In this blog post, I will show you how to configure NAT on Palo Alto Firewalls. One of the main functions of the NAT is to translate private IP addresses to globally-routable IP addresses, thereby conserving an organization’s routable IP addresses.
NAT examples in this section are based on the following diagram.
Palo Alto Configurations
- USERS zone : 10.10.10.0/24
- DMZ zone : 172.16.1.0/24
- OUTSIDE zone : 22.214.171.124/28
- public user has an IP of 126.96.36.199
Source NAT - Dynamic IP and Port
Source NAT is used for translating private IP address to a public routable address by changing the source address of the packets that pass through the Firewall.
Source NAT allows connections to be initiated only for outgoing network connections for example, from a private network to the Internet.
Let's configure source NAT, so the users can go out to the Internet
- Source NAT with Dynamic IP and port - When the traffic leaves the firewall the
source IPis translated from
OUTSIDE IP addressof the Firewall (188.8.131.52)
- Security rule allowing
Destination NAT is performed on incoming packets when the firewall translates a public destination address to a private destination address.
In this example, we have a web-server which is reachable from the Internet via Firewall's OUSIDE IP of 184.108.40.206. When the traffic hits the Firewall, the destination IP is translated to the private IP of
Please remember that you also need corresponding Security Rule to allow
http traffic from the Internet to the
Let's configure Destination NAT, so the public users can access the web-server
- Destination NAT - When the traffic arrives on the firewall the
destination IPis translated from
- Security rule allowing
httptraffic from the Internet.
Please note that I deleted the
destination NATI created in the previous step to demonstrate Bi-Directional NAT.
Let's assume that the web-server needs Internet access to update the packages time to time. So, we need to create a Source NAT (either Dynamic IP and port or static NAT). The web-server also needs to be accessible from the Internet which requires Destination NAT.
We can either create two separate NAT rules or use Bi-Directional NAT. Bi-Directional NAT rule creates two rules, one for Source NAT and one for Destination NAT. So, when the web-server goes out to the Internet, the source IP is translated to the Public IP of the Firewall. On the other hand, if anyone initiates inbound connection to the web-server's public IP, the destination IP is translated to the private IP assigned to the web-server's NIC.
In this example, instead of using Firewall's
OUTSIDE interface IP, I'm going to use a different IP - 220.127.116.11
As you can see above,
web-server can reach out to the Internet and public users can access the
web-server on port 80.
U-Turn NAT refers to a Network where Internal users need to access an Internal server using the server’s external public IP address.
Let's say the users in the USERS zone need to access the web-server using it's public IP address of 18.104.22.168
Please note that you may have to move the U-Turn NAT to the top, otherwise the traffic will match against the
dynamic-NAT for USERS NAT policy.
Thanks for reading.
As always, your feedback and comments are more than welcome.