In this blog post, I will show you how to configure NAT on Palo Alto Firewalls. One of the main functions of the NAT is to translate private IP addresses to globally-routable IP addresses, thereby conserving an organization’s routable IP addresses.

NAT examples in this section are based on the following diagram.

diagram

Palo Alto Configurations

  • USERS zone : 10.10.10.0/24
  • DMZ zone : 172.16.1.0/24
  • OUTSIDE zone : 200.10.10.0/28
  • public user has an IP of 195.10.10.10

Source NAT - Dynamic IP and Port

Source NAT is  used for translating private IP address to a public routable address by changing the source address of the packets that pass through the Firewall.

Source NAT allows connections to be initiated only for outgoing network connections for example, from a private network to the Internet.

Let's configure source NAT, so the users can go out to the Internet

  1. Source NAT with Dynamic IP and port - When the traffic leaves the firewall the source IP is translated from 10.10.10.x to the OUTSIDE IP address of the Firewall (200.10.10.10)
  2. Security rule allowing PING
nat policy
security-rule
source NAT

Destination NAT

Destination NAT is performed on incoming packets when the firewall translates a public destination address to a private destination address.

In this example, we have a web-server which is reachable from the Internet via Firewall's OUSIDE IP of 200.10.10.10. When the traffic hits the Firewall, the destination IP is translated to the private IP of 172.16.1.1o

Please remember that you also need corresponding Security Rule to allow http traffic from the Internet to the web-server

Let's configure Destination NAT, so the public users can access the web-server

  1. Destination NAT - When the traffic arrives on the firewall the destination IP is translated from 200.10.10.10 to 172.16.1.10
  2. Security rule allowing http traffic from the Internet.
nat policy
security rule
destination NAT

Bi-Directional NAT

Please note that I deleted the destination NAT I created in the previous step to demonstrate Bi-Directional NAT.

Let's assume that the web-server needs Internet access to update the packages time to time. So, we need to create a Source NAT (either Dynamic IP and port or static NAT). The web-server also needs to be accessible from the Internet which requires Destination NAT.

We can either create two separate NAT rules or use Bi-Directional NAT.  Bi-Directional NAT rule creates two rules, one for Source NAT and one for Destination NAT. So, when the web-server goes out to the Internet, the source IP is translated to the Public IP of the Firewall. On the other hand, if anyone initiates inbound connection to the web-server's public IP, the destination IP is translated to the private IP assigned to the web-server's NIC.

In this example, instead of using Firewall's OUTSIDE interface IP, I'm going to use a different IP - 200.10.10.5

Bi-Directional NAT rule
Bi-Directional Security Rule

As you can see above, web-server can reach out to the Internet and public users can access the web-server on port 80.


U-Turn NAT

U-Turn NAT refers to a Network where Internal users need to access an Internal server using the server’s external public IP address.

Let's say the users in the USERS zone need to access the web-server using it's public IP address of 200.10.10.5

u-turn nat rule
u-turn sec rule

Please note that you may have to move the U-Turn NAT to the top, otherwise the traffic will match against the dynamic-NAT for USERS NAT policy.


Thanks for reading.

As always, your feedback and comments are more than welcome.

Reference

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/configure-nat