This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Question about Security Policies and NAT

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Question about Security Policies and NAT

dshue
L2 Linker

‎10-10-2011 01:13 PM

I'm working on developing my rule base prepping for implementation.  I'm noticing that alot of my inbound rules, ie:

Where the destination in an address object with my internal IP.  Now of course I have NAT rules to statically NAT the traffic inbound and outbound.  Outbound (handled by another rule), the log shows the internal IP address as the source IP.  However, for inbound traffic the log shows the destination IP as the NAT address and does not catch on the rule above.  Looking at the details of the log it shows that it is being NAT'd correctly and what not.  Is this normal behavior?  Do I need two objects (even though I know I don't need an object) for each IP, an external object and an internal object?  Should the rule above contain the destination object of the external IP?

Just FYI, this behavior didn't always seem to be the case.  As I went back through my logs I saw where it look as though this rule was catching as it should have been.  Recently I went from one VR to three VRs to handle redundant ISPs.  Could this be the reason we see it logged this way?

TIA,

Daniel

0 Likes Likes
2 REPLIES 2

bpappas
L6 Presenter

‎10-10-2011 01:37 PM

yes, the inbound traffic will need to use a security policy with an address object that uses the external (public) IP address.

-Benjamin

gswcowboy
L6 Presenter

‎10-10-2011 01:37 PM

Inbound connection for security policy should reflect the destination's public ip. Nat rule will dnat it to a private address. Perhaps that's the reason for the logging discrepancy. Also, I would put your inbound NAT above your source nat rule for outbound access. It'd be nice to be able to look at your session table if this issue perists, however.

  • 1952 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks