Problem with new internet connection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Problem with new internet connection

L0 Member

I've just changed my internet connection to a new one.

Now I've reconfigured everything with the new address.

The issue is that I can surf the web from inside to outside but the NAT to my internal server is someway blocked.

What I can see in logs is:

I really don't know how to solve this issue.

The routing table is correct, but it seems that something is going wrong.

If I add a rule in security saying to pass everything nothing happens, but the error changes to "incomplete".

Can anyone help me?

Thanks a lot.

Pietro

16 REPLIES 16

L5 Sessionator

Are we still using the older public IP address for the server for doing the destination NAT? If so, then this IP doesnt lie on the subnet of the new IP address.

Please follow the steps in the below doc that explains how to circumvent this issue.

https://live.paloaltonetworks.com/docs/DOC-4034

Thanks and best regards,

Karthik RP

L7 Applicator

Hello,

Could you please click into the "magnifying glass" button and share the output.

NAT-drop.JPG.jpg

Thanks

L5 Sessionator

Found one more link provides a more accurate solution to our situation.

Destination NAT for a Network not Connected to the Firewall

Karthik, thank for the quick response.

I've tryied with the document:

But still no luck:

Yep. Thank you too, Hulk:

For your convenience the NAT is the following:

With the following destination address translation:

And this virtual router:

Sorry, this is the nat:

Hi

46.140.150.154 is the interface IP address, hence regular static Nat will not work, you will have to configure port address translation.

Please share access rule and NAT statement with us.

Regards,

Hardik Shah

Thanks for the clarification,

Per the screenshots, it appears that the users are connecting on port 443, whereas the destination NAT rule configured is for port 25. Can you remove the port 25 from the NAT rule ( Destination NAT to any port) , to see if it makes a difference?

IN addition, I see that the traffic is being identified as "not-applicable". We usually see "not-applicable" when we are filtering based on service ports too. So for testing purpose, please modify the inbound traffic policy to permit traffic from outside to inside, with source address any, destination address as 46.140.150.154,  application set to ssl and smtp, and remove the service-port 25, and action allow.

Traffic coming over port 443 while policy is configured for 25, please add port 443.

Hello,

From the traffic logs it looks like:

1.  Traffic coming from IP 95.227.104.14 to destination IP- 46.140.150.154 with Dst port 443.

2. As per the NAT rule,  the same destination IP- 46.140.150.154 with Dst port 443 should translate to 192.168.0.220 with dst port 25.

3. For this traffic,  Application is showing "Not-applicable"

Could you please modify your existing security policy and add "any" instead of any specific application and share the expanded output.

Please also share your security policy and NAT original packet  o/p.

Thanks

Yep, I was not so clear.

I'm trying a connection via https (owa) and mail (port 25).

This was my misunderstanding.

I'm completing a revert to the prevoiuos set of rules, to test the previous configuration.

In a while I'll add all of your requests.

  • 7061 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!