Showing posts with label NAT.

Thursday, 2 January 2025

NAT rules on palo alto

 Making a note because it's a bit different to Cisco ASA


NAT rule

OUTSIDE > OUTSIDE

Public src > Public dst


FW rule 

OUTSIDE > INSIDE (counted as inside because of the NAT)

Public src > Public dst

Wednesday, 7 September 2022

can't ping SVI interface on remote switch across S2S VPN

 Had an issue: could ping the vlan1 (LAN) SVI but not the vlan146 (VOICE) SVI

The setup was

LAN client -> L2 VL1 -> L3 SVI VL1 -> Inside ASA -> S2S VPN -> HQ

Phone client -> L2 VL146 -> L3 SVI VL146 -> L3 SVI 1 -> Inside ASA -> S2S VPN -> HQ -> Phone server


I found some messed up NATs


Removed the global dynamic NAT (below):

object network obj_any

 nat (any,outside) dynamic interface


The no-NAT (identity NAT) rule was missing an object in the destination; corrected rule:

nat (voice,outside) source static obj-10.60.146.0 obj-10.60.146.0 destination static HQ-NET HQ-NETS no-proxy-arp route-lookup


Also needed this NAT on the INSIDE interface for the 146 network to ping the SVI, because the route to the HQ network is through the inside interface of the ASA.

nat (inside,outside) source static obj-10.60.146.0 obj-10.60.146.0 destination static HQ-NET HQ-NETS no-proxy-arp route-lookup



Thursday, 28 July 2022

NAT on palo alto firewall

 I find switching from ASA to Palo Alto NAT confusing because they work in a different way and I've worked on ASA for so long.


NAT rule (to NAT the traffic)

outside -> outside

Destination address is customer public IP: 100.200.200.114

Destination translation address is the inside IP of the server: 192.168.0.1


Policy rule (to allow the traffic)

outside -> inside

Source IP is the outside source public IP 8.8.8.8

Destination IP is the public IP: 100.200.200.114 (the pre-NAT address, even though the destination zone is inside)



The main thing: a public IP NAT on Palo Alto is outside to outside, because the NAT rule is matched on pre-NAT zones while the security policy uses post-NAT zones with pre-NAT addresses. On ASA it's outside to inside for a public IP NAT.

  • Source zone: outside
  • Destination zone: outside
  • Destination interface: eth1/1 (outside)
  • Source address: any
  • Destination address: 100.100.100.50 (public IP of server)
  • Service: port 443
  • Source translation: "none"
  • Destination Translation:
    • destination-translation (translation type "static IP")
    • address: 192.168.100.50 (inside IP)
    • port: 443
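The zone rule above (NAT rule: pre-NAT zones; security policy: post-NAT zone, pre-NAT address) comes down to a route lookup, so here is an added example that derives both rules from one. This is not code from the post or from Palo Alto Networks: the routing table, the zone map and the second interface ethernet1/2 are constructed assumptions; the addresses, eth1/1 and port 443 are the ones in the bullet list. It also includes a small checker for the two mistakes an ASA habit tends to produce in the security rule.

```python
"""Derive the zones for a PAN-OS destination NAT from a route lookup.
Added example, not from the post: the routing table, interfaces and zone map are
constructed; the addresses are the ones in the bullet list above."""
import ipaddress

# Constructed routing table: (prefix, egress interface).  The public block that
# holds 100.100.100.50 is reachable via the outside interface.
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("100.100.100.48/28", "ethernet1/1"),
    ("192.168.100.0/24", "ethernet1/2"),   # assumed inside interface
]
ZONES = {"ethernet1/1": "outside", "ethernet1/2": "inside"}


def egress_zone(addr: str) -> str:
    """Zone of the interface a packet to addr would leave on (longest prefix wins)."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES
               if ip in ipaddress.ip_network(p)]
    _, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return ZONES[ifc]


def build_rules(src_zone: str, public_ip: str, inside_ip: str, port: int) -> tuple[dict, dict]:
    """Return (nat_rule, security_rule) as plain dicts.

    NAT rule: everything is pre-NAT, so the destination zone is where the
    original (public) address routes, which is why it reads outside -> outside.
    Security rule: zones are post-NAT (route the translated address) but the
    destination address is still the pre-NAT public IP.
    """
    nat = {"from": src_zone, "to": egress_zone(public_ip),
           "destination": public_ip, "service": port,
           "destination_translation": {"address": inside_ip, "port": port}}
    sec = {"from": src_zone, "to": egress_zone(inside_ip),
           "destination": public_ip, "service": port, "action": "allow"}
    return nat, sec


def check_security_rule(sec: dict, nat: dict) -> list[str]:
    """Flag the two ASA-habit mistakes: using the inside (translated) address in
    the security rule, or copying the NAT rule's outside destination zone."""
    issues = []
    translated = nat["destination_translation"]["address"]
    if sec["destination"] == translated:
        issues.append("destination must be the pre-NAT public IP, not the inside IP")
    if sec["to"] != egress_zone(translated):
        issues.append(f"destination zone must be {egress_zone(translated)} (post-NAT zone)")
    return issues


if __name__ == "__main__":
    nat, sec = build_rules("outside", "100.100.100.50", "192.168.100.50", 443)
    print("NAT rule     :", nat)
    print("security rule:", sec)
    wrong = dict(sec, to="outside", destination="192.168.100.50")
    print("mistakes     :", check_security_rule(wrong, nat))
```

Running it prints the NAT rule as outside -> outside and the security rule as outside -> inside with destination 100.100.100.50, and the checker reports both problems for the deliberately wrong rule.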

Wednesday, 8 June 2022

global NAT on cisco FMC

Devices -> NAT

Edit the NAT policy

Add rule button

NAT rule: Auto NAT rule

Type: Dynamic

Interface: inside -> outside


Translated source: Destination Interface IP (interface PAT)

Tuesday, 22 June 2021

Tuesday, 7 November 2017

destination NAT on cisco ASA over VPN

My DMZ = 100.64.0.0/24
We wanted to reach 172.20.20.10 which is on the customer side but this conflicted with a network on our side.

Decided to use 172.22.20.10 as a NAT IP.


Changes on my side

object-group network MY_LAN
 network-object 100.64.0.0 255.255.255.0

object-group network NAT_NET
 network-object 172.22.20.0 255.255.255.0

Added below to VPN ACL
access-list CUST_VPN_ACL extended permit ip object-group MY_LAN object-group NAT_NET

Identity NAT (no translation on my side):
nat (DMZ,OUTSIDE) source static MY_LAN MY_LAN destination static NAT_NET NAT_NET no-proxy-arp route-lookup

Customer side:

Added to vpn
access-list MYSIDE_VPN extended permit ip object-group NAT_NET object-group MY_LAN

HOST_REAL_IP = 172.20.20.10
HOST_XLATED_IP = 172.22.20.0/24

nat (WIFI,OUTSIDE) source static HOST_REAL_IP HOST_XLATED_IP destination static MY_LAN MY_LAN

I could ping 172.22.20.10 and it responded.

Wednesday, 5 July 2017

static port nat on cisco router

Label your interfaces
int dialer 1
ip nat outside

int inside
ip nat inside

ip nat inside source static tcp 192.168.4.10 8080 interface dialer 1 8080


This will NAT the public IP of dialer 1, port 8080, to 192.168.4.10 port 8080.

Monday, 22 May 2017

source NAT on juniper SSG

I wanted to source NAT my traffic so it appears to come from 10.58.x.x range so it could go over my VPN.

I was able to do this with a DIP on juniper. The DIP must be created on the tunnel interface which is attached to the VPN that we want to travel over.


Since the tunnel interface is unnumbered I configured the extended IP 10.58.254.1/24 (I know this range is free).
For the DIP range I gave 10.58.254.2 - 10.58.254.254

set interface tunnel.4 ext ip 10.58.254.1 255.255.255.0 dip 4 10.58.254.2 10.58.254.254

You need a policy to allow the traffic and do the NAT.
The policy should be at the top so other rules won't overlap/interfere.

set policy id 123 from "Trust" to "Untrust" "LOCAL_NETS_2_NAT" "REMOVE_VPN_NETS" "ANY" nat src dip-id 4 permit log

The 10.58.x.x/16 network already had a policy to allow the traffic and was already in the encryption domain.

Did a debug flow basic and it seems to have worked, will test now.

WebGUI
Network -> Interfaces -> Edit tunnel.4
DIP tab  -> New 
Fill in IP range 10.58.254.2 - 10.58.254.254
Select port translation
Select in the same subnet as the extended IP fill in 10.58.254.1/24

Create your NAT policy
Policy -> Policies
Select source and destination networks
Service = ANY
Action = Permit
Click Advanced button
Tick Source Translation
Select the DIP you created on tun.4 
Click ok


Thursday, 2 February 2017

investigating NAT issues on checkpoint firewalls

In Network Objects (bottom left)
Right click Nodes -> More -> Query Objects
Refine by: Search by IP

Double click on the object and check the NAT section for auto NAT

Also you can do Actions -> Where used -> Active policy
Look for any manual NATs here

Try the traffic while watching the logs in the tracker
You can add the columns xlatesrc and NAT rule into the tracker
Also you can double click the log entry and get more details on the NAT rule and xlated source

Auto NATs are processed first
Manual NATs second


In some cases you may need to add an ARP entry
SSH to CLI of CP firewall
clish 
show configuration
Look for arp
add arp proxy ipv4-address x.x.x.x interface eth1-02 real-ipv4-address y.y.y.1

x.x.x.x is the IP of your server
y.y.y.y is the IP of your gateway

Tuesday, 15 December 2015

Static NAT on checkpoint

https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm

Create your objects
Edit properties on inside object
Configure Static NAT with public IP
Install policy
Configure ACLs to allow the traffic
Install policy

Thursday, 15 August 2013

Allowing external access to a webserver on the usual ports on Cisco ASA

Had to restrict access to a web app, figured it would be useful to leave this here

Setup the object 

object network obj-172.20.50.50
 host 172.20.50.50

Setup the static NAT

object network obj-172.20.50.50
 nat (INSIDE,OUTSIDE) static 200.100.200.300

Setup the group of hosts who are allowed access (you can use any if you want the internet to have access but I want to restrict)

object-group network MYWEBAPP_HOSTS_ALLOWED_IN
 network-object host 80.70.60.50
 network-object host 90.100.200.50
 network-object host 100.123.123.123

Set up the group of ports you want to allow access

object-group service PORTS_80_AND_443 tcp-udp
 port-object eq 80
 port-object eq 443

Add an entry to the outside access-list
access-list OUTSIDE_IN extended permit tcp object-group MYWEBAPP_HOSTS_ALLOWED_IN 172.20.50.50 object-group PORTS_80_AND_443


Monday, 12 August 2013

can't get to servers with a static NAT from internal servers in other DMZs

This was the NAT method I was using:
nat (INSIDE,OUTSIDE) source static obj-172.20.100.140 obj-172.20.100.140 destination static OBJ-200.100.100.200 OBJ-200.100.100.200 no-proxy-arp route-lookup

The above has worked fine for me in many situations before, but here I had an issue: I couldn't connect to servers with a static NAT because the firewall was trying to get to the public IP.

Had to change to this NAT method.

Make sure your object is set up:

object network obj-172.20.100.140
 host 172.20.100.140

This does the static NAT:
object network obj-172.20.100.140
 nat (INSIDE,OUTSIDE) static 200.100.100.200

This NAT is processed at the right time (object NAT sits in Section 2, after the manual NAT rules in Section 1) so internal servers can get to the server, but it still has its static NAT.
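"Processed at the right time" is about the ASA's NAT sections, so here is an added example that parses the two NAT styles from this post and replays the ASA lookup order. This is not code from the post or from Cisco: the object names and addresses are the ones on this page, the config text and the object table are constructed, and the ordering follows the documented sections (Section 1 manual NAT in config order, Section 2 object NAT sorted static before dynamic then most specific first, Section 3 manual NAT with after-auto). The global `nat (any,OUTSIDE) dynamic interface` is included so the Section 2 sort is visible too, like the rule removed in the VPN post above.

```python
"""Cisco ASA (8.3+) NAT rule ordering, to show why moving a static NAT from a
manual (twice) NAT line to object NAT changes when it is evaluated.
Added example, not from the post: object names and addresses come from the ASA
posts on this page, the config text and object table are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed object table for the names used in the config below.
OBJECTS = {
    "obj-172.20.100.140": ipaddress.ip_network("172.20.100.140/32"),
    "OBJ-200.100.100.200": ipaddress.ip_network("200.100.100.200/32"),
    "obj_any": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed config: the twice NAT identity line, its object NAT replacement,
# and a global dynamic PAT.
CONFIG = """\
object network obj-172.20.100.140
 host 172.20.100.140
 nat (INSIDE,OUTSIDE) static 200.100.100.200
object network obj_any
 nat (any,OUTSIDE) dynamic interface
nat (INSIDE,OUTSIDE) source static obj-172.20.100.140 obj-172.20.100.140 destination static OBJ-200.100.100.200 OBJ-200.100.100.200 no-proxy-arp route-lookup
"""

TWICE = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
                   r"(?: destination static (\S+) (\S+))?(.*)$")
AUTO = re.compile(r"^nat \((\S+),(\S+)\) (static|dynamic) (\S+)$")


@dataclass
class NatRule:
    section: int
    order: int                 # position in the running config
    real_if: str
    mapped_if: str
    kind: str                  # "static" or "dynamic"
    real_src: str              # object name
    mapped_src: str            # object name, literal address, or "interface"
    mapped_dst: Optional[str]  # twice NAT only: the packet's destination is matched here
    real_dst: Optional[str]
    text: str


def resolve(name: str) -> ipaddress.IPv4Network:
    """Object name from the table, otherwise a literal address as written in object NAT."""
    return OBJECTS[name] if name in OBJECTS else ipaddress.ip_network(name)


def parse_nat_config(config: str) -> list[NatRule]:
    """Parse nat lines and return them in the order the ASA evaluates them."""
    rules, current_object = [], None
    for n, raw in enumerate(config.splitlines()):
        line = raw.strip()
        if line.startswith("object network "):
            current_object = line.split()[-1]
            continue
        if not raw.startswith(" "):
            current_object = None      # left the object block
        if not line.startswith("nat ("):
            continue
        if current_object:             # indented under an object: object (auto) NAT
            m = AUTO.match(line)
            rules.append(NatRule(2, n, m[1], m[2], m[3], current_object, m[4], None, None, line))
        else:                          # top level: manual (twice) NAT
            m = TWICE.match(line)
            section = 3 if "after-auto" in m[8] else 1
            rules.append(NatRule(section, n, m[1], m[2], m[3], m[4], m[5], m[6], m[7], line))

    def key(r: NatRule):
        if r.section != 2:
            return (r.section, r.order, 0, "")
        # Section 2: static before dynamic, fewer real addresses first, then object
        # name (the ASA also orders by lowest address before the name; omitted here).
        return (2, 0 if r.kind == "static" else 1, resolve(r.real_src).num_addresses, r.real_src)

    return sorted(rules, key=key)


def translate(addr, from_obj: str, to_obj: str, kind: str) -> str:
    if to_obj == "interface":
        return "interface PAT"
    if kind == "dynamic":
        return f"pool {to_obj}"
    src_net, dst_net = resolve(from_obj), resolve(to_obj)
    return str(dst_net[int(addr) - int(src_net.network_address)])   # 1:1 static


def lookup(rules: list[NatRule], ingress_if: str, src: str, dst: str):
    """First match wins across the ordered sections; returns (rule, new_src, new_dst)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.real_if not in (ingress_if, "any") or src_ip not in resolve(r.real_src):
            continue
        if r.mapped_dst and dst_ip not in resolve(r.mapped_dst):
            continue
        new_src = translate(src_ip, r.real_src, r.mapped_src, r.kind)
        new_dst = translate(dst_ip, r.mapped_dst, r.real_dst, "static") if r.mapped_dst else dst
        return r, new_src, new_dst
    return None


if __name__ == "__main__":
    rules = parse_nat_config(CONFIG)
    for r in rules:
        print(f"section {r.section}: {r.text}")
    for flow in [("INSIDE", "172.20.100.140", "8.8.8.8"),
                 ("INSIDE", "172.20.100.140", "200.100.100.200"),
                 ("INSIDE", "172.20.50.50", "8.8.8.8")]:
        r, s, d = lookup(rules, *flow)
        print(flow, "-> section", r.section, "src", s, "dst", d)
```

The ordered output puts the twice NAT line first even though it appears last in the config; a flow from 172.20.100.140 to the public IP hits that Section 1 identity rule untranslated, while the same host going anywhere else falls through to the Section 2 object NAT and gets 200.100.100.200, and an unrelated host lands on the global interface PAT because static object NAT sorts ahead of dynamic.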