Giving permission to external IP address to access our internal server

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Giving permission to external IP address to access our internal server

L1 Bithead

Hi beautiful People,

I am trying to give permission to external IP address to access one of my server in the network. How can i give permission from Palo alto firewall. I have PA-3220 model of Palo alto.

Please kindly give me solution to this.

And also how can I disable AGL SIP on that?

 

3 REPLIES 3

L4 Transporter

Hi,

Unsure what version of PanOS you are running, but the KB article below should be enough to guide you to where you can disable SIP ALG.

How to Disable SIP ALG - Knowledge Base - Palo Alto Networks

With regards to allowing an external IP access to one of your internal servers, this will likely involve both a Security policy rule and a NAT policy rule.  It may not be the best solution from a security perspective though.

 

I would ask that you provide a little more information before doing this so that we can understand the context of what you are trying to achieve.  

 

Thanks,

Dave

This is The Job request I got  for Ip addressing part please:-   

a new Ecommerce server is setup and the traffic from the new external server to the trusted internal server is blocked.

Traffic from the new server to the internal server should be allowed, How do you suggest on it?

Hello @lprasad , publishing the server is easy.

 

Now you must create a NAT.

A destination NAT:

Source zone Untrust/WAN, destination Zone WAN/Untrust ( The WAN or Untrust zone you have defined in your AP ).
Destination Address: Here you must point to the public IP that you are going to use to publish your service, for example the IP of your Public Interface or another IP that you define. Then in Translated Packet Destination Translate there you set the Private IP, the internal IP of your server is 192.168.0.20 I understand, according to what you have mentioned in the Post.

Now, after you have the destination NAT policy created, you must apply the security policy.

Source Zone Untrust/WAN, in destination the final destination zone example DMZ or Trust or Internal or LAN, according to how you have it defined in your firewall. Then in address destination, you must put the public IP not the private IP, but the public IP that you are using to publish the server and service. Now in the service section, there, I recommend you only in the security rule/policy, put at Service level only the ports that you are going to publish, example Service-https ( if you are going to publish 443 ) and/or other services example Service-8080 ( You create the service example 8080/TCP ) or Service-8083 ( Same TCP/8083 ). The latter in order to only publish the strictly necessary ports and services. For example you do not want to publish RDP if it is a windows server, or 22 if it is a Linux/Unix server or some administration port that should only be limited internally. Depending on the level of subscriptions that your Firewall has, I recommend you to apply security profiles such as VP, Antivirus, Wildfire.

 

Support links:

https://www.packetswitch.co.uk/palo-alto-nat-example/#:~:text=Source%20NAT%20is%20used%20for,private%20network%20to%20the%20Internet .

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-...
Best regards

High Sticker
  • 5701 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!