PA Destination NAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA Destination NAT

L1 Bithead

I have a use-case that all subnets/VLANs should be able to access the server (192.168.4.4) via HTTP using the loopback IP address 192.168.6.2/32.

 

The PA firewall is the gateway for all the VLANs. I would like to confirm if this is possible? The source will be VLAN 5 or VLAN 10 and destination is VLAN 20's loopback IP 192.168.6.2/32 using HTTP service then the PA should redirect the traffic to VLAN 30's 192.168.4.4 address.

 

Thanks

2 REPLIES 2

Hi @Nikko,

If I understand correctly what you are asking it is possible yes.

 

set rulebase nat rules Web-Server-Destination-NAT to loopback-zone
set rulebase nat rules Web-Server-Destination-NAT from [ vlan5-zone vlan10-zone]          # or select any if
set rulebase nat rules Web-Server-Destination-NAT source any                                            
set rulebase nat rules Web-Server-Destination-NAT destination loopback_192.168.6.2
set rulebase nat rules Web-Server-Destination-NAT service any
set rulebase nat rules Web-Server-Destination-NAT destination-translation translated-address server_192.168.4.4

 

In addition you need to create allow rule:

set rulebase security rules Access-to-Web-Server profile-setting group default
set rulebase security rules Access-to-Web-Server to [ server-zone ]
set rulebase security rules Access-to-Web-Server from [ vlan5-zone vlan10-zone]
set rulebase security rules Access-to-Web-Server source any
set rulebase security rules Access-to-Web-Server destination [ loopback_192.168.6.2 ]
set rulebase security rules Access-to-Web-Server application [ web-browsing ]
set rulebase security rules Access-to-Web-Server service application-default
set rulebase security rules Access-to-Web-Server action allow
set rulebase security rules Access-to-Web-Server log-setting default

 

You need to note couple of thinks:

- In the security rule you need specify the destination zone where your web server is located.

- In the security rule you need to specify the destination address of your loopback, aka the destination address before the NAT (users will use the loopback to access the server)

- In the NAT rule you need to specify the destination zone where your loopback interface is located. This is because the NAT is evaluated first and applied later. Which means that when the original packet (from user) hit the firewall, FW will use the original destination IP (in this case the loopback) to determine which is the destination zone

 

 

By the way - based on your network setup it is not necessary to have the IP as loopback on the FW to use it in NAT. Your devices only need to know to route 192.168.6.2 to the firewall (either with specific or default route)

Cyber Elite
Cyber Elite

hi @Nikko 

 

yes, this is possible

 

the NAT rule will look like

2021-05-11_12-11-14.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2344 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!