06-25-2020 04:19 AM
Need to allow ping and traceroute from the Internet (outside) to Trust (inside).
What needs to be configured in the Destination NAT to allow ping and traceroute?
06-25-2020 07:25 AM
Continuing the same question...
In the security policy section we allow the ping and traceroute applications.
What service should be allowed in the NAT policy for ping and traceroute?
I do not want to configure an 'any any' service in the NAT policy to allow ping and traceroute.
06-25-2020 11:23 AM
If you are using App-ID/layer 7 in the policy, then I recommend using "application-default" for the service. You should not have to specify ports unless they are non-standard for the application in question.
06-25-2020 01:35 PM
Thanks for the update.
I am already using application-default.
But can I use a service in the NAT policy instead of 'any'? I want to use multiple services in the NAT policy rule. Is it possible to have that in the Original Packet section?
Is it recommended?
06-25-2020 02:32 PM
I don't believe this is possible without an 'any' service entry. ICMP traffic doesn't function on an L4 basis. The firewall takes the ID and sequence fields from the ICMP header and treats them the same as if they were ports, which is why setting the service to any works fine. PAN doesn't really have true support for making an ICMP NAT entry.
06-27-2020 11:10 PM
Thanks for the update.
And for traceroute in the NAT policy?
06-28-2020 09:37 AM
It depends on the system, as it's implemented differently between operating systems. Windows exclusively utilizes ICMP, so you would fall into the same scenario. Unix systems will actually utilize 33434-33534/UDP by default, but have options for using ICMP or even TCP depending on how the command is run.
Generally speaking, traceroute will follow the same as ICMP; it won't work reliably unless you open all available ports via your NAT rulebase, and that's really very ill-advised when you're talking about allowing traffic inbound.
I should probably have started with this, but what are you actually trying to achieve with this setup? So take away ICMP and traceroute, because at the moment we don't care about them. What were you trying to do with this setup? Some sort of status check on internal clients from an external resource?
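Worked example, added here and not part of any post in this thread, to make the two replies above concrete: it builds an ICMP Echo Request and a UDP traceroute probe byte-for-byte, shows which header fields a stateful device can key a session on (ports for UDP; identifier and sequence for ICMP, as the earlier reply describes), and then checks both kinds of probe against a port-based service object versus an 'any' service. Assumptions, labelled in the code: the UDP port progression models the classic Unix traceroute (base port 33434, one port per probe, three probes per hop, 30 hops); the `Service` and `session_key` model a generic stateful firewall as the thread describes it, not PAN-OS internals.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REQUEST = 8
TRACEROUTE_UDP_BASE = 33434   # assumption: classic Unix traceroute default base port


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    """ICMP Echo Request: type(1) code(1) checksum(2) identifier(2) sequence(2) [data]."""
    draft = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence) + payload
    csum = rfc1071_checksum(draft)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, identifier, sequence) + payload


def parse_icmp_echo(packet: bytes) -> dict:
    """Pull the header fields back out; a packet with a valid checksum sums to zero."""
    icmp_type, code, _csum, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": identifier, "seq": sequence,
            "checksum_ok": rfc1071_checksum(packet) == 0}


def udp_probe_dst_port(hop: int, probe: int, nprobes: int = 3,
                       base: int = TRACEROUTE_UDP_BASE) -> int:
    """Classic UDP traceroute (assumption): the destination port advances by one for
    every probe sent, so hop 1 probe 0 is 33434 and hop 30 probe 2 is 33523."""
    return base + (hop - 1) * nprobes + probe


def session_key(proto: str, src: str, dst: str, l4: bytes) -> tuple:
    """What a stateful device can key a session on. UDP has a real 5-tuple; ICMP echo
    has no ports, so the identifier and sequence fields stand in for them. This models
    the behaviour described in the thread, not any vendor's actual session table."""
    if proto == "udp":
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("udp", src, sport, dst, dport)
    if proto == "icmp":
        fields = parse_icmp_echo(l4)
        return ("icmp", src, dst, fields["id"], fields["seq"])
    raise ValueError(proto)


@dataclass(frozen=True)
class Service:
    """A policy service object: 'any', or one protocol with an inclusive port range."""
    protocol: str           # "any", "udp", "tcp" or "icmp"
    ports: tuple = ()       # (low, high); only meaningful for tcp/udp


def service_matches(service: Service, proto: str, dst_port: Optional[int] = None) -> bool:
    if service.protocol == "any":
        return True
    if service.protocol != proto:
        return False
    if proto in ("tcp", "udp"):
        low, high = service.ports
        return dst_port is not None and low <= dst_port <= high
    return True             # icmp: nothing at L4 to compare, so a matching protocol is enough


def coverage(service: Service, max_hops: int = 30, nprobes: int = 3) -> dict:
    """How many probes of each traceroute flavour a given service entry would match."""
    udp_hits = sum(service_matches(service, "udp", udp_probe_dst_port(h, p, nprobes))
                   for h in range(1, max_hops + 1) for p in range(nprobes))
    icmp_hits = max_hops * nprobes if service_matches(service, "icmp") else 0
    return {"udp": udp_hits, "icmp": icmp_hits, "total": max_hops * nprobes}


if __name__ == "__main__":
    # Constructed sample: one echo request and one UDP probe from a documentation address.
    echo = build_icmp_echo(identifier=0x1234, sequence=1, payload=b"abcdefgh")
    print(parse_icmp_echo(echo))
    print(session_key("icmp", "203.0.113.10", "192.0.2.20", echo))
    print(session_key("udp", "203.0.113.10", "192.0.2.20", struct.pack("!HH", 40000, 33434)))
    print(coverage(Service("udp", (33434, 33534))))   # matches the UDP probes, no ICMP at all
    print(coverage(Service("any")))                   # matches both
```

The `coverage` output is the point of the exchange: a UDP 33434-33534 service object matches every probe of a default Unix traceroute (90 probes over 30 hops) but none of ping or a Windows traceroute, and the only service definition in this model that covers both is 'any', because the ICMP identifier and sequence fields are not ports a service object can express.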