What is the destination NAT configuration for Ping & traceroute

L3 Networker

Need to allow ping & traceroute from Internet (outside) to Trust (inside).

What needs to be configured in destination NAT to allow ping & traceroute?


Accepted Solutions
Cyber Elite

@Mohammed_Yasin,

Depends on the system, as it's implemented differently between operating systems. Windows exclusively utilizes ICMP, so you would fall into the same scenario. Unix systems will actually utilize 33434-33534/UDP by default, but have options for using ICMP or even TCP depending on how the command is run.

 

Generally speaking, traceroute will follow the same as ICMP; it won't work reliably unless you open all available ports via your NAT rulebase, and that's really very ill-advised when you're talking about allowing traffic inbound.

 

Should have probably started with this, but what are you actually trying to achieve with this setup? So take away ICMP or traceroute, because at the moment we don't care about them. What were you trying to do with this setup? Some sort of status check on internal clients from an external resource?



All Replies
L3 Networker

Continuing the same...

In the security policy section we allow the ping & traceroute applications.

What service should be allowed in the NAT policy for ping & traceroute?

I do not want to configure an 'any any' service in the NAT policy to allow ping & traceroute.

L3 Networker

If you are using the app-id/layer 7 in the policy then recommend using "Application default" for the service. You should not have to specify ports unless they are non-standard for the application in question.

L3 Networker

Thanks for the update.

I am already using application-default...

But can I use a service in the NAT policy instead of ANY? I want to use multiple services in the NAT policy rule. Is it possible to have that in the Original Packet translation section?

Is it recommended?

Cyber Elite

@Mohammed_Yasin,

I don't believe this is possible without an 'any' service entry. ICMP traffic doesn't function on an L4 basis. The firewall takes the ID and sequence fields from the ICMP header and treats them the same as if they were ports, which is why setting the service to any works fine. PAN doesn't really have true support for making an ICMP NAT entry.
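To make the two points in this thread concrete (ICMP has no ports, so the firewall falls back to the echo ID and sequence fields; Unix traceroute walks a range of UDP destination ports rather than one fixed port), here is an added example that is not PAN-OS code and not from anyone in this thread. It constructs a few packets inline, derives the port-like session key a stateful firewall could track for each, and lists the destination ports a classic Unix traceroute would send to. The packet builders, the `session_key` helper and the field names it returns are all my own assumptions for illustration.

```python
"""Added example (not PAN-OS code): why a port-based service object can
match UDP traceroute probes but not ICMP echo, using constructed packets."""
import struct

ICMP_ECHO_REQUEST = 8
# Default Unix traceroute UDP probe range quoted in the thread (33434-33534).
TRACEROUTE_UDP_PORTS = range(33434, 33535)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Constructed ICMP echo request: type 8, code 0, checksum, id, sequence."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed UDP header; checksum left at 0 (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def session_key(proto: str, l4: bytes) -> dict:
    """Derive the port-like fields a stateful firewall can track.

    The IP header is omitted from these constructed packets; a real firewall
    keys on source/destination address as well.  For UDP the real ports are
    used; for ICMP echo there are none, so the identifier and sequence fields
    stand in for them, and no port-based service object can describe them.
    """
    if proto == "udp":
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": "udp", "src_port": sport, "dst_port": dport,
                "matchable_by_port_service": True}
    if proto == "icmp":
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", l4[:8])
        if icmp_type != ICMP_ECHO_REQUEST:
            raise ValueError("only echo requests are handled in this example")
        return {"proto": "icmp", "icmp_id": ident, "icmp_seq": seq,
                "matchable_by_port_service": False}
    raise ValueError("unsupported protocol: %r" % proto)


def looks_like_unix_traceroute(key: dict) -> bool:
    """True when a UDP packet targets the default traceroute probe port range."""
    return key["proto"] == "udp" and key["dst_port"] in TRACEROUTE_UDP_PORTS


def traceroute_probe_ports(hops: int, probes_per_hop: int = 3) -> list:
    """Destination ports a classic Unix traceroute sends to: one port per probe,
    incrementing from 33434, which is why a single fixed-port service object
    cannot cover a whole trace and the thread's advice lands on 'any'."""
    return [33434 + i for i in range(hops * probes_per_hop)]


if __name__ == "__main__":
    print(session_key("icmp", build_icmp_echo(0x1234, 7)))
    print(session_key("udp", build_udp(40000, 33440)))
    print(traceroute_probe_ports(2))
```

The `matchable_by_port_service` flag is the practical takeaway: a UDP probe can be matched by a service object covering 33434-33534, but an ICMP echo carries only ID and sequence, so a NAT rule that must match it needs a service of any, and the inbound exposure that implies is the reason the accepted answer asks what the setup is actually for.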

L3 Networker

Thanks for the update,

and for traceroute in the NAT policy?

