
Configure Palo Alto to allow inside DMZ (FTP server)

In the earlier blog post Palo Alto to Internet we configured how to allow users to go out to the Internet. Today I will show you how to allow your customers to come inside to your FTP server.
First I configure my Ethernet 1/1 with the public IP address 37.76.249.42.
Go to Network – Interfaces – Ethernet and edit the interface.
Change the type to Layer 3, then configure the Virtual Router and the Zone (Outside).
Then go to IPv4 and configure the IP address 37.76.249.42/27.
Then configure Ethernet 1/2 as the DMZ gateway.
Change the type to Layer 3, then configure the Virtual Router and the Zone (DMZ).
Then go to IPv4 and configure the IP address 192.168.250.250/24.
Now the most important step is to configure the NAT policy.
Go to Policies – NAT – Add.
I chose the name NatMyFTPServer.
In Original Packet choose:
Source Zone: DMZ
Destination Zone: Outside
Destination Interface: Ethernet 1/1
Then I have to add my source address, so click on Address and create a new address object:
Name: MyFTPServer
Type: IP Netmask
Local IP address: 192.168.250.16
And it's added.
By the way, in case you have many servers that serve different services behind only one public IP, you can adjust the Service field so that one rule handles FTP, a second handles HTTPS and a third handles remote access; this is considered static NAT with port translation.
But in our case it is only one server mapped to one public IP.
Now go to Translated Packet.
Translation Type: Static IP.
Type the translated address, which is the public IP address I configured earlier, and to make sure the translation works both ways, check the Bi-directional box.
Now finally let's configure the security policy rule.
Let me educate you here: the security policy always matches the destination zone as it is after NAT (post-NAT) and the destination IP as it was before NAT (pre-NAT).
So your destination zone after the NAT is DMZ,
and your destination IP is the pre-NAT address, which is your public IP address.
Confusing, I know, but it took me 2 years to understand it, thanks to a friend of mine (Adel ;D).
Go to Policies – Security – Add.
Choose a name and set the Rule Type to interzone.
Select the Source zone as Outside, since the traffic is coming from outside.
Configure the Destination zone as DMZ and the Destination Address as your public IP address.
You can customize the Application and Service/URL Category tabs to allow only the FTP service, but since this is a lab just select any.
Select Any in Application.
Again, in case you have many servers that serve different services behind only one public IP, you can adjust the service here so that one rule covers FTP, a second HTTPS and a third remote access (static NAT with port translation).
But since we have one server, select Any in the Service/URL Category tab.
Then select Allow as the action for this traffic.
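To make the "post-NAT zone, pre-NAT IP" rule less confusing, here is a small model of the order in which the firewall evaluates the inbound half of the bidirectional static NAT and then the security policy. This is an added teaching example written for this post, not PAN-OS code or anything from Palo Alto Networks; it reuses the zones, interfaces and addresses configured above, and the customer PC address 203.0.113.5 and the "ssh" packet are constructed. It also shows the tightened rule the post suggests for non-lab use (application ftp instead of any) and two rules written the wrong way (private IP, or pre-NAT zone) to show that they never match.

```python
"""Model of PAN-OS NAT then security-policy evaluation for traffic coming
from the Internet to a DMZ server behind a bidirectional static NAT.
Added example for this post; not PAN-OS code."""
import ipaddress
from dataclasses import dataclass

# Connected subnets of the two interfaces configured in the post and the
# zone each belongs to.  Anything else follows the default route to Outside.
ZONES = {
    ipaddress.ip_network("37.76.249.32/27"): "Outside",   # ethernet1/1
    ipaddress.ip_network("192.168.250.0/24"): "DMZ",      # ethernet1/2
}
DEFAULT_ZONE = "Outside"

NAT_PUBLIC = "37.76.249.42"    # translated address on the NAT rule
NAT_SERVER = "192.168.250.16"  # MyFTPServer address object


def zone_for(ip: str) -> str:
    """Route lookup reduced to 'which connected subnet holds this address'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    return DEFAULT_ZONE


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    app: str           # App-ID result, simplified to a name
    ingress_zone: str  # zone of the interface the packet arrived on


def apply_nat(pkt: Packet) -> Packet:
    """Inbound half of the bidirectional static NAT.  The rule is matched on
    the pre-NAT destination zone (the public IP routes to Outside) and only
    the destination address is rewritten."""
    if (pkt.ingress_zone == "Outside" and zone_for(pkt.dst) == "Outside"
            and pkt.dst == NAT_PUBLIC):
        return Packet(pkt.src, NAT_SERVER, pkt.dport, pkt.app, pkt.ingress_zone)
    return pkt


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str    # compared with the POST-NAT destination zone
    dst_addr: str   # compared with the PRE-NAT destination address
    apps: set
    action: str


def evaluate(pkt: Packet, rules: list) -> str:
    """Security policy lookup: the zone pair comes from routing the translated
    packet, the address match uses the packet as it arrived.  First matching
    rule wins; anything else hits the interzone default deny."""
    translated = apply_nat(pkt)
    post_nat_dst_zone = zone_for(translated.dst)
    for rule in rules:
        if (rule.from_zone in ("any", pkt.ingress_zone)
                and rule.to_zone in ("any", post_nat_dst_zone)
                and rule.dst_addr in ("any", pkt.dst)       # pre-NAT IP
                and ("any" in rule.apps or pkt.app in rule.apps)):
            return f"{rule.action}:{rule.name}"
    return "deny:interzone-default"


# The rule as the post describes it, with Application tightened to ftp.
CORRECT = SecurityRule("AllowFTP", "Outside", "DMZ", NAT_PUBLIC, {"ftp"}, "allow")
# Two common mistakes: matching the private IP, or the pre-NAT zone.
WRONG_IP = SecurityRule("AllowFTP-privateIP", "Outside", "DMZ", NAT_SERVER, {"ftp"}, "allow")
WRONG_ZONE = SecurityRule("AllowFTP-prenatZone", "Outside", "Outside", NAT_PUBLIC, {"ftp"}, "allow")

# Constructed sample packets from a customer PC on the Internet.
FTP_FROM_INTERNET = Packet("203.0.113.5", NAT_PUBLIC, 21, "ftp", "Outside")
SSH_FROM_INTERNET = Packet("203.0.113.5", NAT_PUBLIC, 22, "ssh", "Outside")

if __name__ == "__main__":
    print(evaluate(FTP_FROM_INTERNET, [CORRECT]))     # allow:AllowFTP
    print(evaluate(FTP_FROM_INTERNET, [WRONG_IP]))    # deny:interzone-default
    print(evaluate(FTP_FROM_INTERNET, [WRONG_ZONE]))  # deny:interzone-default
    print(evaluate(SSH_FROM_INTERNET, [CORRECT]))     # deny:interzone-default
```

The two wrong rules are the ones people usually write first: the private address never appears in the packet at policy-lookup time, and the Outside zone is where the public IP routes before NAT, not after. The last call shows why selecting Any in Application is a lab shortcut: with the rule restricted to ftp, an unrelated service to the same public IP is dropped by the default interzone deny.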
Now on my laptop I install 3CDaemon, which is a great FTP server, and set the upload/download directory to D:\IOS\, which contains my files.
I also configure a profile (Aysar) so I can use it as my login instead of anonymous.
And now for the BIG test:
from any customer PC I open cmd and ftp to the public IP address of the FTP server,
and as you can see authentication went well.
Just type
dir
which lists all the files under my D:\IOS\.

;D
