Example of configuring and verifying destination NAT on the Palo Alto firewall. Once again we're going to leverage an existing configuration that already exists as part of the 0-60 playlist, and we're just going to add on top of it. So let's imagine we have an additional interface here that we're using. Let's go ahead and use 1/2, and let's connect that to the network 10.30.0.0 with a 24-bit mask, and let's go ahead and associate that with a zone called the DMZ. So let me add that here, I'll put a little yellow, and that'll be the DMZ zone, and let's put a server there at .100. I've got a little Windows Server running IIS providing basic web services right there, so its address is 10.30.0.100.

So for this demo, as we talk about destination NAT, what exactly does that mean? Well, destination NAT means that on the initial flow of traffic, let's imagine if we have a client out here on the internet who's trying to reach a server that's located on this DMZ. When that client initially connects to whatever globally routable address we use for that translation, on the initial flow of traffic we're going to take that destination IP address and swap it over to this destination IP address of this server, and then when the replies go back from the server it's untranslated back to its original address. So the concept of destination NAT means we're swapping out the destination IP address on the initial flow of traffic.

So as far as a game plan here in my lab environment, let's use 23.1.2.100, and if a client does connect with HTTP to that IP address, what we want the firewall to do is to swap out the destination IP address over to this one of 10.30.0.100 for the server. And then for the traffic, in addition to having our destination NAT policy rule in place, we also need to set up a security policy rule that permits that flow of traffic. So for our security policy rule, let's allow ping traffic and SSL, which effectively is HTTPS, and we'll also allow web-browsing, which in the Palo Alto world represents HTTP traffic with TCP port 80.

Now before we demo this configuration, I also want to point out a couple of slight differences between the NAT policy, which is doing the address translation, and the security policy that's allowing the traffic to go through. In the NAT policy, when we go to the tab for the original packet, we're going to talk about the source packets and source information before any translation has gone on, so that would include this globally routable address that goes to the server at 23.1.2.100 and the client's IP address, so I'll drop down pre-NAT there. And also, from a routing perspective, all those IP addresses, the client's source IP address and the destination IP address of the server, all those addresses are associated with the outside zone. So in that rule regarding the original packet, we're going to specify the pre-NAT addresses and the pre-NAT zones. So as an example of this, for the original packet the destination would be the 23.1.2.100 address, that's the pre-NAT IP address, and that pre-NAT IP address is associated with the outside zone. Again, just think of it from a routing perspective: if the firewall was going to forward to that IP address, which interface would it use, and based on that interface, which zone does that interface belong to? In this topology, that's the outside zone.

And then for our security policy rule that permits that traffic, on the source tab for that security policy rule we're also going to use pre-NAT IP addresses, and for the destination tab we're going to be using pre-NAT IPs, but for the actual zones involved for permitting that traffic we are using the post-NAT zone. So whatever zone this IP address of 10.30.0.100 is really in, in this case it's going to be on our DMZ, that's what we specify there. So pre-NAT IP and post-NAT zone for the security policy rule. And I just realized that I don't have this 1/2 interface currently set up, so let's set up this 1/2 interface on the firewall and then we'll proceed to set up the destination NAT and the security policy, and then we can test it from a client here in my lab environment on my little pseudo-internet right here.

So here at the firewall, let's start by going to Network and Interfaces, and with the Ethernet sub-tab selected, I'm going to use ethernet1/2, so we'll select that. We'll specify the interface type is going to be Layer3, so we'll select that from the drop-down. The virtual router it's associated with is our virtual router, and the security zone is going to be the DMZ. It doesn't exist yet, so we'll click here on New Zone and we'll create it, we'll name it DMZ, click on OK. And then for its IPv4 address, we'll click on the IPv4 tab here, click on Add, and we'll give it 10.10.0.19 with a 24-bit mask, just like that. And also, just for grins, let me go to the Advanced tab and let me associate a management profile that allows pings, so we can do some basic connectivity testing should we need to, and then we'll click on OK. All right, so that's in the candidate config. I also am physically going to plug this port 1/2 into the appropriate VLAN supporting the 10.30 address. Oh, look at that, I've got to put the right address there. Let me edit that one more time, 1/2, force of habit. We'll go back to IPv4, and we want 10.30, not 10.10, because if I try to use the 10.10 address space twice, and I'm not using virtual firewalls, it would complain that the same subnet is being associated with two different interfaces. All right, that looks better. We'll click on OK, and before we're done I'll also physically plug that 1/2 into VLAN 30, which is supporting that 10.30 network address space.

So now that we have the interface configured, let's configure the destination NAT and also the security policy rule to allow traffic from a client out here on the internet to reach that server via this global address. So let's begin with our NAT policy. We'll click on Policies on the left, we'll click on NAT, and here we have some source NAT from previous videos. So we'll click on Add and we'll create a new destination NAT rule, and I'm going to name this DNAT for Server. So for the original packet, everything here is going to be based on pre-NAT addresses, think of the global address space, 23.1.2, etc. So let's click on Add here. The source zone for that address space would be the outside zone, and the destination address would be our server, so I'm going to add that next, we'll click on Add and I'm just going to plug it in as 23.1.2.100. We could also create an address object, no problem. The source, the rest, could be anywhere on the internet, so I'll leave that as any, and for the destination zone associated with this destination address, from a routing perspective that would also be associated with the outside zone, so click here on the drop-down, select outside. Again, pre-NAT zones and pre-NAT IP addresses on the original packet tab for a NAT policy rule. And for the destination interface, I'm going to say it's coming in through service provider A on ethernet1/4. And over here in the destination address translation section, from the drop-down we'll say static IP, and we want to map that to the internal address of 10.30.0.100, and click on OK. So there's our destination NAT rule.

And then secondly, we want a security policy that permits the initial flow of traffic if it's ping, HTTP or HTTPS. To do that, with Policies still selected, we'll click on Security on the left, and we'll create a new security policy rule that allows that initial flow of traffic from the outside over to our DMZ. So we'll click on Add and we'll call this Permit to Server on DMZ. So here on the source tab we're going to specify pre-NAT information, so the client would initiate their traffic coming into the firewall on the outside side, and their source address could be anywhere on the internet. And here on the destination tab we're going to be using the pre-NAT IPs for the destination address but the post-NAT zone. Think of the zone here in the security policy rule like the zone where that device, that server, really lives. So for the destination address we'll click on Add and I'll do the pre-NAT IP address, which is 23.1.2.100, that's the IP address for the server, and the post-NAT zone, which is the actual zone where the server is, which is the DMZ. And for the application we'll allow ping, so we'll click on Add, type in ping, we'll click on Add again and allow SSL, select that, and let's also allow web browsing, effectively HTTP, so we'll do web-browsing and select that, and we'll use the default ports associated with those applications. And we'll click on Actions and we'll allow that, and we're doing logging, great, great, and we'll click on OK. So in our security policy rule we're permitting ping, SSL and web-browsing if traffic is sourced coming into the firewall on the outside zone and that traffic is going to the DMZ, and then if the destination address is the global or pre-NAT address that maps over with the destination NAT over to our server. So let's go ahead and commit that, and we'll confirm that with another commit, and what I'll do is I will plug the port ethernet1/2 into VLAN 30.

All right, that commit is done, let me click on Close. Let me also just go back to Network, and we'll click on Interfaces and Ethernet, so I verify also that port is now up and ready to go. So here from the client, let's do a test to 23.1.2.100 to verify that both our destination NAT and our security policy rules are working to allow initial traffic for ping and HTTP from this client to the server on our DMZ. So here is a client computer. Let's verify its IP address with an ifconfig. This is a Linux computer and it is 23.1.2.61, and let's see if we can ping the global address that leads down to our server that's at 23.1.2.100. Press Enter, and survey says it's working, fantastic. So those pings are flying, we'll go ahead and Ctrl-C there. Let's also try a browser, so we'll open up a browser on this client computer and we'll go to 23.1.2.100, press Enter, and it should be the web page for Internet Information Services, which is the default page on my web server on that DMZ. Fantastic. So in this video we've done three basic things: we set up a DMZ, we set up a destination NAT rule, we also set up permissions to allow that destination NAT to be used, and I look forward to seeing you, my friend, in another video very, very soon.
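The same build as PAN-OS CLI set commands, added here as an example; it is not the video's own configuration, which was done in the web UI. Assumptions not stated in the video: the virtual router is named default, the outside zone is named outside and already contains ethernet1/4, the DMZ interface takes 10.30.0.1/24 (the video only says it is a 10.30 address), and the management profile is named allow-ping.

```text
# Assumed names/values: virtual router "default", zone "outside" holding ethernet1/4,
# DMZ interface address 10.30.0.1/24, management profile "allow-ping".
configure

# ethernet1/2 as a Layer3 interface in the new DMZ zone, with ping allowed on it
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/2 layer3 ip 10.30.0.1/24
set network interface ethernet ethernet1/2 layer3 interface-management-profile allow-ping
set network virtual-router default interface ethernet1/2
set zone DMZ network layer3 ethernet1/2

# Destination NAT rule: the original packet is matched on pre-NAT zones (outside -> outside)
# and the pre-NAT address 23.1.2.100, arriving on ethernet1/4; translated to 10.30.0.100.
set rulebase nat rules "DNAT for Server" from outside to outside source any destination 23.1.2.100 service any to-interface ethernet1/4
set rulebase nat rules "DNAT for Server" destination-translation translated-address 10.30.0.100

# Security rule: pre-NAT destination address 23.1.2.100 but post-NAT zone DMZ,
# only ping, ssl and web-browsing on their default ports, logged at session end.
set rulebase security rules "Permit to Server on DMZ" from outside to DMZ source any destination 23.1.2.100 application [ ping ssl web-browsing ] service application-default action allow log-end yes

commit
exit

# Verification from the firewall itself: which NAT and security rules a flow from the
# lab client 23.1.2.61 to 23.1.2.100 port 80 would match, then the live sessions.
test nat-policy-match from outside to outside source 23.1.2.61 destination 23.1.2.100 protocol 6 destination-port 80
test security-policy-match from outside to DMZ source 23.1.2.61 destination 23.1.2.100 protocol 6 destination-port 80 application web-browsing
show session all filter destination 23.1.2.100
```

The two test commands make the pre-NAT/post-NAT rule visible: the NAT lookup is queried with zones outside to outside, the security lookup with the post-NAT zone DMZ, both against the pre-NAT address 23.1.2.100.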