Work environment
- PA-200
- Version 8.1.19
Application order of each process in Palo Alto
When configuring NAT on a Palo Alto firewall, keep in mind the order in which each process is applied.
The order is as follows.
- Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone.
- Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone.
- It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones.
- Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
NAT configuration with GUI
If you want to configure NAT in the GUI, open the [Policies > NAT] screen and click Add.

[General] tab

[Original Packet] tab

[Translated Packet] tab

If you set Type to Static IP in Source Address Translation, you will see the Bi-directional option.
Test environment
Consider Ping communication between client A and client B across the PA-200 as shown in the image below.

The interface settings of PA-200 are as shown in the image below.

Create the address object used for NAT configuration in advance.

The policy is configured as shown in the image below to allow two-way communication.

Source NAT (Bi-directional option enabled)
Configure source NAT with the following requirements:
- If Client B communicates to the Untrust zone, translate Client B’s IP address 10.2.0.100 to 10.1.0.100.
- Enable the Bi-directional option.
- To enable the Bi-directional option, set the translated source IP type to Static IP.

As a test configuration, NAT configuration is performed as shown in the image below.

After configuration, ping from Client B to Client A’s IP address 10.1.0.100.
Packet capture on Client A

You can see that the source IP is now 10.1.0.10.
Packet capture on Client B

Operation check of Bi-directional option
If you enable the Bi-directional option, you can perform destination NAT for communication from the Client A side. In other words, when Client A communicates to 10.1.0.10, the destination is translated to 10.2.0.100.

Try to ping from Client A to 10.1.0.10.
Packet capture on Client A

Packet capture on Client B

From the packet capture in Client B, you can see that the destination has been translated to 10.2.0.100.
Destination NAT
Configure the destination NAT with the following requirements:
- When communicating from Client B to 10.2.0.10, the destination is translated to 10.1.0.100.

As a test configuration, NAT configuration is performed as shown in the image below.

- Set the destination zone to Trust, based on the source IP before translation.
Packet capture on Client A

From the packet capture on Client A, you can see that the destination has been translated to 10.1.0.100.
Packet capture on Client B

NAT operation check by test command
You can check the NAT operation by using the test command without actually generating communication.
The command is as follows.
> test nat-policy-match from <from-zone> to <to-zone> source <source-ip> destination <dest-ip> destination-port <dest-port> protocol <protocol-type>
<protocol-type>
- 1: ICMP
- 6: TCP
- 17: UDP
Execution example
admin@PA-200> test nat-policy-match from Trust to Trust source 10.2.0.100 destination 10.2.0.10 destination-port 9999 protocol 6
Destination-NAT: Rule matched: NAT_01
10.2.0.10:9999 => 10.1.0.100:9999
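To make the four-step processing order (route lookup, NAT match, security policy, translation) and the test command above concrete, here is an added Python model of the lab; it is not PAN-OS code and not from the original post. It assumes the rule name SNAT_B, the security rules, and a simplified reverse rule for the Bi-directional option; the translated address 10.1.0.10 is taken from the packet captures.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the page's lab: a PA-200 between Untrust (10.1.0.0/24) and Trust (10.2.0.0/24).
ROUTES = {"10.1.0.0/24": "Untrust", "10.2.0.0/24": "Trust"}
NatRule = namedtuple("NatRule", "name frm to src dst snat dnat bidirectional", defaults=(None, None, False))

def zone_of(ip):
    """Step 1: route lookup; the egress zone comes from the longest-prefix match."""
    for prefix in sorted(ROUTES, key=lambda n: ipaddress.ip_network(n).prefixlen, reverse=True):
        if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix):
            return ROUTES[prefix]
    raise LookupError(f"no route for {ip}")

def _hit(pattern, value):
    return pattern == "any" or pattern == value

def expand_bidirectional(rules):
    """A bi-directional static source NAT rule implies the reverse destination NAT the page tests (simplified)."""
    out = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.snat:  # assumption: reverse rule is any -> zone of the NAT address
            out.append(NatRule(r.name + " (reverse)", "any", zone_of(r.snat), "any", r.snat, dnat=r.src))
    return out

# Rules from the page: bi-directional source NAT for Client B (captures show 10.1.0.10) and NAT_01.
NAT_RULES = expand_bidirectional([
    NatRule("SNAT_B", "Trust", "Untrust", "10.2.0.100", "any", snat="10.1.0.10", bidirectional=True),
    NatRule("NAT_01", "Trust", "Trust", "any", "10.2.0.10", dnat="10.1.0.100"),
])
# Security rules (from, to, src, dst), constructed: post-NAT zones but pre-NAT addresses, so the
# rule for Client A's traffic names the NAT address 10.1.0.10 even though the session ends at 10.2.0.100.
SECURITY_RULES = [("Trust", "Untrust", "10.2.0.100", "any"), ("Untrust", "Trust", "any", "10.1.0.10")]

def process(src, dst, ingress_zone, security=SECURITY_RULES):
    """Apply the page's order: route lookup, NAT match, security policy, then translation."""
    egress_zone = zone_of(dst)                                          # step 1, on the pre-NAT packet
    rule = next((r for r in NAT_RULES if _hit(r.frm, ingress_zone) and _hit(r.to, egress_zone)
                 and _hit(r.src, src) and _hit(r.dst, dst)), None)      # step 2: first matching NAT rule
    new_src = rule.snat if rule and rule.snat else src
    new_dst = rule.dnat if rule and rule.dnat else dst
    post_zone = zone_of(new_dst)                                        # step 3: post-NAT zone ...
    allowed = ingress_zone == post_zone or any(                         # (intrazone default allows)
        f == ingress_zone and t == post_zone and _hit(s, src) and _hit(d, dst)  # ... pre-NAT addresses
        for f, t, s, d in security)
    return {"rule": rule.name if rule else None, "allowed": allowed,     # step 4: translation applied
            "src": new_src, "dst": new_dst, "zones": (ingress_zone, post_zone)}
```

Calling process("10.2.0.100", "10.2.0.10", "Trust") reproduces the test command's result (NAT_01, destination 10.1.0.100), and passing a security rule written with the post-NAT address shows why such a rule never matches.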
NAT session confirmation command
You can check the source / destination IP information before / after translation of the current sessions by executing the show session all command.
admin@PA-200> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
5510 ping ACTIVE FLOW ND 10.2.0.100[1]/Trust/1 (10.2.0.100[1])
vsys1 10.2.0.10[5425]/Untrust (10.1.0.100[5425])
5508 ping ACTIVE FLOW ND 10.2.0.100[1]/Trust/1 (10.2.0.100[1])
vsys1 10.2.0.10[5423]/Untrust (10.1.0.100[5423])
5507 ping ACTIVE FLOW ND 10.2.0.100[1]/Trust/1 (10.2.0.100[1])
vsys1 10.2.0.10[5422]/Untrust (10.1.0.100[5422])
5509 ping ACTIVE FLOW ND 10.2.0.100[1]/Trust/1 (10.2.0.100[1])
vsys1 10.2.0.10[5424]/Untrust (10.1.0.100[5424])