07-24-2013 02:08 AM
If there is a security policy applied from just "untrust to trust" permitting SSH traffic, will this rule be bidirectional, or would I need to create another rule from trust to trust permitting SSH?
Is it the same with NAT rules?
Thanks
07-24-2013 02:13 AM
Or would I need to create another rule from untrust to trust permitting SSH?
07-24-2013 06:43 AM
Good Morning,
From what I understand, you want to create a security rule from Untrust to Trust, so that people from the internet can access a server that is behind the firewall in the trust zone. If the users from the internet initiate a new SSH session to the firewall, then the firewall receives a SYN packet from the untrust to the trust zone. We need not write a new policy for the SYN-ACK from trust to untrust to go out; the firewall will match any server-to-client traffic on SSH to the same "untrust to trust" rule that you created. So it depends upon who is initiating the session. If someone is initiating a new SSH connection from the trust zone, we would then require a policy from "trust to untrust" allowing SSH.
Bear in mind that when we have an inbound connection from the internet (untrust to trust), the NAT rules are written slightly differently, and you may want to refer to the destination NAT configuration as described on page 15 of the NAT tech note:
https://live.paloaltonetworks.com/docs/DOC-1517
BR,
Karthik
07-24-2013 09:08 AM
First scenario: when a client has to establish a session on a server with a source NAT, with the aim of masking the IP of the client or for routing purposes, you just need a static NAT without the bidirectional option.
Second scenario: if you create a static NAT with the bidirectional option and with a destination address declared, you have the same behaviour, but it is like you created another NAT rule, a destination NAT rule, that allows the server to initiate a connection to your client of the first scenario.
Does that make sense?
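As an added example (not from any reply in this thread), here is PAN-OS set-format configuration for the inbound SSH case Karthik describes and for the two static NAT scenarios in the last reply; the zone names, rule names and addresses (203.0.113.10 and 203.0.113.25 as public addresses, 10.1.1.10 as the internal server, 192.0.2.25 as the internal client) are assumed.

```text
# Added example: PAN-OS "set" commands. Rule names, zones and addresses are assumed.
# Lines starting with "#" are annotations, not CLI input.

# 1. Inbound SSH from the internet to an internal server (the case in the first answer).
#    Destination NAT: zones are matched pre-NAT, so the rule is untrust -> untrust
#    (the route to the public address 203.0.113.10 points out the untrust interface).
set rulebase nat rules DNAT-SSH-Server from untrust to untrust source any destination 203.0.113.10 service any destination-translation translated-address 10.1.1.10

#    Security policy: the zone is post-NAT (trust), the destination address is pre-NAT.
#    One rule covers both directions of a session the client initiates, because the
#    firewall is stateful: the SYN creates the session, and the SYN-ACK from 10.1.1.10
#    back to the client is matched to that session, not evaluated against a new rule.
set rulebase security rules Allow-SSH-Inbound from untrust to trust source any destination 203.0.113.10 application ssh service application-default action allow

#    Only if 10.1.1.10 itself opens SSH sessions outbound is a second rule needed:
set rulebase security rules Allow-SSH-Outbound from trust to untrust source 10.1.1.10 destination any application ssh service application-default action allow

# 2. First NAT scenario from the last reply: client 192.0.2.25 on trust reaches servers
#    outside with its source address masked. Static source NAT, no bi-directional flag,
#    so only sessions the client initiates are translated.
set rulebase nat rules SNAT-Client-Static from trust to untrust source 192.0.2.25 destination any source-translation static-ip translated-address 203.0.113.25

# 3. Second NAT scenario: the same rule with bi-directional yes. PAN-OS then also
#    creates an implied destination NAT, so traffic arriving from untrust for
#    203.0.113.25 is translated to 192.0.2.25 and the server can initiate to the client.
set rulebase nat rules SNAT-Client-Bidir from trust to untrust source 192.0.2.25 destination any source-translation static-ip translated-address 203.0.113.25 bi-directional yes

#    The implied reverse NAT does not permit traffic by itself; a security rule is still
#    required (zone untrust -> trust, destination = the pre-NAT address 203.0.113.25),
#    and without it the bi-directional flag exposes nothing.
set rulebase security rules Allow-Server-To-Client from untrust to trust source any destination 203.0.113.25 application ssh service application-default action allow
```

Use rules 2 and 3 as alternatives, not together; the point is that the bi-directional flag only changes which side may initiate, while the security policy still decides whether each direction is allowed.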