Understanding PAN-OS NAT

by jpa on ‎06-15-2010 10:29 AM - edited on ‎02-01-2016 02:25 PM by lmelvin (62,959 Views)

The purpose of this application note is to explain Palo Alto Networks PAN-OS NAT architecture, and to provide several common configuration examples. This paper assumes that the reader is familiar with NAT and how it is used in both service provider and enterprise networks.

 

For information on configuring NAT on PAN-OS 6.0 and later, refer to the PAN-OS Administrator's Guide.

Comments
by Dulle
on ‎11-12-2012 10:43 PM

Could someone please help clarify one confusing detail.
On the "Life of a Packet" flow chart on page 4; when would the flow from [Translate destination address] to [Source NAT match?] occur ? Will the flow not always go to [Route lookup] ?

-=Tommy=-

by jpa
on ‎11-15-2012 08:13 AM

Hello Tommy

This happens when you are translating both source and destination IP addresses. This is case with overlapping addressing. Please see page 24 in the tech note for scenario.

Thank you

Jerish

by ftboomer1
on ‎04-05-2013 01:07 PM

Can we get this updated for 5.0.xx??  The screenshots are a bit out of date.

by bigiron
on ‎11-06-2013 03:33 PM

Same request here... please update to PAN-OS 5.0. Thanks.

by bmodi
on ‎01-18-2014 05:33 PM

What is the difference between Destination NAT (One-to-one mapping) and Static NAT: Bi-directional NAT? 

by pulukas
on ‎01-19-2014 09:08 AM

bmodi,

Static nat will occur both when the server is initiating an outbound connection and when the server is receiving an inbound connection.

Destination nat only applies to inbound connections to the server and does NOT affect server initiated outbound traffic.  The replies to the inbound request match that inbound session and work.  But connections that are started by the server outbound will not have the address nat occur.

by LCMember1607
on ‎01-22-2014 09:59 AM

It would be nice to see a Destination NAT example over an IPSec Tunnel? I've tried all of the docs I have been able to search on but nothing works....

by Michael_Martin
on ‎11-24-2015 05:38 PM

Is the life of a packet referenced in this document still valid, or is there an updated version of this?

by Jake_Vargas
on ‎11-28-2017 04:09 PM

updated version please?


Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community
Contributors