10-22-2024 05:34 AM
Hello,
I have a web server in the DMZ with the private IP address 192.168.10.100/24, and I would like all traffic from outside to come to this server. My public IP is 1.1.1.2/255.255.255.248, which will bind to 192.168.10.100.
To perform this, I can create a destination rule:
From      To        Source   Destination   Destination Translation Address (Static)
Untrust   Untrust   Any      1.1.1.2       192.168.10.100
The above rule will work correctly. My question is: if I create the rules below, what will happen?
From      To        Source   Destination      Source Translation Address (Static)
Untrust   DMZ       Any      192.168.10.100   1.1.1.2
Bi-directional: checked
From      To        Source           Destination   Source Translation Address (Static)
DMZ       Untrust   192.168.10.100   Any           1.1.1.2
Bi-directional: checked
Will the above rules work, and if they work, is this a correct way to do it?
10-23-2024 07:40 AM
Hi @calabilla
The Bi-Directional static NAT option can be used only when creating a Source NAT policy. With the bi-directional static NAT option checked, the firewall will perform both the Source NAT and the Destination NAT translation.
With this option, when traffic is coming from your inside/DMZ server going towards the internet, the source IP will get NATed to the given public IP. At the same time, if traffic is hitting the public IP from the internet (from the untrust zone), then the destination IP will be NATed to the given inside/DMZ IP.
Of your examples, the one below looks like the appropriate configuration of Source NAT with bi-directional checked.
From      To        Source           Destination   Source Translation Address (Static)
DMZ       Untrust   192.168.10.100   Any           1.1.1.2
Bi-directional: checked
In the case below, you have marked the private IP as part of the Untrust zone. Ideally, the untrust zone should hold the public IP from where internet traffic will come.
From      To        Source   Destination      Source Translation Address (Static)
Untrust   DMZ       Any      192.168.10.100   1.1.1.2
Bi-directional: checked
Bi-directional NAT configuration has very specific use cases where enabling it is a must. I have seen most of its use cases in Audio/Video traffic flows.
Palo Alto KB article on Bi-Directional Static NAT
Hope it helps!
If you still have any queries, feel free to ask.
10-23-2024 10:03 AM - edited 10-24-2024 04:55 AM
The rule is this way:
CHECK THE BELOW AND LET ME KNOW IF IT WILL WORK
Source Zone   Destination Zone   Source   Destination      Translation Address (Static)
Untrust       DMZ                Any      192.168.10.100   1.1.1.2
Bi-directional: checked
10-24-2024 04:55 AM
Hi @calabilla
As I mentioned earlier, Bi-Directional static NAT applies only to Source NAT translations. Here in your example, you are doing destination NAT.
Ideally, your Bi-Directional Static NAT should look like this.
Here, consider the WAN zone as Untrust.
10-24-2024 09:16 AM
I never knew that Bidirectional NAT works only with Source NAT.
What will happen if I remove the bidirectional check mark? How would the NAT work in this scenario?
10-25-2024 12:33 AM
If you remove the Bi-Directional check from the Source NAT policy, then that policy will do the specified Source NAT only.
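The replies in this thread describe three behaviours: the Bi-directional option turns a one-to-one static Source NAT rule into a translation in both directions, a rule that places the private server IP on the Untrust side is the wrong direction, and clearing the box leaves only the forward Source NAT. The Python model below is an added example written for this thread; it is not PAN-OS code, configuration or output. It runs the rules from the thread plus a no-bi-directional variant through a simplified first-match NAT lookup. Everything topology-related is an assumption of the model and is labelled in the comments: the zone of an address is derived from the subnets declared in ZONES (1.1.1.0/29 on Untrust, 192.168.10.0/24 in DMZ, default route towards Untrust), and the sample packets are constructed.

```python
"""Toy model of first-match NAT rule evaluation on a zone-based firewall.

Added example for this thread; not PAN-OS code or output. It models what the
replies describe: zones are matched on the pre-NAT packet (the destination
zone comes from a route lookup on the original destination), a static source
NAT with Bi-directional checked also translates traffic arriving at the public
IP in the reverse direction, and a rule that puts the private server IP on
the Untrust side never matches traffic from the internet."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology taken from the thread: public /29 on Untrust, server /24 in DMZ.
ZONES = {
    "Untrust": ip_network("1.1.1.0/29"),
    "DMZ": ip_network("192.168.10.0/24"),
}

def zone_of(addr: str) -> str:
    """Route-lookup stand-in: the zone a destination is reached through.
    Anything outside the known subnets follows the default route to Untrust."""
    ip = ip_address(addr)
    for zone, net in ZONES.items():
        if ip in net:
            return zone
    return "Untrust"

def matches(pattern: str, addr: str) -> bool:
    """'any', or a host/prefix in CIDR notation."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)

@dataclass(frozen=True)
class Packet:
    from_zone: str
    src: str
    dst: str

    @property
    def to_zone(self) -> str:
        # The destination zone is derived from the pre-NAT destination address.
        return zone_of(self.dst)

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    src_xlate: str | None = None    # static source translation
    dst_xlate: str | None = None    # static destination translation
    bidirectional: bool = False     # only meaningful together with src_xlate

    def expand(self) -> list[NatRule]:
        """The rule itself, plus the implicit reverse destination NAT that
        Bi-directional adds to a one-to-one static source NAT."""
        one_to_one = (self.src != "any"
                      and ip_network(self.src, strict=False).num_addresses == 1)
        if not (self.bidirectional and self.src_xlate and one_to_one):
            # No reverse mapping can be derived (not a source NAT, not one-to-one,
            # or the box is unchecked): the rule translates in one direction only.
            return [self]
        reverse = NatRule(
            name=f"{self.name} (implicit reverse)",
            from_zone=self.to_zone,
            to_zone=zone_of(self.src_xlate),  # the zone the public IP lives in
            src="any",
            dst=self.src_xlate,
            dst_xlate=self.src,
        )
        return [self, reverse]

def apply_nat(rules: list[NatRule], pkt: Packet) -> tuple[str | None, str, str]:
    """First matching rule wins. Returns (rule name or None, post-NAT src, post-NAT dst)."""
    for rule in (r for base in rules for r in base.expand()):
        if (rule.from_zone == pkt.from_zone and rule.to_zone == pkt.to_zone
                and matches(rule.src, pkt.src) and matches(rule.dst, pkt.dst)):
            return rule.name, rule.src_xlate or pkt.src, rule.dst_xlate or pkt.dst
    return None, pkt.src, pkt.dst

# The rules discussed in the thread, as this model represents them.
EXPLICIT_DNAT = NatRule("explicit-dnat", "Untrust", "Untrust", "any", "1.1.1.2",
                        dst_xlate="192.168.10.100")
GOOD = NatRule("server-static", "DMZ", "Untrust", "192.168.10.100", "any",
               src_xlate="1.1.1.2", bidirectional=True)
BAD = NatRule("wrong-direction", "Untrust", "DMZ", "any", "192.168.10.100",
              src_xlate="1.1.1.2", bidirectional=True)
# GOOD with the Bi-directional box cleared (the last question in the thread).
ONE_WAY = NatRule("server-static-only", "DMZ", "Untrust", "192.168.10.100", "any",
                  src_xlate="1.1.1.2")

# Constructed sample packets.
OUTBOUND = Packet("DMZ", "192.168.10.100", "8.8.8.8")   # server to the internet
INBOUND = Packet("Untrust", "203.0.113.7", "1.1.1.2")    # internet client to the public IP

if __name__ == "__main__":
    for rule in (EXPLICIT_DNAT, GOOD, BAD, ONE_WAY):
        for pkt in (OUTBOUND, INBOUND):
            print(f"{rule.name:20} {pkt.from_zone}->{pkt.to_zone} {pkt.src}->{pkt.dst}:",
                  apply_nat([rule], pkt))
```

The point the model makes: the inbound packet is addressed to 1.1.1.2, so before translation its destination zone is Untrust. That is why the explicit Untrust-to-Untrust destination NAT rule and the implicit reverse of the DMZ-to-Untrust bi-directional rule produce the same post-NAT destination, while the Untrust-to-DMZ rule keyed on 192.168.10.100 never sees internet traffic at all, and the ONE_WAY rule translates only the server's outbound connections.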