Static Port Address Translation question


L0 Member

This configuration issue seems like it should be very easy to figure out, but I have not performed this in the past and I cannot seem to figure it out.

We will have multiple devices on the trusted network, and I need to NAT them all to a single Public IP address using a different port number for each private device.  All devices will utilize port 443 internally, but I need to do the port translation on the firewall.  The devices are not capable of changing the service port number for HTTPS or HTTP.  I have tried configuration info I have found in the support documents, but everything I see is just changing the port, from say port 443 to 8080 on the firewall and the end device is configured to utilize port 8080 for HTTPS.  The configuration screenshots below are the current NAT and Security Policy and this works as far as just plain NAT is concerned.  I need to be able to translate a port number such as 8080 coming in on the untrusted side to port 443 on the trusted side.  Any help is appreciated.  Thank you

 

[Image: JohnSturk_0-1695407774096.png]

[Image: JohnSturk_1-1695407912202.png]

 

 

Accepted Solutions

Cyber Elite

Hi @JohnSturk ,

 

You have done all the hard work!  You only need the ports now.  Here is a document that is a good start, but missing a couple of items.

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/...

 

  1. The NAT example should have an object tcp-80 (or service-http) for the Original Packet Service.  It is very important when you create service objects for NAT that you specify the destination only, and not the source.  (Unless, of course, you are NATing source ports, which is uncommon.)
  2. I would not leave the security policy rule service set to any.  I would put it tcp-8080 or service-http in that example.  I believe the service in the security policy rule is pre-NAT like the IP.

Thanks,

 

Tom


Hi Tom,

Thank you so much for your help.  I have the NAT/Port solution functioning properly now.  I overlooked your advice on setting the Destination Port only in the service object.  This was my issue as I had a dumb moment when I set it up.  I was so fixated on the NAT rule being incorrect that I did not look at the Service Object after I created it.  I have the proper port numbers in the NAT rule, along with the allowed service in the security rule as well as the source IP address of the vendor that will need to access the devices.  Thank you again for your input.

Cyber Elite

You're welcome!

 

I have seen that many times with customers.
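The setup this thread arrives at, as an added example (not code from the posters or from Palo Alto Networks): a Python generator that emits PAN-OS configure-mode `set` commands for several devices behind one public IP, each with a destination-only service object, a NAT rule translating the outside port to 443, and a security rule scoped to the vendor and the outside-port service as the answer advises. It generalizes to any number of devices; the zone names, rule names, App-ID, addresses and ports are assumed or constructed values.

```python
import ipaddress

def build_port_forwards(public_ip, vendor_ip, devices, inside_port=443,
                        outside_zone="untrust", inside_zone="trust", app="ssl"):
    """Return PAN-OS configure-mode 'set' commands for per-device port forwards.

    devices: list of (name, private_ip, outside_port). Zone names, rule names
    and the App-ID are assumptions for this example, not values from the thread.
    """
    public_ip = str(ipaddress.ip_address(public_ip))
    vendor_ip = str(ipaddress.ip_address(vendor_ip))
    used_ports, cmds = {}, []
    for name, private_ip, port in devices:
        private_ip = str(ipaddress.ip_address(private_ip))
        if not 1 <= port <= 65535:
            raise ValueError(f"{name}: invalid port {port}")
        if port in used_ports:
            # One public IP:port pair can be forwarded to only one device.
            raise ValueError(f"{name}: port {port} already used by {used_ports[port]}")
        used_ports[port] = name
        svc = f"tcp-{port}"
        # Service object: destination port only, no source-port (the fix in the thread).
        cmds.append(f"set service {svc} protocol tcp port {port}")
        # NAT rule: pre-NAT zone, public IP and outside port; translate to device:443.
        cmds.append(
            f"set rulebase nat rules nat-{name} from {outside_zone} to {outside_zone} "
            f"source any destination {public_ip} service {svc} "
            f"destination-translation translated-address {private_ip} "
            f"translated-port {inside_port}")
        # Security rule: vendor source, pre-NAT destination IP, outside-port service
        # instead of 'any'; the destination zone is where the device actually lives.
        cmds.append(
            f"set rulebase security rules allow-{name} from {outside_zone} "
            f"to {inside_zone} source {vendor_ip} destination {public_ip} "
            f"application {app} service {svc} action allow")
    return cmds

# Constructed sample values (documentation address ranges), not from the thread.
SAMPLE_DEVICES = [("dev1", "10.10.10.11", 8443), ("dev2", "10.10.10.12", 8444)]

if __name__ == "__main__":
    for line in build_port_forwards("203.0.113.10", "198.51.100.7", SAMPLE_DEVICES):
        print(line)
```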
