Destination NAT on the Palo Alto Firewall | Part 11

  • Published: Dec 31, 2024

Comments • 38

  • @jasontemple4407 4 months ago

    First things first, this video is AWESOME! Thank you for taking the time to make it. I did however struggle using 1 IP to multiple inside addresses and ports so I figured I would post a little more info below.
    I would like to add the following information for destination NAT rules from one public IP to multiple DMZ IP addresses/ports. In order for that to work right, you must specify the original packet destination service for each NAT. For example, if you are running a web service on one server, you would specify 443, then translate to your web server inside. If you had an email server you would specify 25, then translate that to a different server on the inside.
    If you are doing a different outside port you can specify that on the Original packet tab, then on the translated packet specify the correct inside port. For example you can run a web server on 18443, but have it translate to 443 on the inside.
    Thank you again for posting this video.

    • @KeithBarker 4 months ago

      Thank you @jasontemple4407!

  • @zeyadal-qoubatty3025 1 year ago

    Here we go with one of my top IT leaders of all time 🙋‍♂. Subscribing with all gladness. And thanks for the dest NAT video tutorial 💯

  • @tariqmalik4859 3 months ago

    I just came across this video. Great job!

  • @rockinron5113 3 months ago

    Nice one Keith. Cheers.

    • @KeithBarker 3 months ago

      Thank you @rockinron5113!

  • @umarali53 4 months ago

    We have an IPSec tunnel to the client. They want to access our internal server. We provided them the public IP address. We allowed the security policies (from zone VPN to our DMZ on ports xxx allow). We also added the proxies in the IPSec tunnel and also added the route to their network.
    Now I am confused that we didn't configure any type of NAT in this case. Could you please explain why it is so?
    Thanks in advance.

  • @troysipple2591 1 year ago

    That portion with the destination zone for NAT would have got me. I had to watch the video a few times to understand what you were saying.

  • @RaajMagdum 1 year ago

    Thank you very much, it works for me.

  • @adityaprasaddash2221 1 year ago

    Sir, please make one video for U-turn NAT.

  • @joejoe2452 1 year ago

    What happened to this series? It's been 4 months. Appreciate it, Keith, please continue with this series.

    • @KeithBarker 1 year ago +1

      Thank you for the question @joejoe2452. I completed the series for Palo Alto that I intended to create here on RUclips.

  • @nersesavakyan5760 1 year ago

    Great video. What about configuring a reverse proxy in PA?

  • @mehulpruthi 1 year ago

    Please upload the Part-12 of the Palo Alto Networks Firewall: 0-60 series

    • @KeithBarker 1 year ago

      Thank you Mehul! I don't have a part 12 yet.
      Do you have a recommendation of what other content you would want for a part 12, part 13, etc???

  • @jasonmabry1877 1 year ago

    Thanks for the videos Keith. It is really helping me as a noob with no training on my new pair of 440s. I have to set up some NATs on an IPsec tunnel and am confused on how to implement source or destination NATs. Is the only difference the zones? On my tunnels, I am using an l2vpn zone as opposed to outside. Are the zones the only thing that would differ when doing NAT with an IPSec tunnel?

  • @ICEMAN_96 1 year ago

    Awesome video Keith! Do you outline your videos before you film them or do you perform them off the cuff?

  • @DomAndHeatherEVTravel 9 months ago

    Hi Keith. Thanks very much for the helpful video. Can you help me understand if the security policy relies on a Pre-NAT IP and a Post-NAT Zone because of the way that packets flow through a Palo Alto firewall? If so, is this common to other modern NGFW devices? Cheers!

    • @KeithBarker 8 months ago

      Thank you for the question @TheDrshoe28.
      This is a bit unique, configuration wise on the PA NGFW.
      Here is a copy/paste of a response I made earlier today, regarding DNAT and NAT + Security policy rules:
      For the destination NAT and Security policy rules using the following:
      real server:
        Zone: DMZ
        IP: 10.30.0.100
      DNAT RULE:
        DNAT for benefit of users coming in from:
        Zone: Outside
        to DNAT IP of 23.1.2.100
      For the NAT policy rule:
        Original Packet
          Source Zone: Outside
          Dest Zone: Outside
          IP: 23.1.2.100
        Translated Packet for DNAT
          10.30.0.100
      Security Rule allowing incoming traffic:
        Source Zone: Outside (Where clients are connecting from)
        Destination Zone: DMZ (Zone where server really is)
        Destination IP: 23.1.2.100 (Pre DNAT IP)
      Hope that is useful.
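
Added example (not from the video or from any commenter): a small Python model of the lookup order in the reply above, combined with the per-service NAT rules described in the first comment. The zone table, the 10.30.0.101 and 10.30.0.102 servers and the client address 198.51.100.7 are constructed, and the model deliberately ignores applications and services in the security rule; it is a simplification, not PAN-OS code.

```python
# Added example: simplified model of the lookup order, not PAN-OS code.
import ipaddress

# Constructed zone table: 23.1.2.0/24 is the public side, 10.30.0.0/24 the DMZ.
ZONES = {"23.1.2.0/24": "Outside", "10.30.0.0/24": "DMZ"}

def zone_of(ip):
    """Zone found by a route lookup on ip; unknown networks are Outside."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "Outside"

# NAT rules match the ORIGINAL packet: zones, public IP and original service.
# Both zones are Outside because 23.1.2.100 routes to the Outside zone.
# 10.30.0.100 is from the reply; .101 and .102 are constructed servers.
NAT_RULES = [
    {"from": "Outside", "to": "Outside", "dst": "23.1.2.100", "port": 443,
     "xlate": ("10.30.0.100", 443)},    # web server
    {"from": "Outside", "to": "Outside", "dst": "23.1.2.100", "port": 25,
     "xlate": ("10.30.0.101", 25)},     # mail server
    {"from": "Outside", "to": "Outside", "dst": "23.1.2.100", "port": 18443,
     "xlate": ("10.30.0.102", 443)},    # outside 18443 -> inside 443
]

# Security rule as given in the reply, plus two common misconfigurations.
CORRECT = [{"from": "Outside", "to": "DMZ", "dst": "23.1.2.100"}]
PRE_NAT_ZONE = [{"from": "Outside", "to": "Outside", "dst": "23.1.2.100"}]
POST_NAT_IP = [{"from": "Outside", "to": "DMZ", "dst": "10.30.0.100"}]

def evaluate(src_ip, dst_ip, dst_port, security_rules):
    """Return (action, translated (ip, port) or None) for one new session."""
    src_zone, pre_zone = zone_of(src_ip), zone_of(dst_ip)
    xlate = None
    for r in NAT_RULES:  # first matching NAT rule wins
        if (r["from"], r["to"], r["dst"], r["port"]) == (
                src_zone, pre_zone, dst_ip, dst_port):
            xlate = r["xlate"]
            break
    # Security policy sees the pre-NAT IP but the post-NAT destination zone.
    post_zone = zone_of(xlate[0]) if xlate else pre_zone
    for s in security_rules:
        if (s["from"], s["to"], s["dst"]) == (src_zone, post_zone, dst_ip):
            return ("allow", xlate)
    return ("deny", None)
```

Calling `evaluate("198.51.100.7", "23.1.2.100", 443, CORRECT)` allows the session and translates it to 10.30.0.100:443, while the same packet checked against `PRE_NAT_ZONE` or `POST_NAT_IP` is denied because the security rule no longer matches the pre-NAT IP together with the post-NAT zone.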

  • @abmanyasar 1 year ago

    Good video! Quick question: what writing digital notepad do you use for all the annotations?

    • @KeithBarker 1 year ago

      Thank you for the question abman yasar. I use Epic Pen.

  • @nub407 1 year ago

    Are you at Cisco Live! this year Keith?

    • @KeithBarker 1 year ago

      Yes! Will be at town hall square #2 at 1pm on Tuesday. :)
      Would love to say hello if you are available.

    • @nub407 1 year ago

      I missed you today. Around tomorrow?

    • @KeithBarker 1 year ago

      @nub407 I will be at the Cisco Event at the Allegiant stadium (Wed) for the first hour (till around 8:30). You can DM me through the Cisco App if you are there around that time, and I would love to say hello.

  • @RaiderFanDanTheMan 3 months ago

    Ah! Static NAT!

  • @tekx7841 1 year ago

    Hi Keith,
    I already have my PCNSA and I am currently learning for my PCNSE. It's hard for me to find good courses. Are you going to do a new PCNSE course?

    • @KeithBarker 1 year ago

      Thank you for the question TeKx.
      There is a new PCNSE course on CBTNuggets site right now. I just finished creating it a few months ago. There is also a new Palo Alto playlist here on RUclips:
      ruclips.net/p/PLQQoSBmrXmrw6njwWXSIOiWZE7La8PA5P

  • @yamunaprajapati2241 1 year ago

    Nice and helpful 👍🏻
    #AaruneticTales

  • @jonathanc8879 9 months ago

    The way I understand it: The Destination Zone is where the host lives, the Destination Address is the virtual IP.

    • @jonathanc8879 9 months ago

      Destination IP is the virtual IP rather than the host's IP.

    • @KeithBarker 8 months ago

      Thank you @jonathanc8879!
      For the destination NAT and Security policy rules using the following:
      real server:
        Zone: DMZ
        IP: 10.30.0.100
      DNAT RULE:
        DNAT for benefit of users coming in from:
        Zone: Outside
        to DNAT IP of 23.1.2.100
      For the NAT policy rule:
        Original Packet
          Source Zone: Outside
          Dest Zone: Outside
          IP: 23.1.2.100
        Translated Packet for DNAT
          10.30.0.100
      Security Rule allowing incoming traffic:
        Source Zone: Outside (Where clients are connecting from)
        Destination Zone: DMZ (Zone where server really is)
        Destination IP: 23.1.2.100 (Pre DNAT IP)

  • @altafkhan1222 1 year ago

    Whenever you come to Mumbai in India would love to host you.

  • @GlitterMaffiaMobBoss 8 months ago

    WTH did you just say? WHAT??