Paloalto NAT examples
From Notes_Wiki
Revision as of 05:46, 8 September 2023
NAT of public IP to private IP on a few ports
To NAT a public IP:port to a private IP:port:
- Create a WAN to WAN security rule with the NATed public IP as destination, allowing all services and all ports.
- Create a NAT rule from WAN to LAN with source IP "any" and destination IP the WAN public IP, and set the translated destination IP to the LAN IP. In this NAT rule choose only the specific services required. Note that a NAT rule can reference only one service-group, so all the required services (TCP/UDP) must be grouped into a single service group, which is then configured in the NAT rule.
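As an added worked example (not part of the original wiki page), the following Python script renders PAN-OS set-format commands for the steps above: one service object per forwarded port, exactly one service group holding all of them, the NAT rule, and the security rule. All names, IPs and ports are constructed, the zone pairing is the one given in the steps (parameters, so it can be changed to match your own zones), and the command syntax is the PAN-OS set format as recalled here, so check it in configure mode before committing.

```python
"""Render PAN-OS set-format commands for a destination NAT that exposes a
few TCP/UDP ports of a private host behind one public IP.

Hypothetical example: zone names, rule names, addresses and ports are
constructed. The zone pairing (security rule WAN->WAN, NAT rule WAN->LAN)
follows the steps on the page; adjust the parameters to your zone layout.
"""
from typing import Iterable, List, Tuple

ALLOWED_PROTOCOLS = ("tcp", "udp")


def normalize_ports(ports: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Validate, lower-case and de-duplicate (protocol, port) pairs, sorted."""
    seen = set()
    for proto, port in ports:
        proto = proto.lower()
        if proto not in ALLOWED_PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto}")
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        seen.add((proto, port))
    return sorted(seen)


def build_dnat_config(
    public_ip: str,
    lan_ip: str,
    ports: Iterable[Tuple[str, int]],
    group: str = "svc-grp-dnat",
    nat_rule: str = "dnat-public-to-lan",
    sec_rule: str = "allow-dnat-public",
    nat_from: str = "WAN",   # zone pairing as given in the page's steps
    nat_to: str = "LAN",
    sec_from: str = "WAN",
    sec_to: str = "WAN",
) -> List[str]:
    """Return the ordered list of set commands for the port-forward."""
    services = normalize_ports(ports)
    if not services:
        raise ValueError("at least one (protocol, port) pair is required")
    cmds: List[str] = []
    names: List[str] = []
    for proto, port in services:
        name = f"{proto}-{port}"
        names.append(name)
        cmds.append(f"set service {name} protocol {proto} port {port}")
    # A NAT rule can reference exactly one service or service-group, so every
    # forwarded port is collected into this single group.
    cmds.append(f"set service-group {group} members [ {' '.join(names)} ]")
    cmds.append(
        f"set rulebase nat rules {nat_rule} from {nat_from} to {nat_to} "
        f"source any destination {public_ip} service {group} "
        f"destination-translation translated-address {lan_ip}"
    )
    # The security rule matches the pre-NAT public IP and allows all services.
    cmds.append(
        f"set rulebase security rules {sec_rule} from {sec_from} to {sec_to} "
        f"source any destination {public_ip} application any service any action allow"
    )
    return cmds


def nat_services(commands: Iterable[str]) -> List[str]:
    """Return the service (object or group) referenced by each NAT rule line,
    taken from its 'service <name>' token pair. Useful to confirm that every
    NAT rule points at one group instead of a list of services."""
    refs = []
    for cmd in commands:
        if cmd.startswith("set rulebase nat rules "):
            tokens = cmd.split()
            refs.append(tokens[tokens.index("service") + 1])
    return refs


if __name__ == "__main__":
    # Constructed sample: expose HTTPS and SIP/UDP of 10.10.10.10 on 203.0.113.10.
    for line in build_dnat_config("203.0.113.10", "10.10.10.10",
                                  [("TCP", 443), ("udp", 5060), ("tcp", 443)]):
        print(line)
```

Running the script prints the commands ready to paste into configure mode; duplicate entries such as the repeated ("tcp", 443) collapse into one service object, and nat_services() is the quick review check that the NAT rule references a single service group.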
Outgoing SNAT for each ISP
- For each ISP write a SNAT rule tied to that ISP's interface so that outgoing packets are NATed to the ISP IP (interface IP). These can be the top rules in the NAT section, placed before the incoming NAT rules.
- For each ISP also add a static route for 0.0.0.0/0 towards the ISP gateway in the virtual router.
  - For PPPoE select the interface with a next hop value of 'None'.
  - While adding this route enable path monitoring with a few IPs such as 8.8.8.8* that can be pinged to check whether the ISP is up. When monitoring over PPPoE use the DHCP client IP address as the source IP for monitoring.
  - After committing, clicking "runtime stats.." against the virtual router shows the status of the path monitoring that has been set up.
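As an added worked example (not part of the original wiki page), the following Python script renders the per-ISP part of the above as PAN-OS set-format commands: one interface-address SNAT rule per ISP, moved to the top of the NAT rulebase, and one 0.0.0.0/0 static route per ISP with path monitoring, using the client IP as monitor source and no next hop for a PPPoE link. Interface names, zone names, addresses and monitor targets are constructed; the rule and route command syntax is the set format as recalled here, and the path-monitor stanza in particular is an assumption to be checked against the running PAN-OS version.

```python
"""Render PAN-OS set-format commands for per-ISP outgoing SNAT rules plus a
default static route with path monitoring for each ISP.

Hypothetical example: interface names, zones, addresses and monitor targets
are constructed. The path-monitor command layout is an assumption; confirm it
with '?' completion in configure mode on the firewall you manage.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Isp:
    name: str
    interface: str
    gateway: Optional[str]        # None for PPPoE: route keeps next hop 'None'
    monitor_source: str           # DHCP/PPPoE client IP on that interface
    monitor_targets: List[str] = field(default_factory=lambda: ["8.8.8.8"])
    metric: int = 10              # lower metric = preferred ISP


def snat_rules(isps: List[Isp], lan_zone: str = "LAN", wan_zone: str = "WAN") -> List[str]:
    """SNAT rule per ISP, bound to the egress interface so two ISPs in the same
    WAN zone each translate to their own interface IP. The rules are then moved
    to the top of the NAT rulebase, ahead of any incoming NAT rules."""
    cmds = []
    for isp in isps:
        cmds.append(
            f"set rulebase nat rules snat-{isp.name} from {lan_zone} to {wan_zone} "
            f"source any destination any to-interface {isp.interface} "
            f"source-translation dynamic-ip-and-port interface-address "
            f"interface {isp.interface}"
        )
    # Move in reverse so the first ISP in the list ends up at the very top.
    for isp in reversed(isps):
        cmds.append(f"move rulebase nat rules snat-{isp.name} top")
    return cmds


def static_routes(isps: List[Isp], vr: str = "default") -> List[str]:
    """Default route per ISP plus path monitoring; a failed monitor withdraws
    that route so the next-best metric takes over."""
    cmds = []
    for isp in isps:
        base = f"set network virtual-router {vr} routing-table ip static-route to-{isp.name}"
        route = f"{base} destination 0.0.0.0/0 interface {isp.interface} metric {isp.metric}"
        if isp.gateway is not None:
            route += f" nexthop ip-address {isp.gateway}"   # omitted for PPPoE
        cmds.append(route)
        cmds.append(f"{base} path-monitor enable yes failure-condition any hold-time 2")
        for i, target in enumerate(isp.monitor_targets, start=1):
            cmds.append(
                f"{base} path-monitor monitor-destinations mon-{isp.name}-{i} enable yes "
                f"source {isp.monitor_source} destination {target} interval 3 count 5"
            )
    return cmds


def build_isp_config(isps: List[Isp]) -> List[str]:
    """All commands for the ISPs, SNAT rules first, then routes."""
    return snat_rules(isps) + static_routes(isps)


def route_for(commands: List[str], interface: str) -> str:
    """Return the 0.0.0.0/0 route command for an interface (review helper)."""
    for cmd in commands:
        if "destination 0.0.0.0/0" in cmd and f"interface {interface} " in cmd:
            return cmd
    raise KeyError(interface)


if __name__ == "__main__":
    # Constructed sample: a static-IP ISP on ethernet1/1 and a PPPoE ISP on ethernet1/2.
    sample = [
        Isp("ISP1", "ethernet1/1", "203.0.113.1", "203.0.113.10"),
        Isp("ISP2", "ethernet1/2", None, "198.51.100.7", ["8.8.8.8", "1.1.1.1"], metric=20),
    ]
    for line in build_isp_config(sample):
        print(line)
```

Giving each ISP's default route a different metric means the preferred ISP carries traffic while its monitor passes and the other route is used only once path monitoring withdraws the first; the SNAT rules stay correct in either case because each is bound to its own egress interface.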