We need a static Nat from one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

cancel
Showing results for 
Search instead for 
Did you mean: 

We need a static Nat from one source to a single outside IP using multiple Ports to translate to multiple inside private IPS with same source

L1 Bithead

We need to create a Policy  to allow traffic in from a partner that needs to monitor Our Servers.

Outside IP will be one  say xx.xx.xx.5 they need to hit  10 diffrent servers on the inside of our network  192.168.1.101-110 

THey want to send traffic to 21001 - 21002 and have it changed to 5666 on the inside. i have tried about everythign I can think of.

 

so outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21001 We translate that to 192.168.1.101 port 5666

     outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21002 We translate that to 192.168.1.102 port 5666

     outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21003 We translate that to 192.168.1.103 port 5666

     outside ip xx.xx.xx.xx.5 SEND TRAFFIC to our outside ip xx.xx.xx.88.on port 21004 We translate that to 192.168.1.104 port 5666

 

Can someone point me in the right direction. 

6 REPLIES 6

L4 Transporter

I haven't done exactly this, but I would suspect it would be something like:

 

Create custom destination service port objects for non-standard ports:

Objects -> Services -> Add

  Monitor_TCP5666 - protocol=TCP, dst_port=5666

  Monitor_TCP21001 - protocol=TCP, dst_port=21001

  Monitor_TCP21002 - protocol=TCP, dst_port=21002

  ...

 

Create your NAT rules:

Policies -> NAT -> Add

  Vendor_Monitor_1 - src_zone=Untrust, dst_zone=Untrust, service=Monitor_TCP21001,

                                   src_addr=192.0.2.5, dst_addr=198.51.100.88,

                                   dst_tranlation=staticIP, translated_addr=192.168.1.101 translated_port=5666

  Vendor_Monitor_2 - src_zone=Untrust, dst_zone=Untrust, service=Monitor_TCP21002,

                                   src_addr=192.0.2.5, dst_addr=198.51.100.88,

                                   dst_tranlation=staticIP, translated_addr=192.168.1.102 translated_port=5666

  ...

 

Create your Security rules:

Policies -> Security -> Add

  Remote_Vendor_Monitoring - src_zone=Untrust, src_addr=192.0.2.5,

                                                  dst_zone=DMZ, dst_addr=192.168.1.101,192.168.1.102,...,

                                                  service=Monitor_TCP5666, action=allow

 

L1 Bithead

Thanks so much for the Reply.

This is almost exactly what I have and it does not wqork at all.

The only diffrence is the DST ZONE is Inside not DMZ

I dont even see any traffic hit the Nat policy. 

Cyber Elite
Cyber Elite

Hello,

The vendor will need to use different ports for the different internal servers, otherwise the PAN doesnt know where to send the traffic to. Try the following:

Uni-directional policy https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

Regards,

L4 Transporter

If you run a Test Policy Match from the NAT Policy page, does it show that it matches the NAT rule? The NAT policy rule should be src and dst zone for the public interface. Security policy rule should shoud src zone for the public, dst zone for your internal.

L1 Bithead

I finally got it to work. The Nat rule was correct, but on the Security  policy I was allowing the Destinaltion IP to go to the externall IP.

I changed it to the inside IP and it worked. that does not match other Nat policies I have working..

 

 

L5 Sessionator

Hi @Adrian_Jensen ,

 

The PANW NGFW can easily do that.  Here is an excellent video -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW.  It also has a bonus video on the relationship between the NAT and security policies.  For the security policy, "pre-NAT IP address and post-NAT everything else."  The reason for that rule is that the security policy is checked before NAT is implemented, but after the NAT lookup of the destination zone is done.  (NAT is performed on egress.)

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!