Difference between revisions of "Paloalto NAT examples"
From Notes_Wiki
m |
m |
||
Line 1: | Line 1: | ||
[[Main_Page|Home]] > [[Enterprise security devices or applications]] > [[Paloalto firewall]] > [[Paloalto NAT examples]] | [[Main_Page|Home]] > [[Enterprise security devices or applications]] > [[Paloalto firewall]] > [[Paloalto NAT examples]] | ||
= | =DNAT of public IP to private IP on a few ports= | ||
To NAT a public IP:port to private IP:port use: | To NAT a public IP:port to private IP:port use: | ||
# Create WAN to | # Create WAN to LAN Security rule with destination as NATed public IP with all services and all ports | ||
# Create | # Create DNAT rule from WAN to WAN with source IP as any and destination IP as WAN public IP. After NAT change the destination IP | ||
to LAN IP. Here in NAT choose only specific services. Note that we can only choose one service-group. Hence we need to group all services (TCP/UDP) in a single service group and then configure it in NAT. | to LAN IP. Here in NAT choose only specific services. Note that we can only choose one service-group. Hence we need to group all services (TCP/UDP) in a single service group and then configure it in NAT. | ||
Latest revision as of 04:24, 15 October 2023
Home > Enterprise security devices or applications > Paloalto firewall > Paloalto NAT examples
DNAT of public IP to private IP on a few ports
To NAT a public IP:port to private IP:port use:
- Create WAN to LAN Security rule with destination as NATed public IP with all services and all ports
- Create DNAT rule from WAN to WAN with source IP as any and destination IP as WAN public IP. After NAT change the destination IP
to LAN IP. Here in NAT choose only specific services. Note that we can only choose one service-group. Hence we need to group all services (TCP/UDP) in a single service group and then configure it in NAT.
Outgoing SNAT for each ISP
- For each ISP we need to write a SNAT rule related to that ISP interface to NAT ougoing packets with ISP IP (Interface IP). These can be top rules in the NAT section before other incoming NAT are configured.
- For each ISP we also need to add a static route for 0.0.0.0/0 towards ISP gateway in virtual router.
- For PPPoE we need to select interface with next hop value of 'None'.
- While adding this route we must enable path monitoring and a few IPs such as 8.8.8.8* that can be pinged to check whether ISP is up or not. While monitoring for PPPoE use DHCP client IP address as source IP in monitoring.
- After committing if we click "runtime stats.." against virtual router we can see status of these path monitoring that we have setup.
Home > Enterprise security devices or applications > Paloalto firewall > Paloalto NAT examples