01-12-2015 02:50 AM
Source and Destination NAT in the same packet
Hi All,
I am required to configure source NAT and destination NAT for the same packet in a scenario.
packets are flowing through the firewall from inside zone to outside zone.
As per Palo Alto documentation, I see for source NAT my zones for the NAT rule:
Source Zone: Inside
Destination Zone: Outside
As per Palo Alto documentation, I see for destination NAT my zones for the NAT rule:
Source Zone: Inside
Destination Zone: Inside
Now my question is: what will my source and destination zone be if I do source NAT and destination NAT in the same rule?
regards,
ARJUN DAS
01-12-2015 03:22 AM
You should create the rule in the direction you expect TCP to initiate the connection. The initiator system is the source zone and the destination system is the destination zone.
You can see an example in the Understanding PA NAT guide on page 24.
01-12-2015 02:56 AM
It's probably Source Zone: Inside and Destination Zone: Outside but I don't have enough information if this is needed for this configuration.
Which address do you want to use for DNAT? Is it one of your public IPs, and in which zone is the address you want to DNAT to?
01-12-2015 03:16 AM
Let's say the original source is 10.0.0.1/24 and the destination is 194.0.0.1.
The source is to be translated to 4.0.0.1 (one of the PA's public IP addresses, outside zone) and the destination is to be translated to 200.0.0.1 (the actual destination server's IP on the internet).
194.0.0.1 is in the Outside zone.
200.0.0.1 is in the Outside zone.
01-12-2015 06:40 AM
For your example it should be like this:
Original Packet:
Source Zone: Internal
Destination Zone: Outside Zone
Destination IP: 194.0.0.1
Translation:
Source:
Dynamic IP and Port
Interface: External Interface with 4.0.0.1
Destination:
200.0.0.1
Security Policy:
Source Zone: Internal
Destination Zone: Outside Zone
Destination IP: 194.0.0.1
01-12-2015 12:49 PM
Hi Arjun,
If the traffic is going from your internal zone to external (ex: internet) and you're natting both, your source zone will continue to be the internal zone.
For the destination zone, the firewall looks at the post NAT address and evaluates the interface where the packet should ultimately exit (by PBF or routing table).
Whatever zone this interface is in will be your destination zone.
01-15-2015 01:24 AM
How can the NAT destination zone be based on the post-NAT address, as NAT policies are only applicable to the pre-NAT destination address?
01-15-2015 05:39 PM
The zone match for the NAT rule is based on the original destination address. But if that NAT rule does a destination NAT, then the security policy rule that is needed to permit the traffic will be based on the destination NAT address and not the original address zone.
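The two lookups described in this thread can be modelled in a few lines. The following is an added example, not code from the thread or from Palo Alto Networks: a small simulator of PAN-OS policy evaluation in which the NAT rule is matched on pre-NAT zones (the destination zone coming from a routing lookup on the original destination IP) and pre-NAT addresses, while the security rule is matched on post-NAT zones but still pre-NAT addresses. The routing table, the DMZ zone, the 172.16.0.0/24 and 198.51.100.0/24 addresses and all rule names are constructed assumptions; the first NAT rule is Arjun's example (source and destination NAT in one rule), and the second goes beyond the thread to the inbound DNAT case where the pre-NAT and post-NAT destination zones actually differ, which is where the distinction bites.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table (an assumption for this example): the thread's Inside
# and Outside zones plus a DMZ, so the case where the pre-NAT and post-NAT
# destination zones differ can be shown. Longest-prefix match wins.
ROUTES = [
    ("10.0.0.0/24", "Inside"),
    ("172.16.0.0/24", "DMZ"),
    ("0.0.0.0/0", "Outside"),   # default route out the interface holding 4.0.0.1
]


def zone_for(ip: str) -> str:
    """Zone of the interface a packet to `ip` would exit from (routing lookup)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


@dataclass
class NatRule:
    name: str
    from_zone: str                    # pre-NAT zones
    to_zone: str
    original_dst: str                 # pre-NAT destination, CIDR
    src_xlate: Optional[str] = None   # "dynamic IP and port" to this address
    dst_xlate: Optional[str] = None


@dataclass
class SecurityRule:
    name: str
    from_zone: str   # post-NAT zones ...
    to_zone: str
    dst: str         # ... but the pre-NAT destination address, CIDR
    action: str


def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def match_nat(rules, src: str, dst: str) -> Optional[NatRule]:
    """NAT lookup: zones and addresses are all the ORIGINAL ones. The destination
    zone is wherever the original destination IP routes to."""
    src_zone, dst_zone = zone_for(src), zone_for(dst)
    for r in rules:
        if (r.from_zone, r.to_zone) == (src_zone, dst_zone) and _in(dst, r.original_dst):
            return r
    return None


def evaluate(nat_rules, sec_rules, src: str, dst: str) -> dict:
    """NAT lookup first, then the security lookup with post-NAT zones but
    pre-NAT addresses. Source zone is the ingress zone (approximated here by
    routing the source IP) and is not changed by source NAT."""
    nat = match_nat(nat_rules, src, dst)
    post_src = nat.src_xlate if nat and nat.src_xlate else src
    post_dst = nat.dst_xlate if nat and nat.dst_xlate else dst
    src_zone = zone_for(src)
    dst_zone = zone_for(post_dst)   # zone of the interface the TRANSLATED packet exits
    result = {"nat": nat.name if nat else None, "post_src": post_src,
              "post_dst": post_dst, "sec_dst_zone": dst_zone,
              "security": None, "action": "deny"}
    for r in sec_rules:
        if (r.from_zone, r.to_zone) == (src_zone, dst_zone) and _in(dst, r.dst):
            result.update(security=r.name, action=r.action)
            break
    return result


# Constructed rules. "outbound-194" is the thread's example; "inbound-web" is an
# inbound DNAT to a DMZ host, where the NAT to-zone (Outside) and the security
# to-zone (DMZ) are different.
NAT_RULES = [
    NatRule("outbound-194", "Inside", "Outside", "194.0.0.1/32",
            src_xlate="4.0.0.1", dst_xlate="200.0.0.1"),
    NatRule("inbound-web", "Outside", "Outside", "4.0.0.2/32",  # to-zone is Outside, not DMZ
            dst_xlate="172.16.0.10"),
]
SEC_RULES = [
    SecurityRule("allow-outbound", "Inside", "Outside", "194.0.0.1/32", "allow"),
    SecurityRule("allow-web", "Outside", "DMZ", "4.0.0.2/32", "allow"),  # post-NAT zone, pre-NAT IP
]
# A common mistake: the inbound security rule written with the pre-NAT zone.
WRONG_SEC_RULES = [SecurityRule("allow-web-wrong", "Outside", "Outside", "4.0.0.2/32", "allow")]

if __name__ == "__main__":
    print(evaluate(NAT_RULES, SEC_RULES, "10.0.0.1", "194.0.0.1"))
    print(evaluate(NAT_RULES, SEC_RULES, "198.51.100.7", "4.0.0.2"))
    print(evaluate(NAT_RULES, WRONG_SEC_RULES, "198.51.100.7", "4.0.0.2"))
```

For Arjun's packet both 194.0.0.1 and 200.0.0.1 route out the same interface, so NAT rule and security rule are both Inside to Outside and the question never shows up. The inbound case is where it matters: the NAT rule is Outside to Outside (4.0.0.2 is reached via the outside interface before translation), but the security rule must be Outside to DMZ with destination 4.0.0.2, and the "wrong" variant written Outside to Outside silently never matches and the session is denied.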