Source NAT Translation Types and Typical Use Cases

by jteetsel on ‎04-03-2013 11:55 AM (60,978 Views)

Overview

Following are available source address translation types and the typical use case for each.

Dynamic IP and Port

For a given source IP address, the Palo Alto Networks firewall translates the source IP address or range to a single IP address. The mapping is based on source port, so multiple source IPs can share a single translated address until the source ports have been exhausted. This is typical when only having a single public IP address to be shared among many private IP addresses. It is common to choose the IP address assigned to the interface connecting to your ISP:

To add more IP addresses to the outbound pool, change the address type to "Translated Address" and add a valid public IP to the list. The firewall will load balance from the address pool based on each session.

Use the following CLI command to check the NAT pool utilization: > show running global-ippool

Dynamic IP

For a given source IP address, the firewall translates the source IP to an IP in the defined pool or range. The mapping is not port based, which makes this a one-to-one mapping as long as the session lasts. Each concurrent session uses an address from the pool, making it unavailable to other source IPs. Be aware when using this option, because the translated pool of addresses can be exhausted if the number of internal hosts concurrently creating outbound sessions exceeds the number of IP addresses in the dynamic pool. This option is used when there are two or more public IPs from the ISP, but not enough to allocate one to each internal host on the network, and you want to assign them to outbound hosts only as needed. It is common to assign a range of IP addresses to the dynamic pool:

To view the current NAT pool mappings for a given NAT policy, run the following CLI command:

> show running nat-rule-ippool rule <NAT rule name>


Static IP

Use this translation type to translate a single source address to a specific public address. This is typically used to expose a server (email, web or any application) externally using a translated address that will not change.

Selecting "Yes" for Bi-directional creates mapping in both directions based on the source\destination zones that are specified. If Bi-directional is set to No, then the mapping is created based only on the direction of the source\destination zones. Static NAT policies for publicly exposed servers usually have Bi-directional set to Yes, so the outbound traffic for the server uses the same address as inbound traffic:

Use the Static IP mapping type to translate an entire address range to a specific address range, a one-to-one mapping. The number of source IPs using this policy must exactly match the translated range. This is typically used to resolve overlapping IP ranges when merging networks. The policy shown here translates all source addresses with at 10.20.1.x address destined to the Corp Zone to a matching address in the 10.30.1.x range:

owner: jteetsel

Comments
by pichec
on ‎07-10-2013 07:10 PM

Hi,

I don't know if it's the correct place to ask it or not but I've got one question to clarify things about Dynamic IP And Port when there are several IP addresses assigned. In your example, are people NATed 50% of the time behind 4.2.2.2 and 50% behind 4.2.2.3 (kind of load balancing situation) or do we use 4.2.2.3 only if 4.2.2.2 is fully used (65535 simultaneous connections)?

Thanks!

by jteetsel
on ‎07-12-2013 05:55 PM

Hi Pichec, the PAN will load balance between the public address in the pool per session. You should see about 50/50

by ptri
on ‎05-06-2014 06:05 PM

Hi.

I have a telepresence device that moves around from private vlan to private vlan.  i.e. If connected to vlan 214 it has 10.32.14.18 and if connected to vlan 211 it has 10.32.11.48 through dhcp reservations.  Is it possible to create a nat for this machine that will use the same external, public IP?  My guess is NO?

by NiteshS
on ‎09-11-2014 03:04 AM

Hi,

I have a question on the Static NAT. If i have enabled, bidirectional - Yes.

If the traffic is generated/originated/initiated from outside to inside, will this rule become active to allow the traffic from outside to come inside or not? As this is a static NAT the traffic should be allowed to come with its corresponding security policies on the post nat ip address allowing the traffic to come inside.

If you can help me out to solve this query...

by Westcon2
on ‎09-11-2014 03:09 AM

Hi,

For this rule to become active you need to initiate some traffic from inside to outside so that there is one more nat entry automatically created to hit the same rule.

To check the second automatic nat entry, You can use the command show running Nat-policy

Regards

Aamir Khan

by regioiT
on ‎10-28-2014 07:03 AM

Hi,

I've got a "short" question, cause bi-directional static ip translation doesn't work.

Why does the PA do the static bi-directional NAT translation in this way/so "complicated"?

Why is the automatically created destination NAT entry created in the way it is (source zone any, even if a destination zone in the source nat entry was specified)?

And why is the destination zone in the automatically created destination NAT entry is set to the destination zone of the originally source nat entry? I don't understand why, because it seems to be more smart, to revert the source nat entry in complete.

# Configured with GUI of PA:

nat {

              rules {

               Test2 {

                  source-translation {

                    static-ip {

                      bi-directional yes;

                      translated-address 10.170.201.153;

                    }

                  }

                  to loc2;

                  from loc1;

                  source 10.170.200.153;

                  destination any;

                  service any;

                  nat-type ipv4;

# Source Nat Entry like configured in GUI

Test2 {

        from loc1;

        source 10.170.200.153;

        to loc2;

        to-interface  ;

        destination any;

        service  any/any/any;

        translate-to "src: 10.170.201.153 (static-ip) (pool idx: 4)";

        terminal no;

}

# automatically created Destination NAT entry

Test2 {

        from any;

        source any;

        to loc2;

        to-interface  ;

        destination 10.170.201.153;

        service  any/any/any;

        translate-to "dst: 10.170.200.153";

        terminal no;

}

My approach:

# Source Nat Entry like configured in GUI                                        # automatically created Destination NAT entry (how it should be)

Test2 {                                                                                          Test2 {

        from loc1;                                                                                from loc2;

        source 10.170.200.153;                                                            source any;

        to loc2;                                                                                    to loc1;

        to-interface  ;                                                                            to interface   ;

        destination any;                                                                        destination 10.170.201.153;

        service  any/any/any;                                                                service  any/any/any;

        translate-to "src: 10.170.201.153 (static-ip) (pool idx: 4)";             translate-to "dst: 10.170.200.153 (static-ip) (pool idx: 4)";

        terminal no;                                                                              terminal no;

}                                                                                                      }

My problem with the original PA configuration is, that it doesn't work.

source nat loc1 to loc2 (and way back in same session) works:

sw05000648-VSS-nemesis#sh ip access-lists NAT-Test

Extended IP access list NAT-Test

    1 permit ip host 10.106.155.111 host 10.170.201.153

    2 permit ip host 10.106.155.111 host 10.170.200.153 (20 matches)

but: destination nat loc2 to loc1 didnt't, adress wasn't translated, it comes with the original destination ip

sw05000648-VSS-nemesis#sh ip access-lists NAT-Test

Extended IP access list NAT-Test

    1 permit ip host 10.106.155.111 host 10.170.201.153 (8 matches)

    2 permit ip host 10.106.155.111 host 10.170.200.153

We need static NAT entries in both ways configured. Actually they would be more complicated because we have to port hundreds of route-map/ACL based NAT entries from a cisco router to the PA (5050).

And there a special cases, like only to nat from a source zone/network to a specified network in another zone, but not to other networks in the specified destination zone. And of course backwards it should be the same.

The NATting is used to prevent problems with overlapping ip ranges on different locations in our network.

So sorry, it wasn't as short as expected...

I am looking forward to your answers.


Thanks a lot


Robert


PS:

Do i have to route the NATed source ip? because in backward destination nat i don't get any matches in my acl, until i configure a static route for the natted source ip to the source zone (like backward destination ip to the destination zone). The following pdf shows the PA check route lookup at first and then apply the NAT rule. But could this be real for destination NAT? cause i have to route the "wrong" (NAT IPs) back to the source zone.

https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/1517-102-7-11647/Understanding_NAT...



PS 2. For illustration of our problem:


One NAT Rule (bi-directional box checked) as shown above.

WORKS:

Source                                PA                               Destination

10.170.200.153 --> (source NAT 10.170.201.153) --> 10.106.155.111

Works NOT:

Source                                PA                                    Destination

10.106.155.111 --> (destination NAT 10.170.201.153) --> 10.170.200.153

by jteetsel
on ‎10-28-2014 09:54 AM

Hi Robert, bi-directional static ip translation does work, in fact a static nat policy is really the only logical way to use the bi-directional option.

If you were to create the source and d-nat rules separately they would look like this:

Source NAT:

source zone = inside

Destination zone = outside

source IP = internal IP

Translated IP = public IP

Destination NAT:

source zone = outside

Destination zone = outside

Destination IP = public IP

Translated IP = internal IP

Note that the source and destination zones are the same in the d-nat policy. The destination zone is outside because the packet has a destination address of the public address which is applicable only to the outside zone, when the NAT policy evaluation is performed, the destination zone does not become inside until AFTER the NAT policy is applied

If you where to use Bi-Directional option you would only create the top "Source NAT" policy and check the Bi-Directional box. It would then create the same reverse rule that looks just like the "Destination NAT" rule but set the source zone to any.  I would not expect your "Works NOT" example to function.

Question:

Why is the automatically created destination NAT entry created in the way it is (source zone any, even if a destination zone in the source nat entry was specified)?

Answer:

The behavior you see with Static NAT and bi-directional option is the correct. The reverse policy will have the source as any.

The use case for static NAT, not specific to PAN-OS  ( for all FW vendors) was to provide access to servers on the DMZ from internet. Static NAT would also automatically translate the source IP  of the connections initiated from the server to the any destination on the internet. There are deployments where there are multiple connections to the internet ( multiple physical interfaces) ,and traffic could arrive on any one of these interface to the the servers connected in the DMZ. In such cases, most of the firewall vendors will have to create multiple static NAT rules to accommodate traffic arriving to the server from different interfaces.

With out NAT implementation, if you choose the bi-directional option we create automatically create NAT rule with source zone and source address as ANY. This eliminates the necessity to create multiple NAT rules when you have a network where connections can originate from 2 or more interfaces to a server.  (for example Netscreen devices use Global zone to address this design)

You can still control access to the server by creating a restrictive security policy.

If you having problems getting this to work give us a call and we can help.

Thanks

John

by regioiT
on ‎10-30-2014 03:23 AM

Thanks John for teh fast response.

Neither the manually created bi-directional NAT Rule nor the automatically created bi-directional NAT Rule works.

Perhaps i really took the wrong way...

I dont't get a successfull connection from kunden_gt to regioit_gt_ac.

My station is 10.106.155.111 (zone kunden_gt) and i try to reach 10.170.201.153, which should actually be NATted to 10.170.200.153 (zone regioit_gt_ac).

Source NAT is working properly, and i can reach my station from ip 10.170.200.153 (which is translated into 10.170.201.153).

Destination NAT is not working properly, and i can't reach destination. Traceroute stops at the firewall (last ssen hop is the router before).

When i configure a static route for the NATted ip in the destination zone, the traceroute stops at the router after the firewall but the destination ip is the original (not translated) destination ip.

sw05000648-VSS-nemesis#sh ip access-lists NAT-Test

Extended IP access list NAT-Test

    1 permit ip host 10.106.155.111 host 10.170.201.153 (8 matches)

    2 permit ip host 10.106.155.111 host 10.170.200.153

    10 permit ip host 10.106.155.111 any

    20 permit ip host 10.170.201.152 any

    30 permit ip any any

Any idea?

I'll have a talk with my co-workers about this, but at this time i'm stumped.

Thanks a lot

Regards

Robert

by dpflick
on ‎07-09-2015 05:09 AM

How can I nat to a pool of addresses?  A few are reserved out of the subnet 10.34.125.0/26 so I can only use 10.34.125.3 thru 10.34.125.62.  Is there a "range" command available so I don't have to add the individual addresses to a address group?

by Fortesys
on ‎08-16-2015 08:43 AM

Hi,

How do i NAT based on AD group?
Lets say:

Office\Maintenance    to   58.xx.xx.30

Office\HR               to 58.xx.xx.31

Kindly assist.

Thanks.

by pulukas
on ‎01-09-2016 04:45 AM

Unfortunately, you cannot use AD group or any of the user based parameters as part of a NAT rule.  These are only availble in the security rules.

by Thamizh_S
on ‎04-23-2017 06:40 AM

Hi Guys,

 

I need to do the NAT in the below scenario, Let me know would that be possible?

 

A single machine is in XXX Zone and it needs to access all the machines in YYY Zone, we need to do the source NAT here. Machine in XXX zone has to be translated to a NAT IP whenever it is accessing the machines in YYY zone. The twist here is, The NAT IP resides in ZZZ zone in the firewall. Would it be possible to do a NAT in this scenario, as the NAT IP is bound to the ZZZ zone.

 

We receive normal request as to do the Source NAT for the machines in ZZZ zone whenever it is accessing the machines in YYY zone, That would be of no Isssue as the NAT IP is in the ZZZ zone.

 

Any suggestions would be helpful.

 

Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community