02-22-2012 04:25 AM
Hi,
i just want to create a "easy" port forwarding rule from external (public ip), port 52516 to a internal server port 52516, but i can´t get it done on a PA-2050. it´s a web-service running on that internal server....
i´ve created a service/application for that tcp-port, i´v created a PBF-Rule and a port-based NAT rule, but it´s not working at all.
is there a guide/howto ?!?
regards
René
04-07-2012 01:06 AM
wolfgang.paul already did that in the first post.
This is how I interpret what Wolfgang wants to do:
Setup a DNAT (destination nat) for incoming traffic on a particular port (on untrust interface) to be forwarded to a particular host (on trusted interface).
This is what you need to do to accomplish the above:
1) Setup a DNAT rule in Policies -> NAT:
Original packet:
srczone: Internet
dstzone: Internet
dstinterface: int1 (or wherever you have Internet connected)
srcadr: 0.0.0.0/0 (assuming you want anyone from Internet to use this DNAT rule)
dstadr: <internetip>
service: TCP52516
Translated packet:
srctrans: none
dsttrans: <dmzip>:52516
2) Setup a security rule that will allow the translated traffic:
If im not mistaken the security rule acts after the NAT engine have done its work (DNAT will be processed twice but this doesnt matter for the security rule):
srczone: Internet
dstzone: DMZ
srcadr: 0.0.0.0/0
dstadr: <dmzip>
appid: web-browsing (or use "any" to identify which app PA will match for the flow and use that appid)
service: TCP52516 (I prefer to limit which ports each app are allowed to use, if not possible then at least use "default-application" instead of "any").
action: allow (and log on session start as debug which later can be changed to just on session end)
02-22-2012 04:37 AM
Hi Rene,
can you post a screenshot of your Security Rule and NAT Rule ? Usually a PBF rule is not required for this purpose.
Roland
02-22-2012 05:37 AM
here we go...see jpg attached!
Zone "Internet" = external, public ip-adress
Zone "Fritzbox" = internal. 192.168.178.0/24
Adress "Public-IP" = public ip
Adress "Alarmanlage" internal host 192.168.178.22
Service "alarm" = service tcp/52516
Application "alarm" = application tcp/52516
i think the nat-rule does´nt need to be explained. the security-rule is split into external an internal part. external means all traffic from internet to the external interface with the public ip for service "alarm", internal means all traffic in zone "fritzbox" for host-adress "Alarmanlage" and Application "alarm"....and "ping" just for testing
btw: the "fritzbox" as device is used as switch between pa-2050 and the "alarmanlage"...there´s no pptp-dialup! 🙂
02-22-2012 05:59 AM
Hello Wolfgang,
well I believe there are some errors in the NAT and the Security Rule:
For the NAT:
Source Zone: Internet , Destination Zone: Internet , Source Address: any , Destination Address: Public-IP , Service: alarm , Destination Translation: Alarmanlage
For the Security Policy (Alarmanlage extern):
Source Zone: Internet , Destination Zone: Fritzbox , Destination Address: Public-IP , Application: any , Service: alarm
Once this works you can test your custom "alarm" App in your sec. rule.
Hope this helps.
04-06-2012 07:38 AM
What kinf of translation should be set?
The above explained solution doesn't work in my scenarion.
04-06-2012 12:38 PM
Please describe your scenario to us, so we can help you determine what type of NAT and security rules you'll need.
04-07-2012 01:06 AM
wolfgang.paul already did that in the first post.
This is how I interpret what Wolfgang wants to do:
Setup a DNAT (destination nat) for incoming traffic on a particular port (on untrust interface) to be forwarded to a particular host (on trusted interface).
This is what you need to do to accomplish the above:
1) Setup a DNAT rule in Policies -> NAT:
Original packet:
srczone: Internet
dstzone: Internet
dstinterface: int1 (or wherever you have Internet connected)
srcadr: 0.0.0.0/0 (assuming you want anyone from Internet to use this DNAT rule)
dstadr: <internetip>
service: TCP52516
Translated packet:
srctrans: none
dsttrans: <dmzip>:52516
2) Setup a security rule that will allow the translated traffic:
If im not mistaken the security rule acts after the NAT engine have done its work (DNAT will be processed twice but this doesnt matter for the security rule):
srczone: Internet
dstzone: DMZ
srcadr: 0.0.0.0/0
dstadr: <dmzip>
appid: web-browsing (or use "any" to identify which app PA will match for the flow and use that appid)
service: TCP52516 (I prefer to limit which ports each app are allowed to use, if not possible then at least use "default-application" instead of "any").
action: allow (and log on session start as debug which later can be changed to just on session end)
04-07-2012 05:16 AM
Thank you mikand, your answer was exactly what I was looking for.
04-07-2012 08:00 PM
I will be installing our new PA next week. It does seem there are some subtle, and not so subtle, differences between these units and other firewalls.
So why is the nat rule "Source Zone: Internet , Destination Zone: Internet"?
Is there a quick list of steps for publishing an internal server?
Thanks,
Bob
04-09-2012 08:46 AM
As you see in the nat-rule there is a small header of "original packet" vs "translated packet".
The "original packet" is what the PA should look for, and "translated packet" is what to do when the packet is found.
The security rule then acts on the "translated packet" in this case.
You can check the PAN Packet Flow document for details on how the packets are being mangled in the dataplane: https://live.paloaltonetworks.com/docs/DOC-1628
04-09-2012 08:41 PM
Hi Bob,
To answer your question of why "Source Zone: Internet , Destination Zone: Internet"? Such a NAT policy would be defined to allow traffic from your Internet Zone to a server on one of your Internal Zones. NAT policies are created with the pre-NAT IP addresses in mind. In other words, when configuring NAT rules, we think of how PAN sees the incoming packet before NAT is applied. Since the source IP will be a random public IP in most cases, PAN knows that public IP addresses are situated on the Internet Zone (because the default route would be pointing out the Internet Zone interface). Hence we select Internet as the source zone. For destination zone, when a packet comes in, the destination IP address would also be a public IP address. Hence we select Internet zone again as the destination zone keeping in mind that before NAT is applied, the destination IP address belongs to the Internet zone interface.
You can refer to the following document for how NAT is setup on PAN:
Example #2 illustrates to to configure NAT for an internal server. Again the point to remember when configuring NAT rules is: Consider where the pre-NAT ip-addresses are situated with respect to PAN.
Thanks,
Ahsan
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
