Palo Alto: How to configure NAT for a server’s service port to the internet in a 2-layer external and internal firewall model

1.The purpose of the article

In this article, techbast will show how to NAT a server’s service to the internet in a system with two firewall devices, an external and an internal one.

2.Diagram

Details:

External Firewall.

  • The PPPoE internet connection is configured on the ethernet1/1 port with a static IP of 10.150.30.120.
  • The LAN is configured on the ethernet1/2 port with IP 10.145.41.1/24 and has DHCP enabled.

Internal Firewall:

  • The ethernet1/1 port on the Internal Firewall is the WAN port and connects to the ethernet1/2 port of the External Firewall.
  • The Internal Firewall’s ethernet1/1 port has a static IP of 10.145.41.50/24 and points its gateway to IP 10.145.41.1/24.
  • The Internal Firewall’s LAN is configured on the ethernet1/2 port with IP 10.0.0.1/24 and has DHCP enabled.
  • Finally, a Windows Server with IP 10.0.0.52/24 runs the ManageEngine Event Log software, whose administration page is accessed on port 8400.

On the internet:

  • Thegioifirewall prepares a Windows-based computer on the internet that is used to check the NAT result after configuration.

3.Scenario

Techbast will configure port NAT on two Palo Alto firewall devices so that the administrator can access the management page of the ManageEngine Event Log software on port 8400 from the internet.

4.Steps to take

External Firewall:

  • Create service objects for port 8400
  • Create NAT policy.
  • Create Security Policy.

Internal Firewall:

  • Create service objects for port 8400.
  • Create NAT policy.
  • Create Security Policy.

Result.

5.Configuration

5.1.External Firewall

5.1.1.Create service objects for port 8400

To create, go to Objects > Services > click Add.

Create with the following parameters:

  • Name: ManageEngine_Event_Log.
  • Protocol: TCP.
  • Destination Port: 8400.

5.1.2.Create NAT policy.

We will create a NAT policy that translates traffic arriving from the internet for the newly created ManageEngine Event Log service to the internal firewall’s WAN IP, 10.145.41.50.

To create a NAT policy, go to Policies > NAT > click Add.

Create with the following parameters.

Tab General:

  • Name: NAT_ManageEngine_Event_Log_service.
  • NAT Type: ipv4.

Tab Original Packet:

  • Source Zone: WAN.
  • Destination Zone: WAN.
  • Destination Interface: ethernet1/1.
  • Service: Select service objects ManageEngine_Event_Log.
  • Destination Address: Enter the external firewall’s WAN IP as 10.150.30.120.

Tab Translated Packet:

  • Translation Type: select Static IP.
  • Translated Address: Enter the internal firewall’s WAN IP as 10.145.41.50.
  • Translated Port: enter 8400.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.3.Create Security Policy

By default, the firewall blocks traffic coming from the internet into the internal network.

So for the NAT policy we just created to work, we need a security policy that allows the traffic. Note that the security policy is matched on the post-NAT destination zone (LAN) but on the pre-NAT destination address (the firewall’s own WAN IP), which is why the rule below combines Destination Zone LAN with Destination Address 10.150.30.120.

To create, go to Policies > Security > Click Add.

Create with the following parameters.

Tab General:

  • Name: Allow_NAT_ManageEngine_Event_Log_policy.
  • Rule type: universal (default).

Tab Source:

  • Source Zone: WAN.

Tab Destination:

  • Destination Zone: LAN.
  • Destination Address: Enter External Firewall’s WAN IP as 10.150.30.120.

Tab Service/URL Category:

  • At Service click Add and select service Objects ManageEngine_Event_Log.

Tab Actions:

  • Action: select Allow.
  • Log Setting: select Log at Session End.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.Internal Firewall

5.2.1.Create service objects for port 8400

To create, go to Objects > Services > click Add.

Create with the following parameters:

  • Name: ManageEngine_Event_Log.
  • Protocol: TCP.
  • Destination Port: 8400.

5.2.2.Create NAT policy.

We will create a NAT policy that translates traffic arriving from the external firewall on the internal firewall’s WAN IP for the newly created ManageEngine Event Log service to the ManageEngine Event Log server at 10.0.0.52.

To create a NAT policy, go to Policies > NAT > click Add.

Create with the following parameters.

Tab General:

  • Name: NAT_ManageEngine_Event_Log_service.
  • NAT Type: ipv4.

Tab Original Packet:

  • Source Zone: WAN.
  • Destination Zone: WAN.
  • Destination Interface: ethernet1/1.
  • Service: Select service objects ManageEngine_Event_Log.
  • Destination Address: Enter the internal firewall’s WAN IP as 10.145.41.50.

Tab Translated Packet:

  • Translation Type: select Static IP.
  • Translated Address: enter the server’s IP as 10.0.0.52.
  • Translated Port: enter 8400.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2.3.Create Security Policy

By default, the firewall blocks traffic coming from the external firewall’s network into the internal network.

So for the NAT policy we just created to work, we need a security policy that allows the traffic.

To create, go to Policies > Security > Click Add.

Create with the following parameters.

Tab General:

  • Name: Allow_NAT_ManageEngine_Event_Log_policy.
  • Rule type: universal (default).

Tab Source:

  • Source Zone: WAN.

Tab Destination:

  • Destination Zone: LAN.
  • Destination Address: Enter the Internal Firewall’s WAN IP as 10.145.41.50.

Tab Service/URL Category:

  • At Service click Add and select service Objects ManageEngine_Event_Log.

Tab Actions:

  • Action: select Allow.
  • Log Setting: select Log at Session End.
  • Click OK.

Click Commit and OK to save the configuration changes.
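To make the order of operations behind sections 5.1 and 5.2 visible, here is a small Python model, added here and not part of the original article or of any Palo Alto software, that walks a packet from the internet through both firewalls using the addresses, zone names and rule names from this article. It encodes the PAN-OS evaluation order: NAT rules are matched on the pre-NAT destination zone (found by a route lookup on the original address), while security policy is matched on the post-NAT zone but on the pre-NAT address and port, which is why both security policies use Destination Zone LAN together with the firewall’s own WAN IP. The routing tables, the client address 203.0.113.10 and the external_with_post_nat_address misconfiguration are assumptions of the example, not part of the article.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str            # pre-NAT zone of the original destination (WAN here)
    dst_ip: str             # original destination address
    service: tuple          # (protocol, port) of the service object
    translated_ip: str
    translated_port: int


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str            # post-NAT zone (LAN here)
    dst_ip: str             # pre-NAT destination address (the firewall's own WAN IP)
    service: tuple
    action: str


class Firewall:
    """Minimal model of how PAN-OS orders NAT and security policy evaluation."""

    def __init__(self, name, routes, nat_rules, security_rules):
        self.name = name
        self.routes = [(ip_network(prefix), zone) for prefix, zone in routes]  # assumed routing table
        self.nat_rules = nat_rules
        self.security_rules = security_rules

    def zone_for(self, ip):
        """Zone of the interface a route lookup for `ip` picks (longest prefix wins)."""
        addr = ip_address(ip)
        return max((net.prefixlen, zone) for net, zone in self.routes if addr in net)[1]

    def process(self, pkt, ingress_zone):
        """Return (verdict, packet after NAT, names of the rules that matched)."""
        hits, translated = [], pkt
        # 1. NAT rules are matched on the pre-NAT destination zone and address.
        pre_nat_zone = self.zone_for(pkt.dst_ip)
        for rule in self.nat_rules:
            if (rule.from_zone == ingress_zone and rule.to_zone == pre_nat_zone
                    and rule.dst_ip == pkt.dst_ip
                    and rule.service == (pkt.proto, pkt.dst_port)):
                translated = replace(pkt, dst_ip=rule.translated_ip,
                                     dst_port=rule.translated_port)
                hits.append(rule.name)
                break  # the first matching NAT rule wins
        # 2. Security policy is matched on the post-NAT zone but the pre-NAT address/port.
        post_nat_zone = self.zone_for(translated.dst_ip)
        for rule in self.security_rules:
            if (rule.from_zone == ingress_zone and rule.to_zone == post_nat_zone
                    and rule.dst_ip == pkt.dst_ip
                    and rule.service == (pkt.proto, pkt.dst_port)):
                hits.append(rule.name)
                return rule.action, translated, hits
        return "deny", translated, hits  # implicit interzone deny


SERVICE = ("tcp", 8400)  # the ManageEngine_Event_Log service object

EXTERNAL = Firewall(
    "external",
    routes=[("0.0.0.0/0", "WAN"), ("10.145.41.0/24", "LAN")],
    nat_rules=[NatRule("NAT_ManageEngine_Event_Log_service", "WAN", "WAN",
                       "10.150.30.120", SERVICE, "10.145.41.50", 8400)],
    security_rules=[SecurityRule("Allow_NAT_ManageEngine_Event_Log_policy", "WAN", "LAN",
                                 "10.150.30.120", SERVICE, "allow")],
)

INTERNAL = Firewall(
    "internal",
    routes=[("0.0.0.0/0", "WAN"), ("10.0.0.0/24", "LAN")],
    nat_rules=[NatRule("NAT_ManageEngine_Event_Log_service", "WAN", "WAN",
                       "10.145.41.50", SERVICE, "10.0.0.52", 8400)],
    security_rules=[SecurityRule("Allow_NAT_ManageEngine_Event_Log_policy", "WAN", "LAN",
                                 "10.145.41.50", SERVICE, "allow")],
)


def walk(pkt, external=EXTERNAL, internal=INTERNAL):
    """Push a packet from the internet through both firewalls in order."""
    verdict, pkt, hits = external.process(pkt, "WAN")
    if verdict != "allow":
        return verdict, pkt, hits
    verdict, pkt, more = internal.process(pkt, "WAN")
    return verdict, pkt, hits + more


def external_with_post_nat_address():
    """Assumed misconfiguration: the security rule written against the translated address."""
    bad_rule = SecurityRule("Allow_NAT_ManageEngine_Event_Log_policy", "WAN", "LAN",
                            "10.145.41.50", SERVICE, "allow")
    return Firewall("external", [("0.0.0.0/0", "WAN"), ("10.145.41.0/24", "LAN")],
                    EXTERNAL.nat_rules, [bad_rule])


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed internet client address (documentation range)
    print(walk(Packet(client, "10.150.30.120", 8400)))   # allowed, ends at 10.0.0.52:8400
    print(walk(Packet(client, "10.150.30.120", 8401)))   # no NAT match, denied at the external firewall
    print(walk(Packet(client, "10.150.30.120", 8400), external=external_with_post_nat_address()))
```

The third call shows the failure mode to watch for when a rule looks right but sessions never appear in the LAN: a security rule whose Destination Address is the translated address (10.145.41.50) never matches, because the policy lookup still sees the original destination 10.150.30.120, and the implicit interzone deny drops the session.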

5.3.Result

Techbast will use the computer prepared on the internet for testing.

Open any web browser and access the ManageEngine Event Log admin page using the External Firewall’s WAN IP and port 8400.

The access is successful.

So techbast has shown you how to NAT an internal server’s service to the internet with a 2-layer firewall model of an external and an internal firewall.
