
wolfgang.paul already did that in the first post.

This is how I interpret what Wolfgang wants to do:

Set up a DNAT (destination NAT) rule for incoming traffic on a particular port (on the untrust interface) to be forwarded to a particular host (on the trusted interface).

This is what you need to do to accomplish the above:

1) Set up a DNAT rule in Policies -> NAT:

Original packet:

srczone: Internet

dstzone: Internet

dstinterface: int1 (or wherever you have Internet connected)

srcadr: 0.0.0.0/0 (assuming you want anyone from Internet to use this DNAT rule)

dstadr: <internetip>

service: TCP52516

Translated packet:

srctrans: none

dsttrans: <dmzip>:52516

2) Set up a security rule that will allow the translated traffic:

If I'm not mistaken, the security rule acts after the NAT engine has done its work (DNAT will be processed twice, but this doesn't matter for the security rule):

srczone: Internet

dstzone: DMZ

srcadr: 0.0.0.0/0

dstadr: <dmzip>

appid: web-browsing (or use "any" to identify which app PA will match for the flow and use that appid)

service: TCP52516 (I prefer to limit which ports each app is allowed to use; if that is not possible, then at least use "application-default" instead of "any").

action: allow (and log on session start as debug which later can be changed to just on session end)

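The two rules above, written as PAN-OS firewall CLI `set` commands in configuration mode. This is an added example, not part of the original post. The zone names Internet and DMZ and the service name TCP52516 come from the post; the address object names, the IPs 203.0.113.10 (public) and 192.168.50.10 (DMZ host), the interface ethernet1/1 and the rule names are assumptions. One caveat a practitioner should keep in mind: PAN-OS matches security policy on the post-NAT zones but the pre-NAT (original) destination address, so the security rule's destination below is the public IP object, not the DMZ host address.

```text
# Assumed example configuration (not from the original post).
# Enter configuration mode on the firewall CLI first.
configure

# Address objects (IPs are assumptions; 203.0.113.0/24 is a documentation range)
set address Public-IP ip-netmask 203.0.113.10/32
set address DMZ-Host  ip-netmask 192.168.50.10/32

# Custom service for the forwarded port
set service TCP52516 protocol tcp port 52516

# 1) DNAT rule: original packet arrives on the Internet zone/interface
#    destined for the public IP, and is translated to the DMZ host.
#    Source zone and destination zone are both Internet because the
#    pre-NAT destination (the public IP) routes out of the untrust interface.
set rulebase nat rules DNAT-TCP52516 from Internet to Internet to-interface ethernet1/1
set rulebase nat rules DNAT-TCP52516 source any destination Public-IP service TCP52516
set rulebase nat rules DNAT-TCP52516 destination-translation translated-address DMZ-Host translated-port 52516

# 2) Security rule: post-NAT zones (Internet -> DMZ), pre-NAT destination
#    address (Public-IP). Application and service are both pinned so the
#    port cannot be reused by an unexpected application.
set rulebase security rules Allow-DNAT-TCP52516 from Internet to DMZ
set rulebase security rules Allow-DNAT-TCP52516 source any destination Public-IP
set rulebase security rules Allow-DNAT-TCP52516 application web-browsing service TCP52516
set rulebase security rules Allow-DNAT-TCP52516 action allow log-start yes log-end yes

commit
```

After the commit, `show session all filter destination-port 52516` lists the live sessions on that port with the translated destination and the application that App-ID assigned, which is the quickest way to confirm the NAT rule fired and to pick the right application for the security rule if web-browsing turns out not to be the one matched. Once the rule is known to work, `log-start` can be set back to `no` to reduce log volume.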