topic Re: Source and Destination NAT in the same packet in General Topics

Source and Destination NAT in the same packet

ArjunDAS — Mon, 12 Jan 2015 10:50:21 GMT

Source and Destination NAT in the same packet

Hi All,

I am required to configure source NAT and destination NAT for the same packet in a scenario.

packets are flowing through the firewall from inside zone to outside zone.

As per palo alto documentation i see for source NAT my zones for NAT rule:

Source Zone : Inside

Destination zone :Outside

As per palo alto documentation i see for destination NAT my zones for NAT rule:

Source Zone : Inside

Destination zone :inside

Now my question is what will my source and destination zone be if i have done source NAT and destination NAT in the same rule ?

regards,

ARJUN DAS

Re: Source and Destination NAT in the same packet

Wenar — Mon, 12 Jan 2015 10:56:08 GMT

It's probably Source Zone: Inside and Destination Zone: Outside but I don't have enough information if this is needed for this configuration.

Which address do you want to use for DNAT? Is it one of you public IPs and in which zone is the address you want to DNAT?

Re: Source and Destination NAT in the same packet

ArjunDAS — Mon, 12 Jan 2015 11:16:21 GMT

lets say original source is 10.0.0.1/24 and destination is 194.0.0.1.

source is to be translated to 4.0.0.1 (One of PA's public ip address, outside zone) and destination is to be translated to 200.0.0.1 (Actual Destination servers IP in inetrnet)

194.0.0.1 is in Outside zone.

200.0.0.1 is in outside Zone.

Re: Source and Destination NAT in the same packet

pulukas — Mon, 12 Jan 2015 11:22:28 GMT

You should create the rule in the direction you expect tcp to initiate the connection. The initiator system is the source zone and the destination system is the destination zone.

You can see an example in the Understanding PA nat guide on page 24.

Understanding PAN-OS NAT

Re: Source and Destination NAT in the same packet

Wenar — Mon, 12 Jan 2015 14:40:50 GMT

For your example it should be like this:

Original Packet:

Source Zone: Internal

Destination Zone: Outside Zone

Destination IP: 194.0.0.1

Translation:

Source:

Dynamic IP and Port

Interface: External Interface with 4.0.0.1

Destination:

200.0.0.1

Security Policy:

Source Zone: Internal

Destination Zone: Outside Zone

Destination IP: 194.0.0.1

Re: Source and Destination NAT in the same packet

rborda — Mon, 12 Jan 2015 20:49:02 GMT

Hi Arjun,

If the traffic is going from your internal zone to external (ex: internet) and you're natting both, your source zone will continue to be the internal zone.

For the destination zone, the firewall looks at the post NAT address and evaluates the interface where the packet should ultimately exit (by PBF or routing table).

Whatever zone this interface is in will be your destination zone.

Re: Source and Destination NAT in the same packet

ArjunDAS — Thu, 15 Jan 2015 09:24:10 GMT

How can NAT destination zone be based on Post NAT address as NAT policies only are applicable to Pre NAT destination address ?

Re: Source and Destination NAT in the same packet

pulukas — Fri, 16 Jan 2015 01:39:49 GMT

The zone match for the nat rule is based on the original destination address. But if that nat rule does a destination nat then the security policy rule that is needed to permit the traffic will be based on the destination nat address and not the original address zone.

Packet Flow in PAN-OS