Port forward does nt seem to work

Reply
myrdin
L2 Linker

Port forward does nt seem to work

HI

 

imagine this scenario:

 

Internet 1.1.1.1 PA 2.2.2.1  ----  2.2.2.2 ROUTER 3.3.3.0/24 network

 

I am forwarding all packets received to 1.1.1.1 https to 2.2.2.2 https which then re-nat to 3.3.3.0/24 host

 

With a stupid dlink 50$ router instead of the PA, everything works. I just forward https to 2.2.2.2 and it works. with the Palo, no way.

 

In the Palo i have also have another network interface (say 4.4.4.0/24) and i forward other ports to hosts in the 4.4.4.0/24 and everything works, but if i forward to the 2.2.2.2 which then re-nat to 3.3.3.0, it does not work. And i cannot see any errors on the PALO.

 

I have done these configuration multiple times (i mean just publishing servers etc...). Any suggestions?

 

How do i troubleshoot NAT? is there a way to see the NAT translations on the PALO? 

 

thanks

reaper
L7 Applicator

Hi

 

Did you make sure the [2.2.2.2/3.3.3.0/24] router has it's default gateway set to 2.2.2.1 and the 3.3.3.X host has default gw to the [2.2.2.2/3.3.3.0/24] router

would you mind sharing more details about your config ?

 

you could try setting a source/destination nat so behind the PANW the ip's would be src:2.2.2.1 dst:2.2.2.2 (to ensure 3.3.3.x knows how to route back

 

did you make sure to set the zones in your NAT rule as 'untrust to untrust' ?

zone membership is determined by looking at the routing table, so the pre-nat packet will have a source IP from the untrust zone (default gateway out to the internet) and a destination ip in the untrust zone (ip attached to the untrust interface)

 

2016-08-19_14-37-10.jpg

 

security policy will still be untrust to trust, destination address still being pre-nat though

2016-08-19_14-40-53.jpg

 

 

you can verify NAT being applied to a session by looking up the session information :

> show session id 2275

Session            2275

        c2s flow:
                source:      198.51.100.10 [v1-untrust]
                dst:         198.51.100.1
                proto:       17
                sport:       53797           dport:      53
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.0.0.5 [lab]
                dst:         198.51.100.10
                proto:       17
                sport:       53              dport:      1472
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown


        start time                           : Fri Aug 19 14:21:21 2016
        timeout                              : 31 sec
        total byte count(c2s)                : 88
        total byte count(s2c)                : 143
        layer7 packet count(c2s)             : 1
        layer7 packet count(s2c)             : 1
        vsys                                 : vsys1
        application                          : dns  
        rule                                 : dns-inbound
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        address/port translation             : source
        nat-rule                             : nat-in(vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : any
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/1
        egress interface                     : ethernet1/2
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : Aged out
        end-reason                           : aged-out

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
myrdin
L2 Linker

Hi,

 

thanks heaps for your answer.

 

Yes so router 2.2.2.2 has default route to 2.2.2.1, host on the 3.3.3.0/24 network have the right gateway. Please note that with a "dumb" router in which i simply create forward rules to 2.2.2.2 everything works. Basically the dumb router is configured exaclty as the Palo, but there is obviously something the Palo is doing more that is preventing that to work.

 

I have other destination NAT rules that are working on the same PALO (i know you have to define untrust/untrust in the destination NAT). The difference is that the destiation NAT that are working are going to an network directly attached to the PALO. In example:

 

1.1.1.1 PALO 5.5.5.1 ---- 5.5.5.2 host

 

the desintation NAT 1.1.1.1 to 5.5.5.2 WORKS in the PALO

 

what it does not work is the one originally posted so 1.1.1.1 PALO 2.2.2.1 --- 2.2.2.2 DUMBROUTER 3.3.3.1 ---- 3.3.3.2 Forwarding 1.1.1.1 to 2.2.2.2 which in turns forwards to 3.3.3.2 does not work. With a dumb router instead of the PALO which forwards packets received to 1.1.1.1 to 2.2.2.2 which in turns forward to 3.3.3.2 it works.

 

I am suspecting the PALO is not forwarding the same way the dumbrouter does and the patckets that the DUMBROUTER receives are different from what a "normal" router does.

 

Unfortunately i cannot share the config. If you have any other ideas, i can put in my queue but i have very limited time for testing as when we switch to the PALO we have very limited time to make things working before reverting back

 

but thanks

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!