Port Forwarding Problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Port Forwarding Problem

L1 Bithead

This should be fairly simple but am at wits end.  

 

I need to forward 2 ports from an external IP to an internal private ip (Ports 8088 and 22).  I found this article and am following its example:  https://nubisnovem.com/pinning-a-hole-in-palo-alto/

 

 

Public/Outside IP of PA-220 : 44.44.44.44

Internal IP: 192.168.0.222

IP I am trying to browse/connect from: 123.123.2.2

 

 

I created two Services 

Name: 8088

Protocol: TCP

Destination Port: 8088

Source Port: 1-65535

 

Name: SSH

Protocol: TCP

Desitnation Port: 22

Source Port: 1-65535

 

I created two NAT statements

Name: 8088

Source Zone: Outside

Destination Zone: Outside

Destination Interface: Any

Source Address: Any

Destination Address: 44.44.44.44

Service: 8088 

Source Translation: None

Destination Translation: 192.168.0.222

 

Name: 22

Source Zone: Outside

Destination Zone: Outside

Destination Interface: Any

Source Address: Any

Destination Address: 44.44.44.44

Service: 22

Source Translation: None

Destination Translation: 192.168.0.222

 

I also created 1 security policy

Name: PortForward

Source Zone: Outside

Source Address: Any

Destination Zone: Inside

Destination Address: 192.168.0.222

Application: Any

Service: 8088 and 22

Action: Allow

 

When I browse through a webpage to 44.44.44.44:8088 a web browser.  PA Monitor shows incomplete under application

PA2.PNG

 

 

Log Detail:

 

 

 

PA1.PNG

 

Like I said I am basing everything on the article above so there may be a better way to do it.  

Any advice is appreciated. 

6 REPLIES 6

L7 Applicator

Most likely, 192.168.0.222 doesn't have a route back to 123.123.2.2, or else it's using a different egress point.

 

A couple things you can do:

1. Make sure that 192.168.0.222 has a route to 123.123.2.2 and that it goes through the Palo Alto Networks firewall.

2. Use source NAT in addition, specifying the internal IP of the firewall. 

 

Your traffic log detail shows it just barely, 0 bytes and packets received with 62 bytes sent, probably the TCP SYN packet.

 

Best regards,

Greg Wesson

Greg,


Appreciate your response.  

 

1. I have an additional NAT from my internal zone to external its basically my NAT for internet access from my inside zone. 

Name:  Inside - Internet Access

Source Zone: Inside

Destination Zone: Outside 

Source Address:  192.168.0.0/24

Source Translation: dynamic ip and port   - 44.44.44.44

 

That should suffice from getting back to 123.123.2.2 shouldn't it?

 

2. Do I need the source NAT if I already have the above NAT?  


Again, thank you.

There is only one NAT rule that is applied for each session, so the separate Source NAT rule you provided won't get applied when the other one is.

 

Assuming L3 setup:

Run a traceroute from the internal server to the external client IP. Make sure that the MAC address of the firewall your server hits is the same one that is sourcing the traffic inbound from that external client. If not, you've got a routing issue. 

 

If you're familiar with packet captures, you can take one on the firewall (grab transmit and receive stages) at the same time as one running on the internal server. You should be able to confirm if the SYN is making it to the server, if the server is responding with the expected SYN+ACK, and if that's making it back to the firewall.

 

-Greg

@RJSCSLLC,

The following might help you a little bit more than what you found in the above article. I would look at live prior to following a random article; usually you'll find we include more information and pictures 😉

The entire article this was pulled from can be found HERE

 

Destination NAT with Port Translation Example
In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 and TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080.
 
The following NAT and security rules must be configured on the firewall:
 
 
Use the show session all CLI command to verify the translation.

Ok.  So I am still not having any luck.  For troubleshooting purposes. I installed IIS on an inside PC on the same network and set up an additional NAT for http-web browsing that works fine but still can not get port 8088 to work at all. Below Rule 1 works fine Rule 2 does not.

 

test80.PNG

 

http.PNG

 

8088.PNG

 

At this point for testing purposes I just have a permit any security policy 

any.PNG

 

What is interesting is in the monitor log the application shows as application web-browsing for when I go to port 80 and it works but it still shows as incomplete when trying 8088

 

 

permit.PNG

notworking.PNG

 

 

So to sum up.  I have a wide open security policy, 2 identical NAT statements in which the service set up is exactly the same, one for port 80 and one for port 8088.  Port 80 works fine going to 192.168.0.45 but port 8088 going to 192.168.0.222 does not.  If I get on an internal PC and browse to 192.168.0.222:8088 it works just fine so I am pretty certain there isn't an internal PC firewall blocking anything.

 

browsing to publiciip:80 works like it should but publicip:8088 does not.  

 

Not sure how else to troubleshoot.


Thanks again for any suggestions. 

@RJSCSLLC,

If you PCAP the traffic what exactly do you see. Your NAT appears to be working otherwise you wouldn't get the log, so you either don't have a return path properly setup for the traffic or the 192.168.0.222 is not setup properly so you never get a response. 

  • 4601 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!