port forwarding external to internal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

port forwarding external to internal

Not applicable

Hi,

i just want to create a "easy" port forwarding rule from external (public ip), port 52516 to a internal server port 52516, but i can´t get it done on a PA-2050. it´s a web-service running on that internal server....

i´ve created a service/application for that tcp-port, i´v created a PBF-Rule and a port-based NAT rule, but it´s not working at all.

is there a guide/howto ?!?

regards

René

1 accepted solution

Accepted Solutions

wolfgang.paul already did that in the first post.

This is how I interpret what Wolfgang wants to do:

Setup a DNAT (destination nat) for incoming traffic on a particular port (on untrust interface) to be forwarded to a particular host (on trusted interface).

This is what you need to do to accomplish the above:

1) Setup a DNAT rule in Policies -> NAT:

Original packet:

srczone: Internet

dstzone: Internet

dstinterface: int1 (or wherever you have Internet connected)

srcadr: 0.0.0.0/0 (assuming you want anyone from Internet to use this DNAT rule)

dstadr: <internetip>

service: TCP52516

Translated packet:

srctrans: none

dsttrans: <dmzip>:52516

2) Setup a security rule that will allow the translated traffic:

If im not mistaken the security rule acts after the NAT engine have done its work (DNAT will be processed twice but this doesnt matter for the security rule):

srczone: Internet

dstzone: DMZ

srcadr: 0.0.0.0/0

dstadr: <dmzip>

appid: web-browsing (or use "any" to identify which app PA will match for the flow and use that appid)

service: TCP52516 (I prefer to limit which ports each app are allowed to use, if not possible then at least use "default-application" instead of "any").

action: allow (and log on session start as debug which later can be changed to just on session end)

View solution in original post

10 REPLIES 10

L4 Transporter

Hi Rene,

can you post a screenshot of your Security Rule and NAT Rule ? Usually a PBF rule is not required for this purpose.

Roland

here we go...see jpg attached!

Zone "Internet" = external, public ip-adress

Zone "Fritzbox" = internal. 192.168.178.0/24

Adress "Public-IP" = public ip

Adress "Alarmanlage" internal host 192.168.178.22

Service "alarm" = service tcp/52516

Application "alarm" = application tcp/52516

i think the nat-rule does´nt need to be explained. the security-rule is split into external an internal part. external means all traffic from internet to the external interface with the public ip for service "alarm", internal means all traffic in zone "fritzbox" for host-adress "Alarmanlage" and Application "alarm"....and "ping" just for testing

btw: the "fritzbox" as device is used as switch between pa-2050 and the "alarmanlage"...there´s no pptp-dialup! 🙂

Hello Wolfgang,


well I believe there are some errors in the NAT and the Security Rule:


For the NAT:

Source Zone: Internet , Destination Zone: Internet , Source Address: any , Destination Address: Public-IP , Service: alarm , Destination Translation: Alarmanlage


For the Security Policy (Alarmanlage extern):
Source Zone: Internet , Destination Zone: Fritzbox , Destination Address: Public-IP , Application: any , Service: alarm


Once this works you can test your custom "alarm" App in your sec. rule.

Hope this helps.

What kinf of translation should be set?

The above explained solution doesn't work in my scenarion.

Please describe your scenario to us, so we can help you determine what type of NAT and security rules you'll need.

wolfgang.paul already did that in the first post.

This is how I interpret what Wolfgang wants to do:

Setup a DNAT (destination nat) for incoming traffic on a particular port (on untrust interface) to be forwarded to a particular host (on trusted interface).

This is what you need to do to accomplish the above:

1) Setup a DNAT rule in Policies -> NAT:

Original packet:

srczone: Internet

dstzone: Internet

dstinterface: int1 (or wherever you have Internet connected)

srcadr: 0.0.0.0/0 (assuming you want anyone from Internet to use this DNAT rule)

dstadr: <internetip>

service: TCP52516

Translated packet:

srctrans: none

dsttrans: <dmzip>:52516

2) Setup a security rule that will allow the translated traffic:

If im not mistaken the security rule acts after the NAT engine have done its work (DNAT will be processed twice but this doesnt matter for the security rule):

srczone: Internet

dstzone: DMZ

srcadr: 0.0.0.0/0

dstadr: <dmzip>

appid: web-browsing (or use "any" to identify which app PA will match for the flow and use that appid)

service: TCP52516 (I prefer to limit which ports each app are allowed to use, if not possible then at least use "default-application" instead of "any").

action: allow (and log on session start as debug which later can be changed to just on session end)

Thank you mikand, your answer was exactly what I was looking for.

I will be installing our new PA next week.  It does seem there are some subtle, and not so subtle, differences between these units and other firewalls.

So why is the nat rule "Source Zone: Internet , Destination Zone: Internet"?

Is there a quick list of steps for publishing an internal server?

Thanks,

Bob

As you see in the nat-rule there is a small header of "original packet" vs "translated packet".

The "original packet" is what the PA should look for, and "translated packet" is what to do when the packet is found.

The security rule then acts on the "translated packet" in this case.

You can check the PAN Packet Flow document for details on how the packets are being mangled in the dataplane: https://live.paloaltonetworks.com/docs/DOC-1628

Hi Bob,


To answer your question of why "Source Zone: Internet , Destination Zone: Internet"?  Such a NAT policy would be defined to allow traffic from your Internet Zone to a server on one of your Internal Zones.  NAT policies are created with the pre-NAT IP addresses in mind.  In other words, when configuring NAT rules, we think of how PAN sees the incoming packet before NAT is applied.  Since the source IP will be a random public IP in most cases, PAN knows that public IP addresses are situated on the Internet Zone (because the default route would be pointing out the Internet Zone interface).  Hence we select Internet as the source zone.  For destination zone, when a packet comes in, the destination IP address would also be a public IP address.  Hence we select Internet zone again as the destination zone keeping in mind that before NAT is applied, the destination IP address belongs to the Internet zone interface.

You can refer to the following document for how NAT is setup on PAN:

Example #2 illustrates to to configure NAT for an internal server.  Again the point to remember when configuring NAT rules is: Consider where the pre-NAT ip-addresses are situated with respect to PAN.


Thanks,

Ahsan

  • 1 accepted solution
  • 16256 Views
  • 10 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!