09-12-2013 01:04 PM
I've just changed my internet connection to a new one.
Now I've reconfigured everything with the new address.
The issue is that I can surf the web from inside to outside, but the NAT to my internal server is somehow blocked.
What I can see in logs is:
I really don't know how to solve this issue.
The routing table is correct, but it seems that something is going wrong.
If I add a rule in security saying to pass everything nothing happens, but the error changes to "incomplete".
Can anyone help me?
Thanks a lot.
Pietro
09-12-2013 01:12 PM
Are we still using the older public IP address for the server for doing the destination NAT? If so, then this IP doesn't lie on the subnet of the new IP address.
Please follow the steps in the below doc that explains how to circumvent this issue.
https://live.paloaltonetworks.com/docs/DOC-4034
Thanks and best regards,
Karthik RP
09-12-2013 01:18 PM
Hello,
Could you please click into the "magnifying glass" button and share the output.
Thanks
09-12-2013 01:19 PM
Found one more link that provides a more accurate solution to our situation.
09-12-2013 01:26 PM
Karthik, thanks for the quick response.
I've tried with the document:
But still no luck:
09-12-2013 01:29 PM
Yep. Thank you too, Hulk:
09-12-2013 01:31 PM
For your convenience the NAT is the following:
09-12-2013 01:33 PM
With the following destination address translation:
And this virtual router:
09-12-2013 01:33 PM
Sorry, this is the nat:
09-12-2013 01:38 PM
Hi WLitdepartment,
46.140.150.154 is the interface IP address, hence regular static NAT will not work; you will have to configure port address translation.
Please share access rule and NAT statement with us.
Regards,
Hardik Shah
09-12-2013 01:49 PM
Thanks for the clarification,
Per the screenshots, it appears that the users are connecting on port 443, whereas the destination NAT rule configured is for port 25. Can you remove the port 25 from the NAT rule (Destination NAT to any port), to see if it makes a difference?
In addition, I see that the traffic is being identified as "not-applicable". We usually see "not-applicable" when we are filtering based on service ports too. So for testing purposes, please modify the inbound traffic policy to permit traffic from outside to inside, with source address any, destination address as 46.140.150.154, application set to ssl and smtp, and remove the service-port 25, and action allow.
09-12-2013 01:50 PM
Traffic is coming over port 443 while the policy is configured for 25; please add port 443.
09-12-2013 01:50 PM
Hello,
From the traffic logs it looks like:
1. Traffic coming from IP 95.227.104.14 to destination IP 46.140.150.154 with Dst port 443.
2. As per the NAT rule, the same destination IP 46.140.150.154 with Dst port 443 should translate to 192.168.0.220 with dst port 25.
3. For this traffic, Application is showing "not-applicable".
Could you please modify your existing security policy and add "any" instead of any specific application and share the expanded output.
Please also share your security policy and NAT original packet o/p.
Thanks
09-12-2013 01:53 PM
Yep, I was not so clear.
I'm trying a connection via https (owa) and mail (port 25).
This was my misunderstanding.
I'm completing a revert to the previous set of rules, to test the previous configuration.
In a while I'll add all of your requests.
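To make the port mismatch discussed above concrete (OWA on 443 and mail on 25 behind the interface IP 46.140.150.154, NAT rule written for 25 only), here is an added example that is not from the thread or from Palo Alto Networks: a small model of how a PAN-OS destination NAT rule and a security rule are matched against an inbound flow from the logs. Rule names and the rule objects are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of PAN-OS destination NAT plus security-policy lookup.
# Addresses mirror the thread's logs; rule names are assumptions.
@dataclass
class NatRule:
    name: str
    orig_dst: str               # pre-NAT (public) destination
    orig_port: Optional[int]    # None = service "any"
    xlat_dst: str               # post-NAT (private) destination
    xlat_port: Optional[int]    # None = keep the original port

@dataclass
class SecRule:
    name: str
    dst: str                    # matched on the PRE-NAT destination address
    ports: Optional[frozenset]  # None = service "any"
    action: str = "allow"

def lookup(nat_rules, sec_rules, dst_ip, dst_port):
    """Return where an inbound flow ends up, or why it does not get there."""
    nat = next((r for r in nat_rules
                if r.orig_dst == dst_ip and r.orig_port in (None, dst_port)), None)
    # Security policy sees the pre-NAT address and the original service port,
    # so a port-specific service object can miss a flow the NAT would match.
    sec = next((r for r in sec_rules
                if r.dst in ("any", dst_ip)
                and (r.ports is None or dst_port in r.ports)), None)
    if nat is None:
        return f"no NAT match: {dst_ip}:{dst_port} is not translated"
    if sec is None:
        return "not-applicable: dropped by security policy before app-id"
    if sec.action != "allow":
        return f"denied by {sec.name}"
    return f"{nat.name}: {nat.xlat_dst}:{nat.xlat_port or dst_port}"

PUBLIC, SERVER = "46.140.150.154", "192.168.0.220"

# As described in the thread: NAT and security policy both limited to port 25,
# while the OWA client in the logs arrives on 443.
AS_CONFIGURED_NAT = [NatRule("mail-in", PUBLIC, 25, SERVER, 25)]
AS_CONFIGURED_SEC = [SecRule("allow-mail", PUBLIC, frozenset({25}))]

# One NAT rule per published service (OWA on 443, SMTP on 25), with the
# port stated explicitly because the public address is the interface IP.
FIXED_NAT = [NatRule("owa-in", PUBLIC, 443, SERVER, 443),
             NatRule("mail-in", PUBLIC, 25, SERVER, 25)]
FIXED_SEC = [SecRule("allow-owa-mail", PUBLIC, frozenset({443, 25}))]
```

Running `lookup` with the as-configured rules shows the 443 flow never reaching the NAT rule, while the per-service rules translate both 443 and 25 to the internal server.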