NAT - Tips and Gotchas?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT - Tips and Gotchas?

L3 Networker

PAN-200

PAN OS 6.0.0.

I've been directed to implement NAT on our PAN-200.  Given that this will disrupt current traffic, I've scheduled tomorrow night to make it happen.

I'm reading 'PAN-OS Administrator's Guide Version 6.0' - it seems reasonably straightforward.

I'm about to dive into 'Understanding NAT-4.1-RevC'.

Are there any gotchas, problems, boners, things to look out for, issues, or headaches I should be aware of before I pull the trigger?

5 REPLIES 5

L5 Sessionator

Hi bdunbar ,

Outbound nat is straight forward, from trust to untrust nat to this address. Or this specific source gets natted to this destination address.

Inbound nat is however tricky. ie. if you have a host that is reachable from outside on address 1.1.1.1 and private address of 192.168.1.1, your nat will look like following :

From Untrust to Untrust any source to destination 1.1.1.1 translate to 192.168.1.1

Security policy :

From Untrust to Trust from any source to destination 1.1.1.1 allow

You are already reading Understanding NAT-4.1-RevC, this should give you more insight into its working. Hope this helps. Thank you.

L7 Applicator

Just an heads-up, if you have any internal server to access from LAN: How to Configure U-Turn NAT

Thanks

L7 Applicator

As ssharma mentioned, Destination NAT configuration can be tricky.

Here's a video tutorial that guides you through its configuration.

Video Link : 1550

Bi-Directional rules are not one of my favorite features, it attempts to simplify configuration and by doing so obscures sections of the configuration. If you choose to use Bi-Directional NAT rules, make sure to review the rules that have been implicitly created with command:

> show running nat-policy

Source NAT is pretty straightforward. One gotcha is that if you're trying to ping (or terminate any connection on one of the firewall's own interfaces), your source IP may be changed with the NAT policy, resulting in a LAND attack, thus having packets dropped. Make sure to configure No-NAT rules for connections that are intended to terminate in the firewall's own interfaces.

L3 Networker

I also like to keep things simple. Let a NAT rule be a NAT rule and let the security rule handle hte security. That is I try not to use ports in my NAT rules, especially since I write my security rules using application and not specific ports.

You can keep it simple as you like if you have enough nat address space that you don't need to share addresses to the multiple servers.  We just don't always have that luxury.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 2925 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!