
Trouble routing from Guest zone to Internal Server



L1 Bithead

I'm not sure where to turn from here but my organization is trying to do a configuration we haven't set up before related to our student self-service system.

 

To try and summarize the issue, we have a guest-wireless zone that we need to allow anybody access to another server that is internal on our production network.  Our system architect registered a public IP address to our ISP with a URL so what we're trying to do is allow guest-wifi to this public URL and then let it hit the internal server.

 

This is working externally from the organization.  There is a NAT setup to allow external traffic to reach the service via the public IP/URL, but trying to go from the Guest Zone to the server is giving problems.  I have had Palo support troubleshooting with me and they were not able to come up with a solution during our call, so I'm turning here.

 

What some other Palo documentation and videos had us do was the following NAT and Security Policy:

 

NAT

Source Zone: inside

Dest. Zone: Outside

Source Addr: Server Private IP

Src. Translation: Server Public IP

 

This worked for anything external, but trying to recreate one for Guest doesn't seem to do anything.

 

Security Policy

Source Zone: Guest

Source Addr: Any

Dest. Zone: inside

Dest. Addr: server Public IP

Ports: 80/443

 

Traffic Monitor for the above security policy shows allowed traffic with a result of Application: Incomplete.

 

I am completely stumped and feel like we're making it a lot harder than it really is, so any guidance would be immensely helpful.

 

1 accepted solution

Accepted Solutions

Cyber Elite

Hello,

Sounds like you need a U-Turn NAT. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln3CAC

Also make sure you have security policies allowing the traffic.

 

Regards,


5 REPLIES

Cyber Elite

Is the guest zone hitting the public IP? Presumably your NAT rule is bi-directional then? Or do you have a separate NAT policy for inbound connections?

 

If you look in the details of the session you see allowed, in both the source and destination boxes does the "NAT IP" part appear correct?

Cyber Elite

Hello,

Sounds like you need a U-Turn NAT. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln3CAC

Also make sure you have security policies allowing the traffic.

 

Regards,

There is a separate destination NAT for external users. My source IP is from our 10.193.0.0 subnet (Guest) and guest interface ethernet 1/5.93.  The destination is listed as the public IP with a NAT IP displayed as the server's private IP.  So to me, it does appear correct.  We have other configurations for the Guest wifi to reach internal services, but those are handled by the load balancer in the DMZ, so we're not sure where the disconnect is occurring.

I did come across something regarding U-Turn NAT and I did try and use the above link for reference, as well as another online video of someone explaining it and it makes sense to me, but when trying to implement I'm still not able to reach that service. ☹️

After a little more looking into the NAT policy, I recognized the error I had.  U-Turn was the correct solution but it was the particular interface I was using on the source translation.  Correcting that on my end immediately got the service working.  Much thanks to all.
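The thread's resolution hinges on how PAN-OS evaluates a U-Turn NAT: the NAT rule is matched on the pre-NAT destination zone (wherever the public IP routes, i.e. Outside), while the security rule is matched on the post-NAT zone (inside) with the pre-NAT address. The model below is an added illustration, not the poster's configuration or a Palo Alto Networks tool; the route table, the 203.0.113.10 public IP, the 10.10.5.20 server and the 10.10.0.1 inside-interface address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumed, not from the thread): RFC 5737/1918 placeholders
# for the server's public IP, its private IP and the firewall's inside interface.
ROUTES = {            # destination prefix -> zone of the egress interface
    "10.193.0.0/16": "Guest",
    "10.10.0.0/16": "inside",
    "0.0.0.0/0": "Outside",   # default route toward the ISP
}
PUBLIC_IP, SERVER_IP, INSIDE_IF_IP = "203.0.113.10", "10.10.5.20", "10.10.0.1"

def zone_for(ip):
    """Route lookup (longest prefix wins): the pre-NAT destination zone is
    wherever the *untranslated* destination IP would be routed."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), z) for p, z in ROUTES.items()]
    return max((m for m in matches if addr in m[0]), key=lambda m: m[0].prefixlen)[1]

@dataclass
class NatRule:
    name: str; from_zone: str; to_zone: str; dst: str
    dst_xlate: Optional[str] = None; src_xlate: Optional[str] = None

@dataclass
class SecRule:
    name: str; from_zone: str; to_zone: str; dst: str

def process(src_ip, src_zone, dst_ip, nat_rules, sec_rules):
    """PAN-OS order of operations: NAT policy is matched on pre-NAT zones and
    addresses; security policy on the post-NAT zone but pre-NAT addresses."""
    pre_nat_zone = zone_for(dst_ip)
    nat = next((r for r in nat_rules if r.from_zone == src_zone
                and r.to_zone == pre_nat_zone and r.dst == dst_ip), None)
    new_dst = nat.dst_xlate if nat and nat.dst_xlate else dst_ip
    new_src = nat.src_xlate if nat and nat.src_xlate else src_ip
    post_nat_zone = zone_for(new_dst)
    sec = next((r for r in sec_rules if r.from_zone == src_zone
                and r.to_zone == post_nat_zone and r.dst in (dst_ip, "any")), None)
    return {"nat_rule": nat.name if nat else None, "egress_zone": post_nat_zone,
            "dst": new_dst, "src": new_src, "allowed": sec is not None}

SECURITY = [SecRule("guest-to-server", "Guest", "inside", PUBLIC_IP)]
# Wrong: a NAT rule written against the post-NAT zone "inside" never matches,
# because at NAT lookup time the public IP still routes to Outside.
WRONG_NAT = [NatRule("guest-uturn", "Guest", "inside", PUBLIC_IP, SERVER_IP)]
# U-turn NAT: match Guest -> Outside on the public IP, translate the destination
# to the server and the source to the inside interface so replies return via the firewall.
UTURN_NAT = [NatRule("guest-uturn", "Guest", "Outside", PUBLIC_IP, SERVER_IP, INSIDE_IF_IP)]
```

Running `process("10.193.4.7", "Guest", PUBLIC_IP, ...)` with each rule set shows the mis-zoned rule leaving the session untranslated and heading to Outside, while the U-turn rule lands it on the server with the security policy matched; the actual source-translation interface must be the firewall interface facing the server.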
