outside to inside nat tcp and udp specific?

Showing results for 
Search instead for 
Did you mean: 

outside to inside nat tcp and udp specific?

L2 Linker

i have a situation where outside users will tupe in a public ip which the palo alto will nat it into a inside privtae address like

destination "public" x.x.x.x port udp 8443   >>> translated destination "private" y.y.y.y udp 8443


,but when i tired to do it i couldnt set the tanslated address port to tcp or udp? does it take the same tcp or udp set in the original service port?

also is my config correct for this nat?



L4 Transporter

You have to have a matching firewall rule that is going to allow TCP/UDP/etc.  NAT doesn't really care about the protocol.  Also, you might want to consider using APP-ID instead of a blanket Port/Protocol statement for your inbound firewall rule.  Personally I don't like port forwarding if I can avoid it (can cause all sorts of NAT frustrations).  Get another IP from your ISP if you can.  If you have multiple services, look into a good load balancer or application delivery platform (ie - F5/Citrix offerings).

but is my nat rule correct?

if i set the original traffic coming into udp 8443 , does the translated private ip also use udp? as there is no option to use udp or tcp in the translated port 


also how the firewall rule should be for the destination? should i make the (outisde>>inside) rule destination ip the translated private ip or the public ip?


Yes as far as protocol, if its UDP then its UDP all the way from source to destination, same for TCP. Also here is a good example for NAT:




I also agree with @jeremy.larsen , let the NAT just to IP translation and let the security policy do the policing.



but how the security policy destination ip should be , is it the public ip or the translated private ip like:-

allow outisde to inside , source any ip , destination "public" or "translated private ip"???

Here is a good example of a destination NAT. I believe this is what you are looking for.




So in your case the source and destination is Outside, dont select an interface or service, destination IP is the Public IP of your server.


Translated packet: just put the internal IP of your server


Then the security policies should be Source "outside' destination inside address of the Public IP of your server and then select the application and server here.


Hope that makes sense. The picture of the rules in the link should be all you need.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!