This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Destination NAT vs Source NAT with Bi-directional?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Destination NAT vs Source NAT with Bi-directional?

Go to solution
OMatlock
L4 Transporter

‎05-04-2017 01:22 PM

Hi folks,

 

I am reading several articles about NAT types and bi-directional.

I have a test going, but confused about how my web server is translating its source address when replying.

 

I thought that I would have to create a bi-directional NAT rule to get the web server to change its IP back to public (after the D-NAT), but that's not the case.  It works with just a D-NAT rule. 

 

How is the source IP of the web server switching back to a public IP on reply?

 

This is my goal and current configuration.

visio.jpg

 

Rules:

NATRules.jpg

 

Securityrules.jpg

 

Client (behind a NAT) on the internet.  I can see the source must have changed back to the public IP.

I can see when it leaves the Web Server it is still the private IP as source, but must change to public at some point.

web.jpg

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
pulukas
L7 Applicator

‎05-07-2017 04:53 AM

  • I thought that I would have to create a bi-directional NAT rule to get the web server to change its IP back to public (after the D-NAT), but that's not the case.  It works with just a D-NAT rule. 

 

If I understand the question correctly, you see that the inbound flow has the destination nat change but you don't understand why the private address of the server reply packet is also converted back to the original public address.

 

The reason for this behavior is that stateful firewalls in general, like the PA maintain a session table that knows about both directions of the flow based on the unique total combination both ip addresses and both source and destination ports and protocol. 

 

So when that reply packet from the web server comes back to the firewall it matches the session and the firewall knows it must reverse the NAT it originally performed on the same flow.

 

This is not unique to Palo Alto but standard firewall NAT behavior.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

(1)
8 REPLIES 8

Go to solution
ChrisRussell
L2 Linker

‎05-04-2017 01:46 PM

Everything you send out the firewall will get sourced as a public/external IP address. So based on its route out, it will take on that external/unstrusted interface IP. Firewall's will do that with all outbound traffic unless told otherwise. 

****************************************************
ACE 7.0, PCNSE7
0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to ChrisRussell

‎05-04-2017 02:10 PM

If you have single public IP then you don't need bi-nat rule as everything sourcing from inside will be SNAT'ed to this single IP anyway.

If you have range of IP's and you need specific servers to go out from specific IPs then you either create 2 NAT policies (SNAT and DNAT) but it is easier to do single bi-nat rule. 

Example is email servers where you want outgoing email go out from same IP it comes in to because then reverse DNS matches and spam filters are more happy accepting emails from you.

 

Actually bi-nat rule creates 2 rules one for SNAT and other for DNAT but you don't see this in GUI (only in CLI).

bi-nat rule will double your NAT rule count and both (visible and hidden) NAT policy count againt firewall max NAT count (might be important in case of smaller boxes).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
OMatlock
L4 Transporter
In response to Raido_Rattameister

‎05-05-2017 08:19 AM

Thanks for responding!

 

Yea, I can understand if you are using the one public IP, but I am using a different one than the one for my general internet connection.  I do have a range, but using two of them in my example.  One for general internet usage and the other for my web server.  That's why I am confused.  It's successfully changing its source IP when leaving the firewall, but without the need for a bi-directional S-NAT rule.

 

Still researching...

0 Likes Likes

Go to solution
bmorris1
L4 Transporter
In response to OMatlock

‎05-05-2017 08:27 AM

Hi,

 

Do you mind showing your 'internet' address object's subnet mask? I suspect you've added this in as a network and therefore the firewall has a pool of IPs to use for source NAT.

 

Ben

0 Likes Likes

Go to solution
OMatlock
L4 Transporter
In response to bmorris1

‎05-05-2017 01:52 PM

Yes, I did configure my internet address with a subnet bit mask.

Does that explain how it knows to change the source IP back?

 

internetaddress.jpg

0 Likes Likes

Go to solution
pulukas
L7 Applicator

‎05-07-2017 04:53 AM

  • I thought that I would have to create a bi-directional NAT rule to get the web server to change its IP back to public (after the D-NAT), but that's not the case.  It works with just a D-NAT rule. 

 

If I understand the question correctly, you see that the inbound flow has the destination nat change but you don't understand why the private address of the server reply packet is also converted back to the original public address.

 

The reason for this behavior is that stateful firewalls in general, like the PA maintain a session table that knows about both directions of the flow based on the unique total combination both ip addresses and both source and destination ports and protocol. 

 

So when that reply packet from the web server comes back to the firewall it matches the session and the firewall knows it must reverse the NAT it originally performed on the same flow.

 

This is not unique to Palo Alto but standard firewall NAT behavior.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
(1)

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to pulukas

‎05-08-2017 01:24 AM

@pulukas is on the money i think

 

you don't need to create a policy in both directions of a flow: the firewall maintains a state table of all active sessions with their c2s and s2c (client to server and server to client) flows. This includes any NAT actions taken on the outbound flow so it can be automatically applied to the inbound flow (this is indeed pretty common among modern firewalls)

 

A bi-directional NAT rule enables traffic to be initiated in both directions so a server can receive sessions from the internet on it's public IP and outbound (new) connections will also use the public IP (think smtp relay server receiving an email and then relaying it out to the exchange server)

 

 

 

I tried to list all NAT combo's here:

Getting Started: Network Address Translation (NAT)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
OMatlock
L4 Transporter
In response to reaper

‎05-08-2017 08:39 AM

Thank you folks!

 

I will be getting my first real training starting next week.  PA-201 class.

So I will try to get my understanding clear about bi-directional NAT.

0 Likes Likes
  • 1 accepted solution
  • 10571 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks