https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/284909#M76364 <P>HI,</P><P>when do we use the destination nat ,source nat and&nbsp; identity nat&nbsp;</P><P>I mean what is the use cases for the above&nbsp;</P><P>Thanks</P> Sat, 24 Aug 2019 18:44:31 GMT simsim 2019-08-24T18:44:31Z https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/284909#M76364 <P>HI,</P><P>when do we use the destination nat ,source nat and&nbsp; identity nat&nbsp;</P><P>I mean what is the use cases for the above&nbsp;</P><P>Thanks</P> Sat, 24 Aug 2019 18:44:31 GMT https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/284909#M76364 simsim 2019-08-24T18:44:31Z https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/284926#M76370 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59972">@simsim</a>&nbsp;</P><P><STRONG>Source NAT:</STRONG></P><P>Source NAT changes the&nbsp;<STRONG>source</STRONG> address in the IP header of a packet. Typical use would be making a NAT statement for your internal addressing to a Public IP address. For example, if you leave my network as source IP 192.168.88.1, I'd want you to be NAT to 1.1.1.1 on a dynamic port.&nbsp;</P><P><STRONG>Destination NAT:</STRONG></P><P>Destination NAT changes the&nbsp;<STRONG>destination</STRONG> address in the IP header of a packet. Typical use case could be would be exposing a service such as Exchange to the public via your Public IP. For example, if you hit&nbsp;<EM>mail.mycompany.com:25</EM> I'd want a destination NAT statement to ensure that the destination address in the IP header was translated to the internal address to hit my mail server.&nbsp;</P><P><STRONG>Identity NAT:</STRONG></P><P>Translates the real IP address to the same IP address in the IP header of the packet. To the best of my knowledg,e you will only ever hear about identity NAT on an ASA. Essentially the way that Cisco configured their NAT Exception policies caused a necessity for Identity NAT to be created. There are technically three, at least, types of Identity NAT; I'm not going to get into them because this isn't an ASA forum.&nbsp;</P><P>&nbsp;</P><P>Things get more complicated because there are a lot of different ways to configure NAT statements, and any one way isn't really more correct than the next. For example; while many people would expose mail services through a destination NAT, with enough Public IPs you can also simply make a Source NAT to a static-ip and enable bi-directional traffic. There's also u-turn NAT statements and so on.&nbsp;</P> Sun, 25 Aug 2019 03:37:03 GMT https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/284926#M76370 BPry 2019-08-25T03:37:03Z https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/284930#M76372 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59972">@simsim</a>&nbsp;</P><P>&nbsp;</P><P>If you need the firewall to translate the source IP address in a packet you will use Source NAT. A good example for this is users in trust zone that have private IP addresses need to be translated to the external IP address the firewall has on the untrust zone (ISP). So the firewall translates the IP address when forwarding the packet to the untrust zone.</P><P>&nbsp;</P><P>If you need the firewall to translate the destination IP address ip a packet you will use Destination NAT. A good example of this is a web server in DMZ that has a private IP address and you need internet users to access it. So from the internet side it is accessible via the real-world IP address and the firewall translates it to a private IP address when forwarding the packet to DMZ zone.</P><P>&nbsp;</P><P>In some cases you can also use both of them in the same NAT rule.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 25 Aug 2019 07:30:59 GMT https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/284930#M76372 ShaiW 2019-08-25T07:30:59Z