[PaloAlto] Simple configuration example of source and destination NAT

Firewall (UTM)

Work environment

  • PA-200
    • Version 8.1.19

Application order of each process in Palo Alto

When configuring NAT on a Palo Alto firewall, keep in mind the order in which the firewall applies each step.

The order is as follows.

  1. Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone.
  2. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone.
  3. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones.
  4. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.

The practical consequence is that a NAT rule's destination zone is judged on where the original (pre-NAT) destination address routes, whereas the security policy is matched on the zone the translated (post-NAT) destination routes to. A destination NAT rule and the security policy that permits its traffic can therefore carry different destination zones, which is exactly what the destination NAT example later in this article turns on.

NAT configuration with GUI

If you want to configure NAT in the GUI, open the [Policies > NAT] screen and click Add.

[General] tab

[Original Packet] tab

[Translated Packet] tab

If you set Type to Static IP under Source Address Translation, the Bi-directional option appears.

Test environment

Consider ping traffic between Client A and Client B through the PA-200, as shown in the image below. Client A (10.1.0.100) sits in the Untrust zone and Client B (10.2.0.100) sits in the Trust zone.

The interface settings of PA-200 are as shown in the image below.

Create the address objects used in the NAT configuration in advance.

The security policy is configured as shown in the image below to allow communication in both directions.

Source NAT (Bi-directional option enabled)

Configure source NAT with the following requirements:

  • When Client B communicates with the Untrust zone, translate Client B’s IP address 10.2.0.100 to 10.1.0.10.
  • Enable the Bi-directional option
    • To enable the Bi-directional option, set the translated source address type to Static IP.

As a test configuration, NAT is configured as shown in the image below.

After configuration, ping from Client B to Client A’s IP address 10.1.0.100.

Packet capture on Client A

You can see that the source IP has been translated to 10.1.0.10.

Packet capture on Client B

Operation check of Bi-directional option

When the Bi-directional option is enabled, the firewall also performs destination NAT for traffic coming from the Client A side. In other words, when Client A sends to 10.1.0.10, the destination is translated to 10.2.0.100.

Try pinging 10.1.0.10 from Client A.

Packet capture on Client A

Packet capture on Client B

The packet capture on Client B shows that the destination has been translated to 10.2.0.100.

Destination NAT

Configure the destination NAT with the following requirements:

  • When communicating from Client B to 10.2.0.10, the destination is translated to 10.1.0.100.

As a test configuration, NAT is configured as shown in the image below.

  • Set the destination zone of the NAT rule to Trust, because that zone is determined by the route lookup of the pre-NAT destination address (10.2.0.10 is routed toward the Trust interface).
  • The security policy, by contrast, is matched on the post-NAT zone, so this traffic must be allowed from Trust to Untrust, not from Trust to Trust.

Packet capture on Client A

The packet capture on Client A shows that the destination has been translated to 10.1.0.100.

Packet capture on Client B

NAT operation check by test command

You can check which NAT rule a packet would match with the test command, without generating any actual traffic. The from and to zones given to the command are the NAT rule's zones, so the destination zone is the one the pre-NAT destination address routes to (Trust to Trust in the example below, not Trust to Untrust).

The command is as follows.

  • > test nat-policy-match from <from-zone> to <to-zone> source <source-ip> destination <dest-ip> destination-port <dest-port> protocol <protocol-type>
    • <protocol-type>
      • 1: ICMP
      • 6: TCP
      • 17: UDP

Execution example

admin@PA-200> test nat-policy-match from Trust to Trust source 10.2.0.100 destination 10.2.0.10 destination-port 9999 protocol 6

Destination-NAT: Rule matched: NAT_01
10.2.0.10:9999 => 10.1.0.100:9999
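The evaluation order described at the top of the article, replayed in Python against the two rules configured here. This is an added example and not PAN-OS code: the routing table, the name SNAT_B for the source NAT rule, the two security rules and the shape of the implied reverse rule are assumptions. Beyond what test nat-policy-match prints, it also reports the zone pair the security policy is matched on, which for NAT_01 is Trust to Untrust even though the NAT rule itself is Trust to Trust.

```python
"""Model of the PAN-OS evaluation order for NAT (route lookup, NAT rule match,
security policy on pre-NAT addresses with post-NAT zones, then translation),
replayed against the two rules from this article. Added example, not PAN-OS
code; the routing table, the SNAT rule name and the security rules are
constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed routing table for the test environment. Trust owns 10.2.0.0/24
# (Client B = 10.2.0.100), Untrust owns 10.1.0.0/24 (Client A = 10.1.0.100).
ROUTES = {ip_network("10.2.0.0/24"): "Trust",
          ip_network("10.1.0.0/24"): "Untrust"}


def route_lookup(addr: str) -> str:
    """Zone of the longest-prefix route for addr (the egress zone)."""
    a = ip_address(addr)
    nets = [n for n in ROUTES if a in n]
    if not nets:
        raise LookupError(f"no route to {addr}")
    return ROUTES[max(nets, key=lambda n: n.prefixlen)]


@dataclass
class NatRule:
    name: str
    from_zone: str                 # "any" matches every zone
    to_zone: str                   # compared with the PRE-NAT destination's zone
    source: Optional[str]          # None = any
    destination: Optional[str]     # None = any
    translated_source: Optional[str] = None
    translated_destination: Optional[str] = None
    bidirectional: bool = False    # only valid for static-IP source translation

    def matches(self, from_zone: str, to_zone: str, src: str, dst: str) -> bool:
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and self.source in (None, src)
                and self.destination in (None, dst))


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    action: str


def expand_bidirectional(rules: List[NatRule]) -> List[NatRule]:
    """Bi-directional static-IP source NAT implies a reverse destination NAT:
    packets sent to the translated address go back to the original host.
    Modelling assumption: the implied rule matches from any zone and its
    to-zone is where the translated address is routed."""
    out: List[NatRule] = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.translated_source:
            out.append(NatRule(f"{r.name} (implied reverse)", "any",
                               route_lookup(r.translated_source), None,
                               r.translated_source,
                               translated_destination=r.source))
    return out


# The article's rules. "SNAT_B" is a hypothetical name; NAT_01 is the page's.
NAT_RULES = expand_bidirectional([
    NatRule("SNAT_B", "Trust", "Untrust", "10.2.0.100", None,
            translated_source="10.1.0.10", bidirectional=True),
    NatRule("NAT_01", "Trust", "Trust", "10.2.0.100", "10.2.0.10",
            translated_destination="10.1.0.100"),
])

# Assumed security policy: two-way allow between Trust and Untrust.
SECURITY_RULES = [SecurityRule("allow-out", "Trust", "Untrust", "allow"),
                  SecurityRule("allow-in", "Untrust", "Trust", "allow")]


def evaluate(src: str, dst: str,
             security_rules: List[SecurityRule] = SECURITY_RULES) -> dict:
    """Run one packet through the four steps; the ingress zone is taken from
    the route of the source address, standing in for the ingress interface."""
    ingress = route_lookup(src)
    pre_nat_zone = route_lookup(dst)                                   # step 1
    rule = next((r for r in NAT_RULES                                  # step 2
                 if r.matches(ingress, pre_nat_zone, src, dst)), None)
    new_src = (rule and rule.translated_source) or src
    new_dst = (rule and rule.translated_destination) or dst
    post_nat_zone = route_lookup(new_dst)
    sec = next((s for s in security_rules                              # step 3
                if s.from_zone == ingress and s.to_zone == post_nat_zone), None)
    action = sec.action if sec else "deny"
    return {
        "nat_rule": rule.name if rule else None,
        "nat_zone_pair": (ingress, pre_nat_zone),          # what the NAT rule sees
        "security_zone_pair": (ingress, post_nat_zone),    # what the policy sees
        "security_rule": sec.name if sec else None,
        "action": action,
        "translated": (new_src, new_dst) if action == "allow" else None,  # step 4
    }


if __name__ == "__main__":
    for src, dst in [("10.2.0.100", "10.1.0.100"),   # Client B -> Client A (SNAT)
                     ("10.1.0.100", "10.1.0.10"),    # Client A -> B's translated IP
                     ("10.2.0.100", "10.2.0.10")]:   # Client B -> DNAT address
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

For the third packet the model matches NAT_01 and translates 10.2.0.10 to 10.1.0.100, as the test command above does, and additionally shows that the security policy is evaluated on the Trust to Untrust pair; passing a policy written only for Trust to Trust into evaluate() yields a deny.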

NAT session confirmation command

You can check the pre- and post-translation source and destination addresses of current sessions with the show session all command. Note that the destination zone shown for these sessions is Untrust, the post-NAT zone where 10.1.0.100 lives, even though NAT_01 is defined from Trust to Trust; that is the zone pair the security policy was matched on.

admin@PA-200> show session all

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
5510         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5425]/Untrust  (10.1.0.100[5425])
5508         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5423]/Untrust  (10.1.0.100[5423])
5507         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5422]/Untrust  (10.1.0.100[5422])
5509         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5424]/Untrust  (10.1.0.100[5424])
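A small parser for the two-line session records above, which lists for each session whether the source, the destination or both were translated and which zone pair the session is tied to. This is an added example for the article, not PAN-OS code; the sample text embedded in it is the show session all output shown above, so the block runs offline.

```python
"""Parser for the two-line session records printed by PAN-OS `show session
all`, listing each session's pre- and post-NAT addresses and the zone pair the
session was matched on. Added example for this article, not PAN-OS code; the
sample text is the output shown above, embedded here so the block runs offline."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Record line 1: ID Application State Type Flag Src[Sport]/Zone/Proto (xlated[Port])
FIRST = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+(?P<flag>\S+)\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<src_zone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\((?P<nat_src>[\d.]+)\[(?P<nat_sport>\d+)\]\)\s*$")
# Record line 2: Vsys Dst[Dport]/Zone (xlated[Port])
SECOND = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dst_zone>\S+)\s+"
    r"\((?P<nat_dst>[\d.]+)\[(?P<nat_dport>\d+)\]\)\s*$")


@dataclass
class Session:
    id: int
    app: str
    state: str
    src: str
    sport: int
    src_zone: str
    proto: int
    nat_src: str
    nat_sport: int
    vsys: str
    dst: str
    dport: int
    dst_zone: str
    nat_dst: str
    nat_dport: int

    def nat_kind(self) -> str:
        """Which translation the session carries, judged from the two tuples."""
        snat = (self.src, self.sport) != (self.nat_src, self.nat_sport)
        dnat = (self.dst, self.dport) != (self.nat_dst, self.nat_dport)
        return {(False, False): "none", (True, False): "SNAT",
                (False, True): "DNAT", (True, True): "SNAT+DNAT"}[(snat, dnat)]

    def zone_pair(self) -> Tuple[str, str]:
        """Zone pair the session is tied to; the destination zone is post-NAT."""
        return (self.src_zone, self.dst_zone)


def parse_sessions(text: str) -> List[Session]:
    """Pair each ID line with the Vsys line that follows; skip headers/rules."""
    lines = text.splitlines()
    sessions: List[Session] = []
    i = 0
    while i < len(lines):
        m1 = FIRST.match(lines[i])
        if not m1:
            i += 1          # header, separator or blank line
            continue
        m2 = SECOND.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not m2:
            raise ValueError(f"session {m1['id']} has no Vsys/Dst line")
        sessions.append(Session(
            id=int(m1["id"]), app=m1["app"], state=m1["state"],
            src=m1["src"], sport=int(m1["sport"]), src_zone=m1["src_zone"],
            proto=int(m1["proto"]), nat_src=m1["nat_src"],
            nat_sport=int(m1["nat_sport"]), vsys=m2["vsys"],
            dst=m2["dst"], dport=int(m2["dport"]), dst_zone=m2["dst_zone"],
            nat_dst=m2["nat_dst"], nat_dport=int(m2["nat_dport"])))
        i += 2
    return sessions


# Sample input: the show session all output from the article.
SAMPLE = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
5510         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5425]/Untrust  (10.1.0.100[5425])
5508         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5423]/Untrust  (10.1.0.100[5423])
5507         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5422]/Untrust  (10.1.0.100[5422])
5509         ping           ACTIVE  FLOW  ND   10.2.0.100[1]/Trust/1  (10.2.0.100[1])
vsys1                                          10.2.0.10[5424]/Untrust  (10.1.0.100[5424])
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(f"{s.id} {s.app:5} {s.nat_kind():9} {s.src}:{s.sport} -> {s.dst}:{s.dport}"
              f"  xlated {s.nat_src}:{s.nat_sport} -> {s.nat_dst}:{s.nat_dport}"
              f"  zones {s.zone_pair()}")
```

Every session in the sample comes out as DNAT only (source unchanged, 10.2.0.10 rewritten to 10.1.0.100) with the zone pair (Trust, Untrust), which is the post-NAT pairing the security policy must allow.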

References

NAT Policy Overview
