topic Re: TYPICAL NAT QUESTIONS in General Topics

TYPICAL NAT QUESTIONS

calabilla — Tue, 22 Oct 2024 12:34:05 GMT

Hello,

I have a web server in DMZ with private ip address 192.168.10.100/24 and I would like all the traffic from outside should come to this server. My public ip is 1.1.1.2/255.255.255.248 which will bind to 192.168.10.100

To perfom this I can create a destination rule

FROM TO Source Destination Destination Translation Address (Static)
Untrust--> Untrust--> Any--> 1.1.1.2 192.168.10.100

The above rule will work correctly. My question is if i create Rules below what will happen

FROM TO Source Destination Source Translation Address (Static)
Untrust--> DMZ Any 192.168.10.100 1.1.1.2

BI DIRECTIONAL checked

FROM TO Source Destination Source Translation Address (Static)
DMZ--> Untrust--> 192.168.10.100 Any 1.1.1.2

BI DIRECTIONAL checked

Will the above rule work and if it works is it a correct way to do this ?

Re: TYPICAL NAT QUESTIONS

SutareMayur — Wed, 23 Oct 2024 14:40:25 GMT

Hi @calabilla

Bi-Directional static NAT option can be used when creating the Source NAT policy only. With bi-directional static NAT option checked, firewall will perform both Source NAT as well as Destination NAT translations.

With this option. when traffic is coming from your inside/DMZ server going towards internet, source IP will get NAT with given public IP. At the same time, if traffic is hitting public IP from internet ( from untrust zone ), then destination IP will be NAT with the given inside/DMZ IP.

In your examples, below example looks appropriate configuration of Source NAT with bi-directional checked.

FROM TO Source Destination Source Translation Address (Static)
DMZ--> Untrust--> 192.168.10.100 Any 1.1.1.2

BI DIRECTIONAL checked

In below case, you have marked private IP as a part of Untrust zone. Ideally, untrust zone should be the public IP from where internet traffic will come.

FROM TO Source Destination Source Translation Address (Static)
Untrust--> DMZ Any 192.168.10.100 1.1.1.2

BI DIRECTIONAL checked

Bi-directional NAT configuration has very specific use cases where it is must to enable it. I have seen most of it's use cases in Audio/Video traffic flows.

Palo Alto KB article on Bi-Directional Static NAT

Hope it helps!

If you still have any queries, feel free to ask.

Re: TYPICAL NAT QUESTIONS

calabilla — Thu, 24 Oct 2024 11:55:33 GMT

The rule is this way

CHECK THE BELOW AND LET ME KNOW WILL IT WORK

SourceZone Destination Zone Source Destination Translation Address (Static)
Untrust DMZ Any 192.168.10.100 1.1.1.2

BI DIRECTIONAL checked

Re: TYPICAL NAT QUESTIONS

SutareMayur — Thu, 24 Oct 2024 11:55:51 GMT

Hi @calabilla

As I mentioned earlier, Bi-Directional static NAT applies to only Source NAT translations. Here in your examples, you are doing destination NAT.

Ideally your Bi-Directional Static NAT should look like this.

Here, consider WAN zone as Untrust.

Re: TYPICAL NAT QUESTIONS

calabilla — Thu, 24 Oct 2024 16:16:42 GMT

I never knew that Bidirectional NATworks with only Source NAT.

what will happen if i remove bidirectional check mark ? how would the NAT WORK in this scenario.

Re: TYPICAL NAT QUESTIONS

SutareMayur — Fri, 25 Oct 2024 07:33:09 GMT

If you remove Bi-Directional check from Source NAT policy, then that policy will do specified Source NAT policy only.