U-NAT Double NAT - DNAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

U-NAT Double NAT - DNAT

L4 Transporter

Good morning, first of all thank you very much for your support.

I have the following case scenario:

FQDN: Dyndns ( paloalto01xxxalias.dynalias.net )
Modem/router/ADSL dynamic IP Public
Modem/router/ADSL LAN IP 192.160.1.254
Modem/router/ADSL NAT1-1 to Palo Alto Wan External Interface
Palo Alto Wan Interface 192.168.1.74 Gateway: 192.168.1.254

Palo Alto Dnat 192.168.1.74 port 9000 to LAN ( Palo Alto Lan ) 192.100.11.90 Port 9000.

Palo Alto Dnat 192.168.1.74 port 8000 to LAN ( Palo Alto Lan ) 192.100.11.90 Port 8000.

 

Internet----FQDN-Dyndns-----WAN:dynamic IP Public-Modem/router/ADSL---NAT:1:1----WAN Palo Alto Palo Alto----LAN Palo ALto----- 192.100.11.90 and 192.100.11.80 ( LAN Servers ).

 

DNAT details:
-DNAT External zone ---- 192.168.1.74 ---- LAN zone ---- IP 192.100.11.90.
Services: TCP_9000 ( TCP:9000 )---Operates OK from outside.

-DNAT External zone ---- 192.168.1.74 ---- LAN zone ---- IP 192.100.11.80
Services: TCP_8000 ( TCP:8000 )---Operates OK from outside.

 

When I perform the DNAT, from the outside it operates correctly OK. Since the connections when arriving and entering to the modem, pointing to the FQDN of dyndns, when arriving to the Modem/Router are nated to the Palo Alto to its WAN interface, the high stick then applies the DNAT ( detailed above ) and forwards it to the IP 192.100.11.90:9000 and 192.100.11.80:8000 this OK, correctly.

 

The problem occurs when, from the local network 192.100.11.0/24 and the other two networks 192.100.13.0/24 and 192.100.14.0/24, you try to go to the FQDN paloalto01xxxalias.dynalias.net the DNAT is not applied.

Try to perform a U-NAT as I have applied in other cases, from other firewalls.
In this case I have a DOUBLE NAT, the equipment MODEM/Router ( Nat:1:1 ) and the firewall Palo Alto, therefore if I try to apply the UNAT, in theory it is like that:

Source: LAN Network, LAN2 Network, LAN3 Network
Destination: External WAN: 192.168.1.74 ( IP wan of the Palo Alto )
Service: TCP:8000 port
Then 192.100.11.80 ( LAN IP ) Port 8000. This does not work because I must and need to reach the FQDN paloalto01xxxalias.dynalias.net, not the WAN IP of Palo Alto, and from there the NAT must go down.

 

Try to perform another U-NAT, as follows:

First create an address object as FQDN: paloalto01xxxalias.dynalias.net.

Generate the Dnat rule as follows:

Source: LAN Network, LAN2 Network, LAN3 Network
Destination: External WAN Destination Address FQDN: paloalto01xxxalias.dynalias.net
Service: TCP:8000 port
Destination Translate ( 192.168.1.74) 8000 tcp Port

And this didn't work either.

 

Please your help and support, to see how I can do that from the LAN networks to reach the FQDN paloalto01xxxalias.dynalias.net and that the DNAT is applied correctly.
From external networks and from the outside, if it works correctly.

 

Thank you very much, I remain attentive, best regards.

 

High Sticker
1 REPLY 1

Cyber Elite
Cyber Elite

Hi @Metgatz ,

 

You can verify below KB article which gives all the steps to allow such traffic flow.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK 

 

Hope it helps!

Mayur
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!