Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

TYPICAL NAT QUESTIONS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

TYPICAL NAT QUESTIONS

L1 Bithead

 

Hello,

I have a web server in DMZ with private ip address 192.168.10.100/24 and I would like all the traffic from outside should come to this server. My public ip is 1.1.1.2/255.255.255.248 which will bind to 192.168.10.100

To perfom this I can create a destination rule

FROM TO Source Destination Destination Translation Address (Static)
Untrust--> Untrust--> Any--> 1.1.1.2 192.168.10.100

The above rule will work correctly. My question is if i create Rules below what will happen

FROM TO Source Destination Source Translation Address (Static)
Untrust--> DMZ Any 192.168.10.100 1.1.1.2

BI DIRECTIONAL checked


FROM TO Source Destination Source Translation Address (Static)
DMZ--> Untrust--> 192.168.10.100 Any 1.1.1.2

BI DIRECTIONAL checked

Will the above rule work and if it works is it a correct way to do this ?

1 accepted solution

Accepted Solutions

L6 Presenter

If you remove Bi-Directional check from Source NAT policy, then that policy will do specified Source NAT policy only.

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

View solution in original post

5 REPLIES 5

L6 Presenter

Hi @calabilla 

 

Bi-Directional static NAT option can be used when creating the Source NAT policy only. With bi-directional static NAT option checked, firewall will perform both Source NAT as well as Destination NAT translations.

 

With this option. when traffic is coming from your inside/DMZ server going towards internet, source IP will get NAT with given public IP. At the same time, if traffic is hitting public IP from internet ( from untrust zone ), then destination IP will be NAT with the given inside/DMZ IP.

 

In your examples, below example looks appropriate configuration of Source NAT with bi-directional checked.

 

FROM TO Source Destination Source Translation Address (Static)
DMZ--> Untrust--> 192.168.10.100 Any 1.1.1.2

BI DIRECTIONAL checked

 

In below case, you have marked private IP as a part of Untrust zone. Ideally, untrust zone should be the public IP from where internet traffic will come.

 

FROM TO Source Destination Source Translation Address (Static)
Untrust--> DMZ Any 192.168.10.100 1.1.1.2

BI DIRECTIONAL checked

 

Bi-directional NAT configuration has very specific use cases where it is must to enable it. I have seen most of it's use cases in Audio/Video traffic flows. 

 

Palo Alto KB article on Bi-Directional Static NAT

 

Hope it helps!

If you still have any queries, feel free to ask.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

The rule is this way

 

 

CHECK THE BELOW AND LET ME KNOW WILL IT WORK

 

SourceZone           Destination Zone         Source               Destination                 Translation Address (Static)
Untrust                      DMZ                              Any                192.168.10.100                  1.1.1.2

BI DIRECTIONAL checked

L6 Presenter

Hi @calabilla 

As I mentioned earlier, Bi-Directional static NAT applies to only Source NAT translations. Here in your examples, you are doing destination NAT.

 

SutareMayur_0-1729770761272.png

 

Ideally your Bi-Directional Static NAT should look like this. 

Here, consider WAN zone as Untrust.

 

SutareMayur_1-1729770905610.png

 

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

I never knew that Bidirectional NATworks with only Source NAT.

what will happen if i remove bidirectional check mark ? how would the NAT WORK in this scenario.

L6 Presenter

If you remove Bi-Directional check from Source NAT policy, then that policy will do specified Source NAT policy only.

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
  • 1 accepted solution
  • 937 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!