Source and Destination NAT in the same packet

Reply
Highlighted
Not applicable

Source and Destination NAT in the same packet

Source and Destination NAT in the same packet

Hi All,

I am required to configure source NAT and destination NAT for the same packet in a scenario.

packets are flowing through the firewall from inside zone to outside zone.

As per palo alto documentation i see for source NAT my zones for NAT rule:

Source Zone : Inside

Destination zone :Outside

As per palo alto documentation i see for destination NAT my zones for NAT rule:

Source Zone : Inside

Destination zone :inside

Now my question is what will my source and destination zone be if i have done source NAT and destination NAT  in the same rule ?

regards,

ARJUN DAS


Accepted Solutions
Highlighted
L7 Applicator

You should create the rule in the direction you expect tcp to initiate the connection.  The initiator system is the source zone and the destination system is the destination zone.

You can see an example in the Understanding PA nat guide on page 24.

Understanding PAN-OS NAT

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post


All Replies
Highlighted
L3 Networker

It's probably Source Zone: Inside and Destination Zone: Outside but I don't have enough information if this is needed for this configuration.

Which address do you want to use for DNAT? Is it one of you public IPs and in which zone is the address you want to DNAT?

Highlighted
Not applicable

lets say original source is 10.0.0.1/24  and destination is 194.0.0.1.

source is to be translated to 4.0.0.1 (One of PA's public ip address, outside zone) and destination is to be translated to  200.0.0.1 (Actual Destination servers IP in inetrnet)

194.0.0.1 is in Outside zone.

200.0.0.1 is in outside Zone.

Highlighted
L7 Applicator

You should create the rule in the direction you expect tcp to initiate the connection.  The initiator system is the source zone and the destination system is the destination zone.

You can see an example in the Understanding PA nat guide on page 24.

Understanding PAN-OS NAT

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

Highlighted
L3 Networker

For your example it should be like this:

Original Packet:

Source Zone: Internal

Destination Zone: Outside Zone

Destination IP: 194.0.0.1

Translation:

Source:

Dynamic IP and Port

Interface: External Interface with 4.0.0.1

Destination:

200.0.0.1

Security Policy:

Source Zone: Internal

Destination Zone: Outside Zone

Destination IP: 194.0.0.1

Highlighted
L3 Networker

Hi Arjun,

If the traffic is going from your internal zone to external (ex: internet) and you're natting both, your source zone will continue to be the internal zone.

For the destination zone, the firewall looks at the post NAT address and evaluates the interface where the packet should ultimately exit (by PBF or routing table).

Whatever zone this interface is in will be your destination zone.

Highlighted
Not applicable

How can NAT destination zone be based on Post NAT address as NAT policies only are applicable to Pre NAT destination address ?

Highlighted
L7 Applicator

The zone match for the nat rule is based on the original destination address.  But if that nat rule does a destination nat then the security policy rule that is needed to permit the traffic will be based on the destination nat address and not the original address zone.

Screen Shot 2015-01-15 at 8.37.38 PM.png

Packet Flow in PAN-OS

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!