06-03-2014 11:58 AM
I am trying to create a webpage to display the video stream of two of our IP Cameras.
The page works perfectly from inside the network but not from outside the network.
I think I need to set up some kind of port forwarding rule on my Palo Alto and then program that into the web page, but am not sure how to accomplish this on the Palo Alto.
Thanks,
Mike
06-03-2014 12:28 PM
Sorry but I am still not sure what I am supposed to do here.
06-03-2014 12:34 PM
You'll want to create a Destination NAT rule using the doc that was linked. If you're trying to do port forwarding, you would just need to specify what port (service) it is coming in on, and what port you want it to go to internally.
For example, if you want to translate port 80 hitting your public IP of 192.0.2.50 to port 8080 on your internal server address of 172.16.1.1:
Original Packet Tab:
Source Zone: Untrust
Destination Zone: Untrust
Destination Interface: Any (or the public interface)
Service: Define a new service or use the pre-configured "service-http"
Source Address: Any (or a list of IPs you want to connect from)
Destination Address: 192.0.2.50
Translated Packet Tab:
Source Address Translation:
None
Destination Address Translation:
Translated Address: 172.16.1.1
Translated Port: 8080
You'll also need an associated security rule to allow the traffic from the Untrust zone to the Trust zone, destination IP is 192.0.2.50.
Hope this helps,
Greg
06-05-2014 12:21 AM
Check the NAT and PAT rule; it may be helpful for you.
Dynamic NAT translation using IP and port
To enable one single routed interface IP address to be reused for translation several times, the layer 4 information is attached to the source address.
This can easily be done in the web interface; in the CLI, however, it is quite hard to find the hierarchy. NAT is under the rulebase hierarchy.
How to configure dynamic port NAT
admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# edit rulebase nat
[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust description "Dynamic PAT"
[edit rulebase nat]
admin@PA-5050# set rules trust-to-untrust from trust to untrust destination any service any source any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 200.1.1.1/30
[edit rulebase nat]
admin@PA-5050# commit
....55%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no virtual-router configuration.
Interface ethernet1/2 has no virtual-router configuration.
[edit rulebase nat]
admin@PA-5050#
Set up a virtual router to route packets
Create a static default route by first creating a virtual router. Treat the virtual router like a router process: you need to include the interfaces that are available to the virtual router. The virtual router is located under the network hierarchy.
[edit rulebase nat]
admin@PA-5050# top
[edit]
admin@PA-5050# set network virtual-router static-route interface ethernet1/1
[edit]
admin@PA-5050# set network virtual-router static-route interface ethernet1/2
Take note that static-route is a name I defined for the virtual router; there is a default profile which you can use if you want.
Define the default routes with the static-route profile.
admin@PA-5050# set network virtual-router static-route routing-table ip static-route static-default-route destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 200.1.1.2
admin@PA-5050# commit
....55%99%.....100%
Configuration committed successfully
[edit]
admin@PA-5050#
Take note that static-default-route is the routing-table profile I have created; you can create any name you want.
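The two things that most often go wrong with the configuration described in this thread are the pairing Greg points out (the security rule must be written with the pre-NAT destination address 192.0.2.50 but the post-NAT destination zone Trust) and the commit warning in the CLI transcript above (an interface used for interface-address source translation that is not a member of any virtual router). The following added example, which is not code from this thread or from Palo Alto Networks, models both as a small lint over a constructed rule set; the dataclasses, the address-to-zone map and all rule names are assumptions made for illustration.

```python
"""Lint a Palo Alto-style NAT + security policy pair for the two gotchas
in this thread: the security rule must use the pre-NAT destination
address with the post-NAT destination zone, and an interface used for
interface-address source translation must belong to a virtual router.
Added example (not the thread's or Palo Alto Networks' code); the rule
model and every address below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class NatRule:
    name: str
    from_zone: str            # Original Packet: source zone
    to_zone: str              # Original Packet: destination zone (pre-NAT)
    destination: str          # Original Packet: destination address, or "any"
    translated_address: Optional[str] = None   # destination translation target
    translated_port: Optional[int] = None
    source_iface: Optional[str] = None         # dynamic-ip-and-port interface-address


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    destination: str          # "any" or an address
    action: str = "allow"


@dataclass
class Config:
    nat_rules: List[NatRule]
    security_rules: List[SecurityRule]
    zone_of_host: Dict[str, str]          # internal address -> zone it lives in
    vr_interfaces: Dict[str, Set[str]]    # virtual-router name -> member interfaces


def lint(cfg: Config) -> List[str]:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for nat in cfg.nat_rules:
        if nat.translated_address:
            inside_zone = cfg.zone_of_host.get(nat.translated_address)
            if inside_zone is None:
                findings.append(f"{nat.name}: zone of {nat.translated_address} unknown")
                continue
            # Security policy is evaluated with the pre-NAT address and post-NAT zone.
            allowed = [s for s in cfg.security_rules
                       if s.action == "allow"
                       and s.from_zone == nat.from_zone
                       and s.to_zone == inside_zone
                       and s.destination in ("any", nat.destination)]
            if not allowed:
                findings.append(f"{nat.name}: no security rule allows {nat.from_zone} -> "
                                f"{inside_zone} to pre-NAT address {nat.destination}")
            # A rule written with the internal (post-NAT) address never matches.
            for s in cfg.security_rules:
                if s.to_zone == inside_zone and s.destination == nat.translated_address:
                    findings.append(f"{s.name}: matches post-NAT address "
                                    f"{nat.translated_address}; use {nat.destination}")
        if nat.source_iface:
            in_vr = any(nat.source_iface in members for members in cfg.vr_interfaces.values())
            if not in_vr:
                findings.append(f"{nat.name}: {nat.source_iface} is in no virtual-router")
    return findings


# Constructed sample: the security rule was written with the internal
# (post-NAT) address, and the PAT interface is not in any virtual router.
def broken_config() -> Config:
    return Config(
        nat_rules=[
            NatRule("camera-dnat", "Untrust", "Untrust", "192.0.2.50",
                    translated_address="172.16.1.1", translated_port=8080),
            NatRule("trust-to-untrust", "Trust", "Untrust", "any",
                    source_iface="ethernet1/1"),
        ],
        security_rules=[
            SecurityRule("allow-camera", "Untrust", "Trust", "172.16.1.1"),
        ],
        zone_of_host={"172.16.1.1": "Trust"},
        vr_interfaces={"static-route": set()},
    )


# Same policy written the way the thread describes: pre-NAT address with
# post-NAT zone, and both interfaces added to the virtual router.
def fixed_config() -> Config:
    cfg = broken_config()
    cfg.security_rules = [SecurityRule("allow-camera", "Untrust", "Trust", "192.0.2.50")]
    cfg.vr_interfaces = {"static-route": {"ethernet1/1", "ethernet1/2"}}
    return cfg


if __name__ == "__main__":
    for label, cfg in (("broken", broken_config()), ("fixed", fixed_config())):
        print(label, lint(cfg) or "OK")
```

Running it reports three findings for the broken set (no allowing rule for the pre-NAT address, a rule that matches the post-NAT address, and ethernet1/1 outside any virtual router) and nothing for the corrected one. The zone lookup is a plain map here; on a real firewall the post-NAT zone is whatever zone the interface that routes to 172.16.1.1 belongs to, which is why the virtual router has to be populated before the NAT rule behaves as expected.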
06-10-2014 12:44 AM
Thanks gwesson - This is exactly what I was looking for while migrating config from Juniper to PAN firewall. Can I use security policy based on app-id e.g. web-browsing for http or do I need to use service since service has been used in NAT policy configuration?
06-10-2014 09:09 AM
You can use either or both. If you use application, it's more broad and covers more than just a port. You can use a service- (port-) based policy if you want to make it work more like a basic firewall. In general I use applications since it gives much more coverage. You can even use both (or the "application-default" service) if you want to lock it down even further.
There are no restrictions though, the NAT and Security policies are independent.
-Greg