What is the destination NAT configuration for Ping & trace-rout


L4 Transporter

Need to allow ping & traceroute from Internet (outside) to Trust (inside).

What needs to be configured in Destination NAT to allow ping & traceroute?

7 REPLIES

L4 Transporter

Continuing the same...

In the security policy section we allow the ping & traceroute applications.

What service should be allowed in the NAT policy for ping & traceroute?

I do not want to configure an 'any any' service in the NAT policy to allow ping & traceroute.

If you are using the app-id/layer 7 in the policy then recommend using "Application default" for the service. You should not have to specify ports unless they are non-standard for the application in question.

Thanks for the update.

I am already using application-default.

But I can use a service in the NAT policy instead of ANY, and I want to use multiple services in the NAT policy rule. Is it possible to have that in the Original Packet translation section?

Is it recommended?


@Mohammed_Yasin,

I don't believe this is possible without an 'any' service entry. ICMP traffic doesn't function on an L4 basis. The firewall takes the ID and sequence fields from the ICMP header and treats them the same as if they were ports, which is why setting the service to any works fine. PAN doesn't really have true support for making an ICMP NAT entry.

Thanks for the update,

and for traceroute in the NAT policy?

@Mohammed_Yasin,

Depends on the system, as it's implemented differently between operating systems. Windows exclusively utilizes ICMP, so you would fall into the same scenario. Unix systems will actually utilize 33434-33534/UDP by default, but have options for using ICMP or even TCP depending on how the command is run.

 

Generally speaking traceroute will follow the same as ICMP; it won't work reliably unless you open all available ports via your NAT rulebase, and that's really very ill-advised when you're talking about allowing traffic inbound. 

 

Should have probably started with this, but what are you actually trying to achieve with this setup? So take away ICMP or traceroute, because at the moment we don't care about them. What were you trying to do with this setup? Some sort of status check on internal clients from an external resource?
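The two answers above make a concrete claim about how the firewall sees this traffic: ICMP echo has no ports, so the ID and sequence fields stand in for them in the session key, and traceroute looks different depending on the operating system (ICMP echo on Windows, UDP 33434-33534 by default on Unix, optionally TCP). The following Python is an added illustration written for this thread, not PAN-OS code or anything from the original posts. It builds a few constructed IPv4 packets, derives the session key a stateful NAT would use, and shows which of the probe types a narrow NAT service object could actually match. Packet builders, address values and the `matches_service` model are assumptions made for the example.

```python
"""Added example: session keys for ICMP vs. L4 traffic and what a narrow NAT
service can and cannot match.  Constructed packets only; not PAN-OS code."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Default UDP destination-port range used by Unix traceroute, as stated above.
TRACEROUTE_UDP_PORTS = range(33434, 33535)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class SessionKey:
    proto: str
    src: str
    dst: str
    src_id: int   # source port, or ICMP identifier for echo traffic
    dst_id: int   # destination port, or ICMP sequence for echo traffic


def build_ipv4(proto: int, src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet; header checksum is left 0 and never validated."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def icmp_echo(ident: int, seq: int, request: bool = True) -> bytes:
    return struct.pack("!BBHHH", 8 if request else 0, 0, 0, ident, seq)


def udp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)


def tcp_syn(sport: int, dport: int) -> bytes:
    # seq, ack, data offset 5 words, flags SYN (0x02), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(packet: bytes) -> dict:
    (ver_ihl, _tos, _tlen, _ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "src": str(IPv4Address(src)),
            "dst": str(IPv4Address(dst)), "payload": packet[ihl:]}


def session_key(packet: bytes) -> SessionKey:
    """Key a stateful NAT would look up.  For ICMP echo, identifier and
    sequence take the place of the ports, as described in the answer above."""
    ip = parse_ipv4(packet)
    p = ip["payload"]
    if ip["proto"] == 1:
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", p[:8])
        if icmp_type not in (0, 8):
            raise ValueError(f"ICMP type {icmp_type} carries no id/seq pair")
        return SessionKey("icmp", ip["src"], ip["dst"], ident, seq)
    if ip["proto"] in (6, 17):
        sport, dport = struct.unpack("!HH", p[:4])
        return SessionKey(PROTO_NAMES[ip["proto"]], ip["src"], ip["dst"], sport, dport)
    raise ValueError(f"unsupported protocol {ip['proto']}")


def classify_probe(packet: bytes) -> str:
    """Label an inbound packet the way someone writing the NAT service must:
    only the Unix UDP default is recognisable by destination port."""
    key = session_key(packet)
    if key.proto == "icmp":
        return "icmp-echo"        # ping, Windows tracert, or traceroute -I
    if key.proto == "udp" and key.dst_id in TRACEROUTE_UDP_PORTS:
        return "udp-traceroute"   # Unix default; port increments per probe
    if key.proto == "tcp":
        return "tcp-syn"          # TCP traceroute looks like any connection attempt
    return "other"


def matches_service(packet: bytes, proto: str, ports: range) -> bool:
    """Hypothetical NAT service object 'proto/ports' vs. a packet.  ICMP has
    no L4 port, so nothing narrower than 'any' can match it."""
    key = session_key(packet)
    if proto == "any":
        return True
    if key.proto == "icmp":
        return False
    return key.proto == proto and key.dst_id in ports


if __name__ == "__main__":
    outside, inside = "203.0.113.10", "10.0.0.5"   # constructed addresses
    for pkt in (build_ipv4(1, outside, inside, 64, icmp_echo(0x1234, 7)),
                build_ipv4(17, outside, inside, 1, udp_header(40000, 33434)),
                build_ipv4(6, outside, inside, 1, tcp_syn(40000, 80))):
        print(classify_probe(pkt), session_key(pkt),
              matches_service(pkt, "udp", TRACEROUTE_UDP_PORTS))
```

The model makes the thread's point visible: the ICMP echo packet only matches when the service is `any`, the UDP probe matches a `udp/33434-33534` service, and the TCP SYN probe is indistinguishable from an ordinary connection attempt to that port, which is why there is no narrow service that covers "traceroute" across operating systems.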

  • 1 accepted solution
  • 7676 Views
  • 7 replies
  • 0 Likes