05-24-2022 09:20 AM - edited 05-24-2022 02:00 PM
We need to create a policy to allow traffic in from a partner that needs to monitor our servers.
The outside IP will be one address, say xx.xx.xx.5; they need to hit 10 different servers on the inside of our network, 192.168.1.101-110.
They want to send traffic to 21001 - 21002 and have it changed to 5666 on the inside. I have tried about everything I can think of.
So outside IP xx.xx.xx.xx.5 sends traffic to our outside IP xx.xx.xx.88 on port 21001; we translate that to 192.168.1.101 port 5666.
Outside IP xx.xx.xx.xx.5 sends traffic to our outside IP xx.xx.xx.88 on port 21002; we translate that to 192.168.1.102 port 5666.
Outside IP xx.xx.xx.xx.5 sends traffic to our outside IP xx.xx.xx.88 on port 21003; we translate that to 192.168.1.103 port 5666.
Outside IP xx.xx.xx.xx.5 sends traffic to our outside IP xx.xx.xx.88 on port 21004; we translate that to 192.168.1.104 port 5666.
Can someone point me in the right direction?
05-24-2022 11:10 AM
I haven't done exactly this, but I would suspect it would be something like:
Create custom destination service port objects for non-standard ports:
Objects -> Services -> Add
Monitor_TCP5666 - protocol=TCP, dst_port=5666
Monitor_TCP21001 - protocol=TCP, dst_port=21001
Monitor_TCP21002 - protocol=TCP, dst_port=21002
...
Create your NAT rules:
Policies -> NAT -> Add
Vendor_Monitor_1 - src_zone=Untrust, dst_zone=Untrust, service=Monitor_TCP21001,
src_addr=192.0.2.5, dst_addr=198.51.100.88,
dst_translation=staticIP, translated_addr=192.168.1.101 translated_port=5666
Vendor_Monitor_2 - src_zone=Untrust, dst_zone=Untrust, service=Monitor_TCP21002,
src_addr=192.0.2.5, dst_addr=198.51.100.88,
dst_translation=staticIP, translated_addr=192.168.1.102 translated_port=5666
...
Create your Security rules:
Policies -> Security -> Add
Remote_Vendor_Monitoring - src_zone=Untrust, src_addr=192.0.2.5,
dst_zone=DMZ, dst_addr=192.168.1.101,192.168.1.102,...,
service=Monitor_TCP5666, action=allow
05-24-2022 11:47 AM
Thanks so much for the reply.
This is almost exactly what I have and it does not work at all.
The only difference is the DST ZONE is Inside, not DMZ.
I don't even see any traffic hit the NAT policy.
05-24-2022 12:30 PM
Hello,
The vendor will need to use different ports for the different internal servers, otherwise the PAN doesn't know where to send the traffic to. Try the following:
Regards,
05-24-2022 01:12 PM
If you run a Test Policy Match from the NAT Policy page, does it show that it matches the NAT rule? The NAT policy rule should be src and dst zone for the public interface. The security policy rule should have src zone for the public, dst zone for your internal.
05-24-2022 01:56 PM - edited 05-24-2022 02:01 PM
I finally got it to work. The NAT rule was correct, but on the Security policy I was allowing the Destination IP to go to the external IP.
I changed it to the inside IP and it worked. That does not match other NAT policies I have working.
05-24-2022 02:01 PM
Hi @Adrian_Jensen ,
The PANW NGFW can easily do that. Here is an excellent video -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW. It also has a bonus video on the relationship between the NAT and security policies. For the security policy, "pre-NAT IP address and post-NAT everything else." The reason for that rule is that the security policy is checked before NAT is implemented, but after the NAT lookup of the destination zone is done. (NAT is performed on egress.)
Thanks,
Tom
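A small model of the evaluation order described in the replies above, added here as an example (not code from this thread or from Palo Alto Networks): the NAT rule is matched on the original packet, the destination zone is re-resolved from the translated address, and the security rule is then matched against the pre-NAT destination IP together with the post-NAT destination zone. The zone table, the ten NAT rules built from the addresses in the thread, and the security rule variants are constructed for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone table for the model: a destination's zone comes from the
# route lookup of that address (assumed interface/zone layout, not from the thread).
ZONES = {ip_network("192.0.2.0/24"): "Untrust",
         ip_network("198.51.100.0/24"): "Untrust",
         ip_network("192.168.1.0/24"): "Inside"}

def zone_of(addr):
    ip = ip_address(addr)
    return next(z for net, z in ZONES.items() if ip in net)

@dataclass
class NatRule:
    name: str; from_zone: str; to_zone: str; src: str; dst: str; dport: int
    xlate_addr: str; xlate_port: int

@dataclass
class SecRule:
    name: str; from_zone: str; to_zone: str; src: str; dst: str; action: str

# The ten NAT rules from the thread: 198.51.100.88:2100N -> 192.168.1.10N:5666,
# from zone Untrust to zone Untrust (the zone of the pre-NAT public address).
NAT = [NatRule(f"Vendor_Monitor_{i}", "Untrust", "Untrust", "192.0.2.5",
               "198.51.100.88", 21000 + i, f"192.168.1.{100 + i}", 5666)
       for i in range(1, 11)]

def evaluate(security, src, dst, dport):
    """Return (nat_rule, security_rule, translated (addr, port)) for one TCP SYN."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)   # zones of the original packet
    nat = next((r for r in NAT if (r.from_zone, r.to_zone, r.src, r.dst, r.dport)
                == (src_zone, dst_zone, src, dst, dport)), None)
    # Destination zone is re-resolved from the translated address, but the security
    # lookup still sees the pre-NAT destination IP ("pre-NAT IP, post-NAT zone");
    # the address rewrite itself happens on egress.
    post_zone = zone_of(nat.xlate_addr) if nat else dst_zone
    sec = next((r for r in security if r.from_zone == src_zone
                and r.to_zone == post_zone and r.src == src and r.dst == dst), None)
    if sec is None or sec.action != "allow":
        return (nat.name if nat else None, None, None)
    target = (nat.xlate_addr, nat.xlate_port) if nat else (dst, dport)
    return (nat.name if nat else None, sec.name, target)

# Public (pre-NAT) destination address plus internal (post-NAT) zone: matches.
POLICY_OK = [SecRule("Remote_Vendor_Monitoring", "Untrust", "Inside",
                     "192.0.2.5", "198.51.100.88", "allow")]
# Translated address as destination: does not match under the rule modelled here.
POLICY_POST_NAT_IP = [SecRule("Remote_Vendor_Monitoring", "Untrust", "Inside",
                              "192.0.2.5", "192.168.1.101", "allow")]
# Pre-NAT destination zone: does not match either.
POLICY_PRE_NAT_ZONE = [SecRule("Remote_Vendor_Monitoring", "Untrust", "Untrust",
                               "192.0.2.5", "198.51.100.88", "allow")]
```

Running `evaluate(POLICY_OK, "192.0.2.5", "198.51.100.88", 21003)` returns the matched NAT rule, the security rule and the translated target 192.168.1.103:5666; the two other policies yield a NAT match but no security match.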