04-27-2018 06:54 AM
Hi!
Help, please, with an Internal Web server publication.
I have a Palo Alto PA-200, PAN-OS 7.0.19.
I have ext. Internet on Eth1/1 (L3-Untrust zone) and LAN on Eth1/2 (L3-Trust zone). In my LAN I have a server with Web publication (WebServer), which should be accessed from outside (Internet).
I'm trying to publish it, but I get an error: Mismatch of destination address translation range between original address and translated address
Could someone please help with fixing the NAT and policy?
04-27-2018 06:58 AM
Hello,
The destination zone in your screen shot needs to be the same zone that the web server resides in.
Hope that helps.
04-27-2018 07:06 AM
Thanks for response!
Trying to change zone, but got same error. Maybe you could suggest anything else?
04-27-2018 07:08 AM
Also the destination address should be the IP of the webserver.
04-27-2018 07:16 AM
Sorry, I meant the translated address. However, here is one of my NAT rules. It's a bi-directional rule, which just means that incoming traffic and outgoing traffic use the same external IP address.
Just as a personal preference I use NAT rules to just translate and use the security policies to dictate which services are allowed.
04-27-2018 07:31 AM
Thanks!
Trying to change main NAT, but unsuccessfully. Any ideas?
04-27-2018 07:49 AM
What IP does your LAN object translate to? It should just be the web server's address.
04-27-2018 07:55 AM
LAN - 10.154.10.1/16
WebServer - 10.154.10.7
04-27-2018 07:57 AM
Hello,
Put the Webserver address into your NAT rule.
Then it should work.
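Why the LAN object triggers the commit error while the WebServer address does not, as an added example that is not part of the original thread or of PAN-OS: a small pre-commit lint, assuming the error means the original destination and the translated address cover a different number of addresses. The rule dictionaries, rule names and the public IP `203.0.113.10` are constructed; the two internal values are the ones quoted in the thread.

```python
import ipaddress

def addr_count(value):
    """Number of addresses an address value covers."""
    # strict=False accepts host-style objects such as 10.154.10.1/16
    return ipaddress.ip_network(value, strict=False).num_addresses

def check_dnat(rule):
    """Return a list of findings for one destination-NAT rule (a dict)."""
    if rule["destination"] == "any":
        return ["original destination is 'any', so its size cannot match"]
    orig = addr_count(rule["destination"])
    xlat = addr_count(rule["translated_address"])
    # Assumed check: both sides must cover the same number of addresses.
    if orig != xlat:
        return [f"mismatch: original covers {orig}, translated covers {xlat}"]
    return []

def lint(rules):
    """Map each rule name to its findings (empty list means clean)."""
    return {r["name"]: check_dnat(r) for r in rules}

PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the public IP

# Constructed rules: same original destination, two translated addresses.
RULES = [
    {"name": "Webpub-with-LAN-object",      # LAN object from the thread
     "destination": PUBLIC_IP,
     "translated_address": "10.154.10.1/16"},
    {"name": "Webpub-with-WebServer",       # WebServer address from the thread
     "destination": PUBLIC_IP,
     "translated_address": "10.154.10.7"},
]

if __name__ == "__main__":
    for name, findings in lint(RULES).items():
        print(name, "->", findings or "ok")
```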
04-27-2018 08:22 AM
Hi!
Tried to change it, but lost access from LAN to Internet. At the same time I couldn't connect to the WebServer from outside.
Maybe there is another way to do it?
04-27-2018 09:04 AM
If I am assuming correctly,
you are using one public IP and you are planning to use port 80 for the web server.
To set this up I would set up two different NAT statements, one for outbound only, that will translate your internal network to the public IP. It would look something like this:
For outbound NAT:
Security rule:
source ip: your internal ip
destination ip: any
source zone: trust
destination zone: untrust
service: http
NAT policy:
source ip: your lan ip
source zone: internal
destination ip: any
destination zone: untrust
source NAT to untrust interface ip
For inbound web server:
Security rule:
source ip: any
destination ip: <your public ip>
source zone: untrust
destination zone: trust
service: http
NAT policy:
source ip: any
source zone: untrust
destination ip: your public ip
destination zone: untrust
destination NAT: internal web server ip
~HTH
04-27-2018 09:25 AM
Thanks!
I'm trying to change it, but I get the next error again. Maybe I made a mistake somewhere?
04-27-2018 09:41 AM
Okay, that's good.
Make the following changes:
In Webpub:
1) Make sure "Internet" is your public IP.
In Webout:
1) In source translation, put your public IP and remove the destination translation entry.
~HTH
04-27-2018 10:13 AM
Thanks a lot to all for help!!!
For me it works like this:
04-27-2018 11:32 AM
Glad I could help.
Please accept the post as a solution if it helped.
~Harry