12-20-2010 11:11 PM
Hi, I have a little problem.
Consider that we have a server A with the IP address 10,
and server B with the IP address 20,
and a real IP address of 100.
I want to set up NAT so that if a web service comes to IP 100, it would forward this to 10,
and if a mail service comes to IP 100, it would forward it to 20.
And I would like both servers to go out with the IP address of 100.
How can I do this?
I made rules of:
dest 100 with service 80 destination nat static to 10
dest 100 with service 25 destination nat static to 20
source 10 any any sourcenat to static 100
source 20 any any sourcenat to static 100
What am I missing here?
After reading a couple of documents I changed the configuration to:
from zone internet to zone internet dest 100 with service 80 destination nat to 10
from zone internet to zone internet dest 100 with service 25 destination nat to 20
and removed the other two rules, but nothing changed.
Thanks in advance,
12-21-2010 02:03 AM
Have you also set the security policy as
internet - internal - any - 10 - port 80 (or application web-browsing)
internet - internal - any - 20 - port 25 (or application smtp)
(Security rules are post-NAT, so the internal IPs are used.)
rgds
Tom
12-21-2010 03:48 AM
Nope, I have set the rules like
from internet to internal destination external IP for service(web/smtp) allow.
You mean I should do it like
from internet to internal destination "internal IP" for service (web/smtp) allow.
Right?
I will try and let you know.
Thanks.
12-21-2010 08:16 AM
Change the source zone and the destination zone to be "Internet".
You can verify the traffic using :
show session all filter source 1.1.1.1
This will provide a list of session IDs associated with the 1.1.1.1 address and tell you the application.
View the individual session using:
show session id ###
This will show you the details, ingress and egress interfaces, NAT and Security rules processing the packet.
Make sure you have a security rule that allows traffic from the outside or internet to the inside of your network for the ports or IP addresses mentioned in your NAT rules.
Steve Krall
12-21-2010 08:16 AM
Security rules are post-NAT, but NAT is not actually implemented until packet egress. This means that for the inbound, destination-NATted packets the external IPs should be used in the policy. For the outbound-initiated traffic the internal IPs should be used in the security policy.
The NAT rules are only for the direction the traffic is initiated. Traffic initiated from the Internet will be destination-NATted, and the return traffic in the same session will correctly use the same NATted IP as the source IP. Traffic initiated from the internal network will not hit the first two NAT rules, so you will need an outbound NAT rule. You can have a single source-NAT rule that encompasses both internal IPs for your purposes.
How exactly is it not working? Are packets not hitting the Security Policy? Do you see them in the logs but with the incorrect NAT IPs in the details?
Cheers,
Kelly
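The evaluation order Kelly describes (NAT rule matched on the packet as received in the initiating direction, security policy matched on pre-NAT IPs but the post-NAT destination zone, reply traffic translated from the session entry) as an added model in Python; this is a constructed illustration for this thread, not PAN-OS syntax or anything from the original posts. The rule names, zone names and the routing assumed in `zone_of` are made up, and the addresses are the poster's placeholders 10, 20 and 100.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src_zone: str  # zone of the ingress interface
    src: str
    dst: str
    dport: int

# Constructed rulebase using the poster's placeholders 10, 20, 100; a field
# left out means "any". NAT rules match the packet as received (pre-NAT) in
# the direction the session is initiated, so outbound needs its own rule.
NAT_RULES = [
    dict(name="web-dnat", from_zone="internet", dst="100", dport=80, to_dst="10"),
    dict(name="mail-dnat", from_zone="internet", dst="100", dport=25, to_dst="20"),
    dict(name="out-snat", from_zone="internal", src={"10", "20"}, to_src="100"),
]
# Security rules: destination zone is post-NAT, but the IPs are pre-NAT.
SEC_RULES = [
    dict(name="allow-web", from_zone="internet", to_zone="internal", dst="100", dport=80),
    dict(name="allow-mail", from_zone="internet", to_zone="internal", dst="100", dport=25),
    dict(name="allow-out", from_zone="internal", to_zone="internet", src={"10", "20"}),
]

def zone_of(ip):
    # assumed routing: the two placeholder hosts sit inside, all else outside
    return "internal" if ip in ("10", "20") else "internet"

def matches(rule, p, to_zone=None):
    if rule["from_zone"] != p.src_zone:
        return False
    if to_zone is not None and rule["to_zone"] != to_zone:
        return False
    if "dst" in rule and (p.dst, p.dport) != (rule["dst"], rule["dport"]):
        return False
    return "src" not in rule or p.src in rule["src"]

def open_session(p):
    """Session-opening packet: NAT lookup first, then security policy matched
    on pre-NAT addresses but the post-NAT destination zone."""
    nat = next((r for r in NAT_RULES if matches(r, p)), None)
    post_src, post_dst = (nat or {}).get("to_src", p.src), (nat or {}).get("to_dst", p.dst)
    sec = next((r for r in SEC_RULES if matches(r, p, zone_of(post_dst))), None)
    return dict(nat=nat and nat["name"], sec=sec and sec["name"],
                orig_dst=p.dst, post_src=post_src, post_dst=post_dst)

def reply_source(session):
    """Reply traffic is rewritten from the session entry (no second NAT lookup)."""
    return session["orig_dst"]
```

A security rule written against the internal address (destination 10) would never match the inbound web session in this model, because the policy sees the pre-NAT destination 100.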
12-23-2010 01:10 AM
This issue was actually related to the MAC address table on the routing device in front of the firewall.
Important thing to remember: reset the MAC table on devices that store MAC addresses (router, switch, ...) if you replace a firewall.
12-23-2010 01:16 AM
Thanks for your help, guys.