Palo Alto Networks: How to configure NAT with port translation to publish a server to the internet when the WAN IP is dynamic

1. Purpose of the article

In network administration, publishing a server to the internet through NAT is essential for remote administration.

But how can you publish several devices to the internet when they all use the same administrative access port?

In this article, techbast will show how to configure NAT with port translation so that servers can be published to the internet even though they share the same administrative port.

The article also shows how to configure DDNS on Palo Alto devices, which provides a solution when the internet connection has a dynamic IP.

2. Network diagram

Details:

  • As shown in the diagram, the Palo Alto firewall is connected to the internet by PPPoE on port E1/1 with a dynamic IP of 14.169.x.x.
  • Behind the Palo Alto is the LAN segment with the static IP address 172.16.31.1/24 set on port E1/5. A DHCP server is configured on port E1/5 to allocate IPs to the devices connected to it.
  • Next is a VMware ESXi server located in the LAN segment with IP address 172.16.31.10/24; this VMware ESXi server is managed through a web interface over HTTPS.
  • Finally, there is a computer outside on the internet; this computer can be anywhere on the internet.

3. Configuration scenario

As you can see, both the Palo Alto firewall admin page and the VMware ESXi server are accessed on port 443.

Therefore, if we do 1:1 NAT, we will only be able to publish one of the two devices to the internet.

So in this article techbast will publish the VMware ESXi server to the internet on port 442, so that the administrator can access the admin page of both devices.

There is one problem: the device's WAN IP is dynamic and can change at any time, which would make the initial configuration stop working.

So in this article, in addition to the NAT port translation guide, we will use a dynamic DNS service, which gives us a domain name of our choice and automatically updates it when the WAN IP changes.

4. Steps to take

  • Configure DDNS
  • Create Address Objects
  • Create Service Objects
  • Create NAT rule
  • Create Security policy
  • Result

5. Configuration

5.1 Configure DDNS

  • First, to use a DDNS service we need to create an account; in this article the DDNS service used is No-IP.
  • To create an account, go to the following link: https://www.noip.com/.
  • After successfully creating or logging in with the No-IP account, we will create a No-IP hostname.
  • To create a No-IP hostname, go to Dynamic DNS > No-IP Hostnames > Create Hostname.
  • The Create a Hostname form appears; enter the following information:
    • Hostname: the name that you want, here vacifcoltd.
    • Domain: select ddns.net.
    • Record type: select DNS Host (A).
    • IPv4 Address: enter the WAN IP, here 14.169.x.x.
  • Click Create Hostname.
  • The DDNS hostname vacifcoltd.ddns.net has been created.
  • Next, we need to configure DDNS for the ethernet1/1 internet port.
  • To configure DDNS for port ethernet1/1 we need to create a certificate. To create it, go to the Device tab > Certificate Management > Certificates > Generate and fill in the following information:
    • Certificate Type: select Local.
    • Certificate Name: enter the certificate name, here we enter CA_VPN.
    • Common Name: enter the hostname created on the No-IP page, vacifcoltd.ddns.net.
    • In the Certificate Attributes table, click Add, choose Host Name in Type and enter vacifcoltd.ddns.net in the Value column.
  • Click Generate.
  • Next we will configure DDNS for the ethernet1/1 port. Go to Network > Interfaces > select ethernet1/1 > Advanced > DDNS and configure the following parameters:
    • Check Settings and Enable.
    • In Certificate Profile, open the drop-down menu and select New Certificate Profile. The Certificate Profile panel appears; enter the name VPN_Cer in the Name field, then in the CA Certificates section click Add, select the CA_VPN certificate just created in the CA Certificate box, and click OK twice to complete.
    • In the Hostname field, enter the hostname created on No-IP: vacifcoltd.ddns.net.
    • Vendor: select No-IP v1.
    • After choosing the vendor, enter the account and password you created on the No-IP page in the table below.
  • Click OK.

5.2 Create Service Objects

We need to create a service object for port 442; to create it, go to Objects > Services.

Click Add and create according to the following parameters:

  • Name: Port_442
  • Protocol: TCP
  • Destination Port: 442
  • Click OK to save.

5.3 Create Address Objects

  • We will create two address objects: Server-public 1, whose address is the WAN port address of the device (14.169.x.x, referenced through the DDNS hostname), and webserver-private, which is the IP address of the internal web server.
  • To create them, go to Objects > Addresses > click Add and enter the following information:
    • Name : Server-public 1
    • Type : FQDN – vacifcoltd.ddns.net
  • Click OK.
  • Click Add again to create address object for web server :
    • Name : webserver-private
    • Type : IP Netmask – 172.16.31.10
  • Click OK.

5.4 Create NAT Rule

  • To create NAT rule go to Policies > NAT > Click Add.
  • In General tab configure with the following information :
    • Name: Nat_Server
    • Type: ipv4
  • In the Original Packet tab, enter the following parameters:
    • Source Zone: WAN
    • Destination Zone: WAN
    • Destination Interface: ethernet1/1
    • Service : Port_442
    • Source Address: Any
    • Destination Address: Server-public 1
  • In the Translated Packet tab, the Destination Translation section is configured as follows:
    • Translation Type: Static IP
    • Translation Address: 172.16.31.10
    • Translation Port: 443
  • Click OK.

5.5 Create Security policy

  • Create a Security policy to allow traffic from the WAN zone into the LAN zone.
  • Go to Policies > Security > Click Add.
  • In the General tab, configure the following parameters:
    • Name: Webserver access
    • Rule Type: universal (default)
  • Source tab :
    • Source Zone : WAN
    • Source Address : Any
  • Destination tab :
    • Destination Zone : LAN
    • Destination Address : Server-public 1
  • Application tab :
    • Select Any
  • Service/URL Category tab:
    • Service: select Port_442; URL Category: Any
  • Action :
    • Log Setting : select Log at Session End
    • Action Setting : Allow
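To make clear why the NAT rule names WAN as the destination zone while the security policy names LAN but still matches on Server-public 1 and Port_442, the following added example (written for this page, not PAN-OS code or techbast's own configuration) models the lookup order the firewall applies to an inbound packet: NAT match on pre-NAT zone and address, then security policy match on the post-NAT zone but pre-NAT address and service. It also models the FQDN address object from 5.3 being re-resolved after a DDNS update, which is the point of 5.1. The DNS table, the sample client address 203.0.113.5, the placeholder WAN address 14.169.0.1 (standing in for 14.169.x.x) and the zone layout are constructed assumptions; the object names, ports and translated address are the article's.

```python
"""Constructed model of the NAT and security-policy lookup built in this article.

The object names, zones, ports and translated address are the article's own
values; the DNS table, the sample packets and the evaluation logic are
assumptions made for illustration and are not PAN-OS code.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Stand-in for the DNS lookup the firewall performs for an FQDN address
# object. 14.169.0.1 is a placeholder for the article's 14.169.x.x WAN IP.
DNS = {"vacifcoltd.ddns.net": "14.169.0.1"}

ADDRESS_OBJECTS = {  # Objects > Addresses
    "Server-public 1": {"type": "fqdn", "value": "vacifcoltd.ddns.net"},
    "webserver-private": {"type": "ip-netmask", "value": "172.16.31.10"},
}
SERVICES = {"Port_442": ("tcp", 442)}  # Objects > Services

NAT_RULE = {  # Policies > NAT > Nat_Server
    "from_zone": "WAN", "to_zone": "WAN", "to_interface": "ethernet1/1",
    "service": "Port_442", "dst": "Server-public 1",
    "translated_ip": "172.16.31.10", "translated_port": 443,
}
SECURITY_RULE = {  # Policies > Security > Webserver access
    "from_zone": "WAN", "to_zone": "LAN",
    "dst": "Server-public 1", "service": "Port_442", "action": "allow",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Assumed zone layout from the diagram: 172.16.31.0/24 is LAN, the rest is WAN."""
    return "LAN" if ip_address(ip) in ip_network("172.16.31.0/24") else "WAN"


def resolve(name: str) -> str:
    """FQDN objects are resolved when the rule is evaluated, so a DDNS update
    changes the matched IP without editing any rule."""
    obj = ADDRESS_OBJECTS[name]
    return DNS[obj["value"]] if obj["type"] == "fqdn" else obj["value"]


def ddns_update(hostname: str, new_ip: str) -> None:
    """Simulates No-IP receiving a new WAN address from the ethernet1/1 DDNS client."""
    DNS[hostname] = new_ip


def apply_nat(pkt: Packet, rule: dict = NAT_RULE) -> Optional[Packet]:
    """NAT rules match on PRE-NAT zones and the PRE-NAT destination address;
    on a match the destination IP and port are rewritten."""
    proto, port = SERVICES[rule["service"]]
    if (zone_of(pkt.src) == rule["from_zone"]
            and zone_of(pkt.dst) == rule["to_zone"]
            and pkt.dst == resolve(rule["dst"])
            and (pkt.proto, pkt.dport) == (proto, port)):
        return replace(pkt, dst=rule["translated_ip"], dport=rule["translated_port"])
    return None


def evaluate_security(pre: Packet, post: Packet, rule: dict = SECURITY_RULE) -> str:
    """Security policy uses the POST-NAT destination zone (LAN) but the
    PRE-NAT destination address and service (Server-public 1, Port_442),
    which is why the two rules on the page name different zones."""
    proto, port = SERVICES[rule["service"]]
    if (zone_of(pre.src) == rule["from_zone"]
            and zone_of(post.dst) == rule["to_zone"]
            and pre.dst == resolve(rule["dst"])
            and (pre.proto, pre.dport) == (proto, port)):
        return rule["action"]
    return "deny"  # interzone default when no rule matches


def forward(pkt: Packet) -> Tuple[str, Packet]:
    """Whole path for one inbound packet: NAT lookup, then security lookup."""
    post = apply_nat(pkt)
    if post is None:
        # No NAT match: port 443 is not rewritten and still reaches the
        # firewall's own admin page on the WAN interface.
        return "no-nat", pkt
    return evaluate_security(pkt, post), post


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed internet client
    print(forward(Packet(client, "14.169.0.1", "tcp", 442)))  # ESXi, 442 rewritten to 443
    print(forward(Packet(client, "14.169.0.1", "tcp", 443)))  # firewall admin page, untouched
    ddns_update("vacifcoltd.ddns.net", "14.169.0.2")          # WAN IP changed
    print(forward(Packet(client, "14.169.0.2", "tcp", 442)))  # same rules still match
```

Running the script shows the 442 request being rewritten to 172.16.31.10:443 and allowed, the 443 request passing through without translation, and the rules continuing to match after the simulated DDNS update without any change to the NAT or security rule.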

5.6 Result

After configuring the necessary policies, we use a computer on the internet to access the internal server through the WAN IP on port 442, with the following result.

We were able to access the server successfully using port 442 from the internet.

  • In addition, we can still access the firewall's admin page on port 443 as usual.
