Dears,
I'm migrating some NAT rules from Cisco ASA to PAN Firewall. I don't know how to migrate a static NAT with Port Translation like the following example:
static (dmz,outside) tcp Public_IP 443 Private_IP 80 netmask 255.255.255.255
This static in ASA means the outside connection will be directed to the public IP on port 443 and ASA will divert the request to the private IP on port.
Do you have any idea how to do this on Palo Alto?
Nat Rule:
Source Zone: untrust
Dest Zone: untrust (same)
Dest int: none
Source address: any (you will filter by the security rule)
Dest Address: Public IP assigned to the internal server
Service: http/https or whatever service you are publishing
Translated Packet
Source Translation: None
Destination Translation: Private IP of the server
Destination port: destination port of the server; if left blank it will be the same as the one specified in the "Service" above. In your case it will be the internal port where the service is responding.
Sec Policy:
Source Zone: untrust
Destination Zone: trust (or the zone where the server being published sits)
Destination Address: THE PUBLIC IP assigned
Application/port: The port that is responding externally (not the internal port where the internal server is responding)
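The accepted answer above written out as PAN-OS CLI set commands, as an added example that is not part of any reply in this thread. It assumes the zone names outside and dmz from the original ASA line, placeholder addresses 203.0.113.10 and 10.10.10.20, and the predefined service-https object; the lines starting with # are annotations, not CLI input.

```text
# Address objects (placeholder values, assumed for this example)
set address Public_IP ip-netmask 203.0.113.10/32
set address Private_IP ip-netmask 10.10.10.20/32

# NAT rule. Original packet: zone outside -> outside (the zone the public IP
# is routed in), destination Public_IP on tcp/443 (service-https).
set rulebase nat rules DNAT-Web from outside to outside source any destination Public_IP service service-https
# Translated packet: rewrite only the destination, to Private_IP on tcp/80.
set rulebase nat rules DNAT-Web destination-translation translated-address Private_IP translated-port 80

# Security rule. Matches the pre-NAT destination address (Public_IP) and the
# pre-NAT port (tcp/443), but the post-NAT destination zone (dmz).
set rulebase security rules Allow-Web-In from outside to dmz source any source-user any destination Public_IP application any service service-https action allow
```

The security rule must reference Public_IP and tcp/443, not Private_IP and tcp/80, because policy lookup happens on the original packet with the post-NAT zone. As the replies note, the firewall only rewrites the port; it does not terminate TLS, so a client expecting HTTPS on 443 still receives the plain HTTP that the server speaks on 80.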
hello,
This guy helped me to understand NAT policy configuration with port translation:
https://www.youtube.com/watch?v=aVXzzZEgIA4
Thx,
Myky
Hi,
This would be a destination NAT, so you would configure a NAT rule that has an original packet source & destination zone of 'outside', destination address of your public IP and the port the outside user is connecting to.
You would then configure in the translated packet part of the rule the destination side, put in the private IP & port that the traffic is to be translated to.
You can watch this video to help as well:
For the security rule, you will need to use the source zone of the pre-NAT zone, in this case 'outside' and the destination zone will be the post-NAT zone, DMZ.
hope this helps,
Ben
Remember to create the Policy rule to allow the traffic that is being NATed. Your destination zone will be the DMZ, but your destination IP has to be the public IP. In your configuration, you may run into an ssl issue. The clients are requesting a secured connection on port 443 and you are serving them a non-secured connection on port 80.
The above videos will make it clear as well.
Dears,
Thanks all for clarifying a solution for such a NAT scenario.
I think there should be a document for different NAT scenarios to compare between ASA and PAN.
Thanks all.