Destination NAT on the Palo Alto Firewall | Part 11
- Published: 13 Sep 2024
- Full Palo Alto 0-60 Playlist:
👉🏻 • 🔥 Firewall Frenzy: Unl...
Watch the previous video in the playlist: • How To Use A Trusted C...
Watch the next video in the playlist:
I'm Keith Barker, a 2x CCIE (Cisco Certified Internetwork Expert).
I'm your guy if you are:
👉 New to IT and don't know where to start
👉 Currently in IT and want to learn more advanced ideas
👉 Anyone who wants to learn about the basics of technology in general
I believe that anyone can improve their situation by gaining new skills, especially in information technology.
New videos weekly!
🆓 Free Packet Tracer Labs download: thekeithbarker...
Enjoy, Like, and Subscribe. 😃
Free RUclips Playlists from Keith:
▶ Cisco CCNA 200-301 ogit.online/sloth
🔐 Cisco CCNA 200-301 Security ogit.online/20...
💻 Cisco CCNA 200-301 IPv4 Subnetting ogit.online/su...
💬 Join our Discord server (free) ogit.online/Jo...
🏪 Keith Barker Amazon Affiliate Store www.amazon.com...
🏫 Keith’s Content at CBT Nuggets ogit.online/Ke...
First things first, this video is AWESOME! Thank you for taking the time to make it. I did, however, struggle using one IP to multiple inside addresses and ports, so I figured I would post a little more info below.
I would like to add the following information for destination NAT rules from one public IP to multiple DMZ IP addresses/ports. In order for that to work right, you must specify the Original Packet destination service for each NAT rule. For example, if you are running a web service on one server, you would specify 443, then translate to your web server inside. If you had an email server, you would specify 25, then translate that to a different server on the inside.
If you are using a different outside port, you can specify that on the Original Packet tab, then on the Translated Packet tab specify the correct inside port. For example, you can run a web server on 18443 but have it translate to 443 on the inside.
Thank you again for posting this video.
Thank you @jasontemple4407!
That portion with the destination zone for NAT would have got me. I had to watch the video a few times to understand what you were saying.
Thank you Troy Sipple!
Here we go with one of my top IT leaders of all time 🙋♂. Subscribing gladly. And thanks for the dest NAT video tutorial 💯
We have an IPSec tunnel to the client. They want to access our internal server. We provided them the public IP address. We allowed the security policies (from zone VPN to our DMZ on ports xxx, allow). We also added the proxies in the IPSec tunnel and also added the route to their network.
Now I am confused that we didn't configure any type of NAT in this case. Could you please explain why that is?
Thanks in advance.
Thank you very much it works for me
Glad to hear that
What happened to this series? It's been 4 months? Appreciate it Keith, please continue with this series.
Thank you for the question @joejoe2452. I completed the series for Palo Alto that I intended to create here on RUclips.
Awesome video Keith! Do you outline your videos before you film them or do you perform them off the cuff?
The way I understand it: The Destination Zone is where the host lives, the Destination Address is the virtual IP.
Destination IP is the virtual IP rather than the host's IP.
Thank you @jonathanc8879!
For the destination NAT and Security policy rules using the following:
real server:
Zone: DMZ
IP: 10.30.0.100
DNAT RULE:
DNAT for the benefit of users coming in from:
Zone: Outside
to DNAT IP of 23.1.2.100
For the NAT policy rule:
Original Packet
Source Zone: Outside
Dest Zone: Outside
IP: 23.1.2.100
Translated Packet for DNAT
10.30.0.100
Security Rule allowing incoming traffic:
Source Zone: Outside (Where clients are connecting from)
Destination Zone: DMZ (Zone where server really is)
Destination IP: 23.1.2.100 (Pre DNAT IP)
Hi Keith. Thanks very much for the helpful video. Can you help me understand if the security policy relies on a Pre-NAT IP and a Post-NAT Zone because of the way that packets flow through a Palo Alto firewall? If so, is this common of other modern NGFW devices? Cheers!
Thank you for the question @TheDrshoe28.
This is a bit unique, configuration wise on the PA NGFW.
Here is a copy/paste of a response I made earlier today, regarding DNAT and NAT + Security policy rules:
For the destination NAT and Security policy rules using the following:
real server:
Zone: DMZ
IP: 10.30.0.100
DNAT RULE:
DNAT for the benefit of users coming in from:
Zone: Outside
to DNAT IP of 23.1.2.100
For the NAT policy rule:
Original Packet
Source Zone: Outside
Dest Zone: Outside
IP: 23.1.2.100
Translated Packet for DNAT
10.30.0.100
Security Rule allowing incoming traffic:
Source Zone: Outside (Where clients are connecting from)
Destination Zone: DMZ (Zone where server really is)
Destination IP: 23.1.2.100 (Pre DNAT IP)
Hope that is useful.
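The lookup order that Keith's reply describes (the NAT rule matched on the original packet's zones and address, the security rule matched on the pre-NAT address but the post-NAT zone), modelled as an added Python example. This is illustration code, not PAN-OS code and not from the video: it uses the thread's zones and addresses (Outside, DMZ, 23.1.2.100 translated to 10.30.0.100) and adds the per-port cases from @jasontemple4407's comment (a second server on port 25, and 18443 on the outside translated to 443 inside). The route table, the client IP 203.0.113.5, the mail server address 10.30.0.25 and all rule names are assumptions made for the example.

```python
"""Model of the PAN-OS lookup order for inbound destination NAT.

Added illustration only (not PAN-OS code and not from the video).  Zones and
addresses come from the thread (Outside, DMZ, 23.1.2.100 -> 10.30.0.100); the
mail server, the 18443 -> 443 case, the route table, the client IP and the
rule names are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed route table: (prefix, zone of the egress interface).  No zone is
# ever typed into a NAT rule's Translated Packet; the firewall *derives* the
# destination zone by routing the destination address.
ROUTES = [
    (ip_network("10.30.0.0/24"), "DMZ"),
    (ip_network("0.0.0.0/0"), "Outside"),   # default route; 23.1.2.100 is reached here
]


def zone_for(ip: str) -> str:
    """Longest-prefix route lookup -> zone name."""
    addr = ip_address(ip)
    net = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[net]


@dataclass
class NatRule:
    name: str
    from_zone: str        # Original Packet: source zone
    to_zone: str          # Original Packet: destination zone = zone of the PRE-NAT address
    dst_ip: str           # Original Packet: destination address
    dst_port: int         # Original Packet: service (one rule per public port)
    xlate_ip: str         # Translated Packet: address
    xlate_port: Optional[int] = None   # Translated Packet: port; None keeps the original


@dataclass
class SecRule:
    name: str
    from_zone: str        # where the clients connect from
    to_zone: str          # POST-NAT zone: where the server really lives
    dst_ip: str           # PRE-NAT destination address (the public IP)
    dst_port: int         # PRE-NAT destination port
    action: str


NAT_RULES = [
    NatRule("dnat-web", "Outside", "Outside", "23.1.2.100", 443, "10.30.0.100"),
    NatRule("dnat-mail", "Outside", "Outside", "23.1.2.100", 25, "10.30.0.25"),
    NatRule("dnat-alt-web", "Outside", "Outside", "23.1.2.100", 18443, "10.30.0.100", 443),
]

SEC_RULES = [
    SecRule("allow-web-in", "Outside", "DMZ", "23.1.2.100", 443, "allow"),
    SecRule("allow-mail-in", "Outside", "DMZ", "23.1.2.100", 25, "allow"),
    SecRule("allow-alt-web-in", "Outside", "DMZ", "23.1.2.100", 18443, "allow"),
]

# Two tempting but wrong ways to write the inbound rule: the post-NAT address,
# or the pre-NAT zone.  Neither ever matches, so the session hits the implicit deny.
WRONG_SEC_RULES = [
    SecRule("wrong-post-nat-ip", "Outside", "DMZ", "10.30.0.100", 443, "allow"),
    SecRule("wrong-pre-nat-zone", "Outside", "Outside", "23.1.2.100", 443, "allow"),
]


def process(src_ip: str, dst_ip: str, dst_port: int, sec_rules=SEC_RULES) -> dict:
    """Walk one new inbound session through the lookups in PAN-OS order."""
    src_zone = zone_for(src_ip)              # ingress zone (simplified: routed from the source IP)
    pre_nat_zone = zone_for(dst_ip)          # 1st route lookup, on the ORIGINAL destination
    nat = next((r for r in NAT_RULES
                if (r.from_zone, r.to_zone, r.dst_ip, r.dst_port)
                == (src_zone, pre_nat_zone, dst_ip, dst_port)), None)
    xlate_ip = nat.xlate_ip if nat else dst_ip
    xlate_port = (nat.xlate_port or dst_port) if nat else dst_port
    post_nat_zone = zone_for(xlate_ip)       # 2nd route lookup, on the TRANSLATED destination
    sec = next((r for r in sec_rules
                if (r.from_zone, r.to_zone, r.dst_ip, r.dst_port)
                == (src_zone, post_nat_zone, dst_ip, dst_port)), None)   # pre-NAT IP and port
    return {
        "nat_rule": nat.name if nat else None,
        "translated_dst": (xlate_ip, xlate_port),
        "security_dst_zone": post_nat_zone,
        "security_rule": sec.name if sec else None,
        "action": sec.action if sec else "deny",   # implicit interzone deny
    }


if __name__ == "__main__":
    for port in (443, 25, 18443, 8080):
        print(port, process("203.0.113.5", "23.1.2.100", port))
    print("wrong rules:", process("203.0.113.5", "23.1.2.100", 443, WRONG_SEC_RULES))
```

Running it shows the three public ports land on two different DMZ servers with 18443 rewritten to 443, an unmatched port 8080 gets no NAT and no security match, and both `WRONG_SEC_RULES` variants fall through to deny: the security rule has to name the DMZ zone together with the public 23.1.2.100 address, exactly as in the reply above.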
Thanks for the videos Keith. It is really helping me as a noob with no training on my new pair of 440s. I have to set up some NATs on an IPsec tunnel and am confused on how to implement source or destination NATs. Is the only difference the zones? On my tunnels, I am using an l2vpn zone as opposed to outside. Are the zones the only thing that would differ when doing NAT with an IPSec tunnel?
Sir, please make one video for U-turn NAT.
Please upload the Part-12 of the Palo Alto Networks Firewall: 0-60 series
Thank you Mehul! I don't have a part 12 yet.
Do you have a recommendation of what other content you would want for a part 12, part 13, etc???
Great video. What about configuring a reverse proxy on a PA?
Good video! Quick question: what writing digital notepad do you use for all the annotations?
Thank you for the question abman yasar. I use Epic Pen.
Nice and helpful 👍🏻
#AaruneticTales
Hi Keith,
I have already my PCNSA and I am currently learning for my PCNSE. It's hard for me to find good courses. Are you going to do a new PCNSE course?
Thank you for the question TeKx.
There is a new PCNSE course on CBTNuggets site right now. I just finished creating it a few months ago. There is also a new Palo Alto playlist here on RUclips:
ruclips.net/p/PLQQoSBmrXmrw6njwWXSIOiWZE7La8PA5P
Are you at Cisco Live! this year Keith?
Yes! Will be at town hall square #2 at 1pm on Tuesday. :)
Would love to say hello if you are available.
I missed you today. Around tomorrow?
@nub407 I will be at the Cisco Event at the Allegiant stadium (Wed) for the first hour (till around 8:30). You can DM me through the Cisco App if you are there around that time, and I would love to say hello.
Whenever you come to Mumbai in india would love to host you.
Thank you Altaf Khan!
WTH did you just say? WHAT??