04-07-2012 01:06 AM
wolfgang.paul already did that in the first post.
This is how I interpret what Wolfgang wants to do:
Set up a DNAT (destination NAT) for incoming traffic on a particular port (on the untrust interface) to be forwarded to a particular host (on the trusted interface).
This is what you need to do to accomplish the above:
1) Set up a DNAT rule in Policies -> NAT:
Original packet:
srczone: Internet
dstzone: Internet
dstinterface: int1 (or wherever you have Internet connected)
srcadr: 0.0.0.0/0 (assuming you want anyone from Internet to use this DNAT rule)
dstadr: <internetip>
service: TCP52516
Translated packet:
srctrans: none
dsttrans: <dmzip>:52516
2) Set up a security rule that will allow the translated traffic:
If I'm not mistaken, the security rule acts after the NAT engine has done its work (DNAT will be processed twice, but this doesn't matter for the security rule):
srczone: Internet
dstzone: DMZ
srcadr: 0.0.0.0/0
dstadr: <dmzip>
appid: web-browsing (or use "any" to identify which app PA will match for the flow and use that appid)
service: TCP52516 (I prefer to limit which ports each app is allowed to use; if not possible, then at least use "default-application" instead of "any").
action: allow (and log on session start as debug which later can be changed to just on session end)
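The two-step evaluation the reply describes (NAT rule matched on the original packet, security rule matched on the translated flow, implicit deny otherwise), as an added Python illustration that is not part of the original post or of PAN-OS. The addresses standing in for <internetip> and <dmzip>, the DMZ subnet, and the first-match semantics are constructed assumptions.

```python
import ipaddress

# Constructed placeholders for <internetip> and <dmzip> (assumed, not from the post).
INTERNET_IP = "203.0.113.10"
DMZ_IP = "192.168.50.20"
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed DMZ subnet

# Step 1 rule, mirroring the "Original packet" / "Translated packet" fields above.
NAT_RULES = [
    {"name": "DNAT-52516", "srczone": "Internet", "dstzone": "Internet",
     "srcadr": "0.0.0.0/0", "dstadr": INTERNET_IP, "service": ("tcp", 52516),
     "dsttrans": (DMZ_IP, 52516)},
]

# Step 2 rule, mirroring the security rule fields above.
SECURITY_RULES = [
    {"name": "Allow-52516", "srczone": "Internet", "dstzone": "DMZ",
     "srcadr": "0.0.0.0/0", "dstadr": DMZ_IP, "service": ("tcp", 52516),
     "action": "allow"},
]

def zone_of(ip):
    """Zone lookup by address: DMZ subnet -> DMZ, anything else -> Internet."""
    return "DMZ" if ipaddress.ip_address(ip) in DMZ_NET else "Internet"

def _matches(rule, pkt):
    return (rule["srczone"] == pkt["srczone"] and rule["dstzone"] == pkt["dstzone"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["srcadr"])
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["dstadr"])
            and rule["service"] == (pkt["proto"], pkt["dport"]))

def apply_dnat(pkt):
    """Rewrite destination per the first matching NAT rule; unchanged if none matches."""
    for rule in NAT_RULES:
        if _matches(rule, pkt):
            dst, dport = rule["dsttrans"]
            return {**pkt, "dst": dst, "dport": dport, "dstzone": zone_of(dst)}
    return pkt

def evaluate(pkt):
    """Security policy is evaluated on the translated flow; no match means interzone deny."""
    translated = apply_dnat(pkt)
    for rule in SECURITY_RULES:
        if _matches(rule, translated):
            return rule["action"], translated
    return "deny", translated

# Constructed sample: an Internet client connecting to the public IP on TCP/52516.
SAMPLE = {"src": "198.51.100.7", "srczone": "Internet", "dst": INTERNET_IP,
          "dstzone": "Internet", "proto": "tcp", "dport": 52516}
```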