knows as U-turn rules) please read tech doc that I mention or find using search button how to create it.

 

With regatrds

Slawek

It isn't working. What I'm saying is that if I use the same NAT/Policy rules (with diff addresses) and try to connect to the IIS server using the destination NAT with port translastion, I see traffic from the PA internal LAN interface to the web server on that network.

 

When I use the same theory to connect to the OpenVPN server, there is nothing at all on the LAN between PA and OpenVPN.

 

e.g. NAT 1.2.3.4 port 443  translates to 10.1.1.2 port 1194.  From an external source, if I try to connect to 1.2.3.4:443, then the PA performs the NAT translation, the traffic is allowed, but that's where it ends. There is no traffic between PA interface 10.1.1.1 and openVPN on 10.1.1.2.

 

Hairpinning is if I'm trying to connect from inside to out, on the external address, and back in. I don't need to do this as far as I'm aware.

  • 6490 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!