https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35998#M26456 <HTML><HEAD></HEAD><BODY><P>Hi EDSAdmin,</P><P></P><P>SNAT or DNAT both can be used, all depends on purpose.</P><P></P><P>Lets say you have FTP,HTTP and SSL servers but only one public IP addresses. And you are interested only in inbound access[Internet users should access server]. Than go for DNAT.</P><P></P><P>If you have 3 public IP addresses and you are also looking for outbound server access with same public IP than go for DNAT.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 30 Sep 2014 18:34:36 GMT hshah 2014-09-30T18:34:36Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35996#M26454 <HTML><HEAD></HEAD><BODY><P>On our firewall we have some inbound web servers with static NAT policies using SNAT and others inbound web servers/services with DNAT policies.&nbsp; I am trying to figure out which one i should be using.&nbsp; For example the company we hired to implement our firewalls and setup policies use the SNAT way for every Static NAT policy. When I called into support for an issue one time, they stated that i should be using DNAT and not SNAT. </P></BODY></HTML> Tue, 30 Sep 2014 18:21:46 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35996#M26454 EDSAadmin 2014-09-30T18:21:46Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35997#M26455 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>you should use DNAT for inbound access or</P><P>You may use SNAT(static) for internal server with bidirectional yes option (if your each internal server has a specific public ip on WAN)</P></BODY></HTML> Tue, 30 Sep 2014 18:27:43 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35997#M26455 Retired Member 2014-09-30T18:27:43Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35998#M26456 <HTML><HEAD></HEAD><BODY><P>Hi EDSAdmin,</P><P></P><P>SNAT or DNAT both can be used, all depends on purpose.</P><P></P><P>Lets say you have FTP,HTTP and SSL servers but only one public IP addresses. And you are interested only in inbound access[Internet users should access server]. Than go for DNAT.</P><P></P><P>If you have 3 public IP addresses and you are also looking for outbound server access with same public IP than go for DNAT.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 30 Sep 2014 18:34:36 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35998#M26456 hshah 2014-09-30T18:34:36Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35999#M26457 <HTML><HEAD></HEAD><BODY><P>Hi EDSAdmin,</P><P></P><P>You are trying to change the destination address for traffic coming in to your network. ie. if someone tries to access 1.2.3.4 (public ip that you host) nat to internal ip 192.168.1.1. You are not changing the source IP portion of it. So you will configure DNAT. Hope that helps. Thank you.</P></BODY></HTML> Tue, 30 Sep 2014 18:36:26 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/35999#M26457 ssharma 2014-09-30T18:36:26Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36000#M26458 <HTML><HEAD></HEAD><BODY><P>Each inbound server has its own unique external static IP.&nbsp; Currently they are all set to be bi directional as well.&nbsp; I haven't had a problem with the SNAT way was just trying to get a better understanding since that time i called into support and the engineer kept telling me why are you using SNAT, you should be using DNAT.</P><P></P><P>We have Exchange server, web servers, that are all set with static external IP's. </P></BODY></HTML> Tue, 30 Sep 2014 19:18:44 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36000#M26458 EDSAadmin 2014-09-30T19:18:44Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36001#M26459 <HTML><HEAD></HEAD><BODY><P>Hi EDSAdmin,</P><P></P><P>Its just a matter of implementation and choice. IF you have spare public IPs than always go with SNAT.</P><P></P><P>But if there is a crunch of IPs than go with DNAT. </P><P></P><P>This is te main tie breaker for the implementation. There are number of other differences as well.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 30 Sep 2014 19:20:45 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36001#M26459 hshah 2014-09-30T19:20:45Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36002#M26460 <HTML><HEAD></HEAD><BODY><P>SNAT with bidirectional option is OK then.You may use for all servers.</P></BODY></HTML> Tue, 30 Sep 2014 19:22:25 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36002#M26460 Retired Member 2014-09-30T19:22:25Z https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36003#M26461 <HTML><HEAD></HEAD><BODY><P>Excellent. Thanks for the clarification.&nbsp; </P></BODY></HTML> Tue, 30 Sep 2014 19:38:13 GMT https://live.paloaltonetworks.com/t5/general-topics/snat-vs-dnat/m-p/36003#M26461 EDSAadmin 2014-09-30T19:38:13Z